Privacy Policy

Effective Date: October 24, 2025

Last Updated: October 24, 2025

1. Introduction and Scope

1.1 Who We Are

GeckoShare ("we," "us," "our") operates a secure, temporary file-sharing platform at geckoshare.com and related domains (app.geckoshare.com, api.geckoshare.com). We are committed to protecting your privacy and complying with global data protection regulations.

1.2 What This Policy Covers

This Privacy Policy describes:

• What information we collect when you use GeckoShare
• Why we collect it (legal basis under GDPR)
• How we use, store, and protect your information
• Your privacy rights (access, deletion, portability, etc.)
• How to contact us with privacy questions or requests

1.3 Applicable Laws

GeckoShare complies with:

• EU General Data Protection Regulation (GDPR) - For users in the European Union and European Economic Area
• UK GDPR and Data Protection Act 2018 - For users in the United Kingdom
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) - For California residents
• Brazil's Lei Geral de Proteção de Dados (LGPD) - For users in Brazil
• Other applicable privacy laws - We honor privacy rights globally

1.4 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the "Last Updated" date
• We will display a prominent notice on the website for 30 days
• Pro users will receive email notification (if contact information is provided)

Continued use of GeckoShare after changes take effect constitutes acceptance of the updated policy.

2. Information We Collect (Guest Users)

2.1 File Metadata (Minimal Collection)

When you upload a file as a guest, we collect:

2.2 Technical Information (Abuse Prevention)

To prevent abuse, spam, and security threats, we collect:

• IP Address: Your device's public IP address at the time of upload
• User Agent: Browser type and version (e.g., "Chrome 120.0 on macOS")
• Timestamp: Date and time of upload

Legal Basis (GDPR Article 6): Legitimate interest - Preventing abuse, fraud, malware distribution, and violations of our Terms of Service.

Retention Period: IP addresses are retained for 90 days after file deletion, then permanently deleted.

2.3 What We CANNOT Access (Zero-Knowledge Encryption)

Due to end-to-end encryption, we CANNOT and DO NOT collect:

• File Contents: Files are encrypted on your device before upload. We only store encrypted blobs.
• File Names: File names are encrypted on your device. We never see the real file name.
• Encryption Keys: Encryption keys are generated on your device and embedded in the URL fragment (after "#"). URL fragments are never sent to our servers.
• Download Recipients: We don't know who downloads files (unless they are logged-in Pro users).

2.4 Cookies and Local Storage (Guest Users)

Guest users do NOT require cookies for core functionality. We may use:

• Essential Cookies: Session cookies for temporary state management (e.g., upload progress). These are deleted when you close your browser.
• Local Storage: Your browser may temporarily store encryption keys and upload metadata locally. This data never leaves your device and is under your control.

No Tracking or Analytics Cookies: Guest users are not tracked across websites or sessions. We do not use third-party analytics for guest uploads.

3. Pro Tier Data Collection and Processing

3.1 Wallet Information (Blockchain Data)

What We Collect:

What We DO NOT Collect:

• Private Keys or Seed Phrases: NEVER transmitted to GeckoShare. We have no access to these.
• Transaction History: We only verify your current token balance, not your transaction history.
• Other Tokens: We only check PRICKO token balance, not other cryptocurrencies in your wallet.
• Wallet Balances (SOL or other tokens): We don't track your SOL balance or other assets.

How We Collect This:

• Read-Only Blockchain Query: We query the Solana blockchain via public RPC endpoints to verify your PRICKO token balance.
• No Transaction Signatures: Balance verification does NOT require you to sign transactions or approve spending.
• Public Data: Wallet addresses and token balances are publicly visible on the Solana blockchain. We simply query this existing public data.

Legal Basis (GDPR Article 6):

• Legitimate Interest: Verifying eligibility for premium features you've requested (Pro tier access).
• Contract Performance: Necessary to provide Pro tier services you've opted into (7-day retention, File Vault).

Retention Period: Wallet address and connection history are retained for 90 days after your last connection. After 90 days of inactivity, this data is permanently deleted.

3.2 File Vault Metadata (Pro Users)

For files uploaded to your Pro tier File Vault, we collect enhanced metadata:

Legal Basis (GDPR Article 6):

• Contract Performance: Necessary to provide File Vault management features (storage limits, expiration management, download tracking).
• Legitimate Interest: Enforcing storage limits and retention policies to maintain service quality.

Retention Period:

• Active Files: Metadata retained while file is in your Vault (maximum 7 days from upload).
• After Deletion: Metadata retained for 90 days after file deletion for abuse prevention and security monitoring.
• Complete Deletion: After 90 days, all metadata is permanently deleted and cannot be recovered.

3.3 Access Logs (Pro Users)

We log access events for files in your Pro tier Vault:

What We Log:

• Download Timestamps: Date and time when file was accessed (e.g., "2025-10-24 16:45:32 UTC")
• IP Address: Public IP address of the downloader (considered personal data under GDPR)
• User Agent: Browser/device type of the downloader (e.g., "Chrome 120.0 on Windows 11")
• File ID Accessed: Which file in your Vault was downloaded
• Geographic Location (Approximate): Country/region derived from IP address (e.g., "United States, California")

Why We Log This:

• Security Monitoring: Detect unauthorized access or suspicious download patterns (e.g., 1000 downloads from one IP)
• Fraud Prevention: Identify abuse of Pro tier features (e.g., automated scraping)
• User Visibility: Allow you to see who/when your files were accessed via the Vault dashboard

Legal Basis (GDPR Article 6): Legitimate interest - Fraud prevention, security monitoring, and service abuse detection.

