Privacy Policy

Last updated: June 2026

1. Introduction

SaveState ("we", "us", "our") is a personal/sole proprietorship project operated from Denmark. We are committed to protecting your privacy and handling your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable Danish data protection law.

This Privacy Policy explains how we collect, use, store, and protect your information when you use the SaveState cloud backup service (the "Service").

2. Data Controller

The data controller for the purposes of GDPR is:

SaveState
Jurisdiction: Denmark
Contact: support@savestate.dk

3. Data We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address — used for account identification, login, and service communications.
  • Password — stored in a securely hashed format. We never store plaintext passwords.

3.2 Payment Information

Payment processing is handled entirely by Stripe. We do not store, process, or have access to your credit card numbers or full payment details. Stripe acts as an independent data controller for payment data. Please refer to Stripe's Privacy Policy for details.

3.3 Backup Data

Your backup files are encrypted on your device using AES-256-GCM zero-knowledge encryption before they are uploaded to our servers. This means we cannot read, access, or decrypt your backup data under any circumstances. We store only the encrypted blobs.

3.4 Usage Analytics

We use Google Analytics to collect anonymous usage data, including:

  • Pages visited and time on site
  • Browser type and operating system
  • Referral sources
  • General geographic region (country/city level)

Google Analytics data is anonymized and used solely to improve the Service. You can opt out by using a browser extension such as the Google Analytics Opt-out Add-on.

4. Cookies and Local Storage

We use the following cookies and browser storage mechanisms:

  • Authentication token (JWT) — stored in localStorage. This is an essential token required for you to remain logged in. It is not used for tracking.
  • Google Analytics cookies — used for anonymous usage analytics. These are non-essential and can be blocked without affecting core functionality.

We do not use advertising cookies or sell data to advertisers.

5. How We Use Your Data

We use your personal data for the following purposes:

  • To create and manage your account
  • To provide the backup and restore service
  • To process payments via Stripe
  • To send essential service-related communications (e.g., backup failure alerts)
  • To improve the Service through anonymous analytics
  • To respond to support requests

6. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract performance (Article 6(1)(b)) — processing necessary to provide the Service you subscribed to.
  • Legitimate interest (Article 6(1)(f)) — anonymous analytics to improve the Service.
  • Consent (Article 6(1)(a)) — where applicable, such as optional Discord notifications.

7. Data Storage and Security

Your data is stored using the following infrastructure:

  • Cloudflare R2 — for encrypted backup file storage
  • Cloudflare D1 — for account and subscription data
  • VPS (Virtual Private Server) — for API services and infrastructure

All backup data is encrypted client-side with AES-256-GCM using a zero-knowledge architecture. Your encryption keys never leave your device. Even in the event of a server breach, your backup data remains unreadable.

Account data (email, hashed password) is transmitted over HTTPS/TLS and stored in encrypted databases.

8. Third-Party Services

We share data with the following third parties, only as necessary to operate the Service:

We do not sell, rent, or trade your personal data to any third parties.

9. Data Retention

We retain your data as follows:

  • Account data — retained while your subscription is active.
  • Backup data — retained while your subscription is active.
  • After subscription ends — all account data and encrypted backups are deleted.

If you request account deletion, we will erase all personal data and backup files within 30 days.

10. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate personal data.
  • Right to erasure — request deletion of your personal data ("right to be forgotten").
  • Right to data portability — receive your data in a structured, commonly used format.
  • Right to restriction of processing — request that we limit how we use your data.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at support@savestate.dk. We will respond within 30 days as required by GDPR.

11. International Data Transfers

Your data may be processed in countries outside the European Economic Area (EEA) through our third-party service providers (Cloudflare, Stripe, Google). These transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

12. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy or your personal data, contact us at:

Email: support@savestate.dk