Privacy Policy

Last updated: May 8, 2026

1. Introduction

ShardHex ("we", "our", "us") is a desktop application for erasure-coded file splitting with encrypted, multi-cloud distribution. This Privacy Policy explains what information we handle, how it is used, and the rights you have over it. We aim to collect the minimum amount of data necessary to operate the product.

2. Information We Collect

2.1 Purchase & License Activation

When you purchase a Pro license and activate it on a device, we collect and store:

  • Email address — to deliver your license key and contact you about your purchase.
  • License key — issued by us at the time of purchase.
  • Hardware identifier (HWID) — see Section 6 for an exact definition. Used solely to count and limit activations across devices.
  • Device name — your computer's hostname, shown in the in-app device list so you can identify which devices are activated.
  • PayPal capture ID — the unique transaction reference, retained for accounting and refund processing.

2.2 Payments

Payments are processed by PayPal. We do not see, store, or have access to your card or bank details. PayPal's handling of your payment data is governed by PayPal's Privacy Policy.

2.3 Cloud Provider Credentials

OAuth refresh tokens and API keys for cloud providers you connect (e.g., Google Drive, OneDrive, Dropbox, S3-compatible services) are stored only in a local configuration file on your device. They are never transmitted to our servers and we have no way to read them.

2.4 Feedback Submissions

If you choose to submit feedback through the in-app form, the following is sent to us:

  • The feedback type (bug report, feature request, or other).
  • The message text you wrote.
  • The app version and operating system, attached automatically to help us reproduce issues.
  • An email address — only if you choose to provide one for follow-up.

Please avoid putting personal data into feedback messages unless necessary for the report.

2.5 Update Checks

The app periodically checks for new versions. The update request includes only the currently installed version and the target platform/architecture (e.g. windows-x86_64). No identifier, no usage data.

2.6 What We Do Not Collect

  • The contents of your files. All splitting, encryption, and steganography happen entirely on your device.
  • What files or shards you store with which cloud provider. Your manifest stays on your device.
  • Telemetry, analytics events, or usage tracking from inside the app.
  • Browser cookies on this website beyond what is technically required.

3. How We Use Information

  • Email + license key + capture ID — to deliver your purchase and process refunds.
  • HWID + device name — to enforce the device activation limit.
  • Feedback — to fix bugs and prioritize new features.
  • Update check parameters — to serve you the appropriate update binary.

We do not use your data for advertising, profiling, or sale to third parties. We never have.

4. Where Data Is Stored

License records, activation records, and feedback submissions are stored on Cloudflare's global edge platform (Cloudflare D1 database; Cloudflare R2 object storage for installer files). Data may be replicated to whichever Cloudflare region serves your closest edge.

Your files, manifest, encryption keys, license token, and OAuth credentials are stored only on your local device — they never reach our infrastructure.

5. Third-Party Services

The product depends on the following third parties to operate:

  • Cloudflare — Workers, D1, R2, Pages. Hosts our backend and license database.
  • PayPal — payment processing.
  • Resend — transactional email delivery (license keys and optional feedback acknowledgments).
  • Cloud storage providers you choose to connect — Google Drive, OneDrive, Dropbox, Amazon S3, Cloudflare R2, Backblaze B2, Wasabi, MinIO, generic S3-compatible services, GoFile, Catbox, Pixeldrain. Your use of each is governed by that provider's own terms and privacy policy.

6. Hardware Identifier (HWID) — Defined

We deliberately use a weak hardware identifier to limit invasiveness. The HWID we receive is a 64-bit hash of two values from your operating system:

  • The computer name (COMPUTERNAME on Windows / HOSTNAME on Unix).
  • The current user account name (USERNAME / USER).

We never read your motherboard serial, MAC address, disk UUID, BIOS UUID, or any other true hardware fingerprint. The HWID changes if you rename the computer, switch user accounts, or reinstall the operating system — which is intentional. It is enough to distinguish "different copy of the app on a different setup", but not enough to persistently track you.

7. License Token Stored on Your Device

After activation, your device receives a signed license token stored in a local configuration file. The token contains your email, license key, HWID, maximum device count, and an expiration date — signed with our Ed25519 key so it cannot be forged. This is the same data we hold on the server; you can inspect or delete the file at any time, which immediately deactivates the Pro features on that device.

8. Data Retention

  • License records — retained while your license is active, plus up to 7 years afterward for accounting and refund-dispute purposes.
  • Activation records — deleted when you remove a device from the in-app device list, or when the underlying license is deleted.
  • Feedback submissions — retained for up to 24 months, then deleted.
  • Update-check logs — none retained beyond Cloudflare's standard request logs.

9. Your Rights

Regardless of where you live, you may request the following at any time by emailing [email protected]:

  • Access — a copy of all personal data we hold about you.
  • Rectification — correction of inaccurate data.
  • Erasure — deletion of your account and license records (subject to the retention obligations described in Section 8).
  • Portability — your data exported in a structured, machine-readable format (JSON).
  • Objection / restriction — to specific uses of your data.
  • Withdrawal of consent — for any processing based on consent.

We will respond to verifiable requests within 30 days. If you are in the EEA / UK and you believe we are mishandling your data, you also have the right to lodge a complaint with your local data protection authority.

10. Security

All transport between your device and our servers uses TLS 1.2 or higher. License tokens are signed with Ed25519. Server-side secrets are stored in Cloudflare's secret store, never in source code. Administrative access to systems handling personal data is restricted to authorized maintainers only.

That said, no online service is impenetrable. If we ever discover a security incident that affects your data, we will notify affected users by email within 72 hours of confirming the breach.

11. Children

ShardHex is not directed at children under 16. We do not knowingly collect personal data from anyone in this age group. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be announced via an in-app notification or email to your registered address. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

Questions, requests, or complaints about this Policy: [email protected].