Retention Period: Access logs are retained for 90 days after file deletion, then permanently deleted.

Your Rights: You may request deletion of access logs by emailing privacy@privacygecko.com. We will delete logs within 30 days unless retention is legally required (e.g., active law enforcement investigation).

3.4 Third-Party Services (Pro Users)

Pro tier features rely on external services that process your data:

3.4.1 Solana Blockchain (Public Network)

• Service: Solana blockchain network (decentralized, no single controller)
• Data Processed: Your public wallet address and PRICKO token balance (publicly visible on-chain)
• Purpose: Verify Pro tier eligibility by querying token balance
• Data Location: Global (Solana is a decentralized network with validators worldwide)
• Privacy Note: Blockchain data is public and permanent. Anyone can view your wallet address and token balance on Solana explorers (e.g., solscan.io).

3.4.2 Solana RPC Providers (Third-Party APIs)

• Service: Third-party Solana RPC API providers (e.g., Helius, QuickNode, Alchemy)
• Data Processed: Your wallet address (sent in API requests to query balance)
• Purpose: Facilitate blockchain queries for token balance verification
• Data Sharing: Your wallet address is temporarily processed by RPC providers to execute balance queries
• Privacy Note: RPC providers may log API requests (including wallet addresses) per their own privacy policies. We use reputable providers with strong privacy practices.

3.4.3 Hetzner Object Storage (File Storage)

• Service: Hetzner Online GmbH (EU-based cloud storage provider)
• Data Processed: Encrypted file blobs and metadata (file size, upload timestamp, bucket location)
• Purpose: Store encrypted files in secure, redundant cloud storage
• Data Location: European Union (Hetzner data centers in Germany and Finland)
• GDPR Compliance: Hetzner is GDPR-compliant and subject to EU data protection laws
• Privacy Note: Hetzner cannot decrypt your files (encryption keys never leave your device). They only store encrypted blobs.

3.5 Your Privacy Rights (Pro Users)

Under GDPR, CCPA, and other privacy laws, you have the following rights regarding your personal data:

Right to Access (GDPR Article 15, CCPA § 1798.100)

You may request a copy of all personal data we hold about you, including:

• Wallet address and connection history
• File Vault metadata (encrypted filenames, sizes, timestamps)
• Access logs (download history, IP addresses)
• Token balance check history

How to Request: Email privacy@privacygecko.com or submit a GDPR Data Request.

Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA).

Right to Deletion / Right to be Forgotten (GDPR Article 17, CCPA § 1798.105)

You may request deletion of your personal data, including:

• Immediate deletion of all Vault files (before expiration)
• Deletion of wallet address and connection history
• Deletion of access logs and download history
• Complete account erasure (if account system is implemented)

Limitations: We may retain data if legally required (e.g., active law enforcement investigation, pending legal claims).

How to Request: Email privacy@privacygecko.com with "Deletion Request" in the subject line.

Response Time: We will delete data within 30 days of verification.

Right to Data Portability (GDPR Article 20)

You may request a machine-readable export of your data, including:

• File Vault metadata (JSON format)
• Access logs (CSV format)
• Wallet connection history (JSON format)

Format: We provide data in structured JSON or CSV format for easy import into other services.

How to Request: Submit a Data Portability Request.

Right to Rectification (GDPR Article 16)

You may request correction of inaccurate or incomplete personal data.

Example: If we have an incorrect wallet address on file, you can request we update it.

How to Request: Email privacy@privacygecko.com.

Right to Object (GDPR Article 21)

You may object to processing of your personal data based on legitimate interest (e.g., access logging).

Impact: If you object to access logging, we may need to disable Pro tier features that depend on it (download tracking).

How to Request: Email privacy@privacygecko.com.

Right to Restrict Processing (GDPR Article 18)

You may request temporary suspension of data processing while we investigate a dispute or verify data accuracy.

How to Request: Email privacy@privacygecko.com.

Right to Withdraw Consent

If we process your data based on consent (e.g., optional analytics), you may withdraw consent at any time.

Impact: Withdrawal does not affect the lawfulness of processing before withdrawal.

How to Withdraw: Disconnect your wallet or email privacy@privacygecko.com.

4. How We Use Your Information

We use collected information ONLY for the following purposes:

4.1 Core Service Operations

• File Storage and Delivery: Store encrypted files and deliver them via download links
• Expiration Management: Automatically delete files after 24 hours (Guest) or 7 days (Pro)
• Storage Limit Enforcement: Track storage usage to enforce 20GB Pro tier limit
• Download Restriction Enforcement: Track downloads to enforce one-time download limit (Guest tier)

4.2 Pro Tier Feature Provisioning

• Token Balance Verification: Query Solana blockchain to verify ≥10,000 PRICKO token ownership
• File Vault Management: Display Vault dashboard with usage metrics and file metadata
• Access Tracking: Log and display download history for Pro tier files

4.3 Security and Abuse Prevention

• Rate Limiting: Use IP addresses to prevent spam, DDoS attacks, and abuse
• Malware Detection: Analyze file metadata (not contents) to detect suspicious patterns
• Fraud Prevention: Detect automated scraping, token balance manipulation, or service abuse
• Legal Compliance: Respond to valid DMCA notices, law enforcement requests, or court orders

4.4 Service Improvement (Aggregated Data Only)

• Anonymous Usage Statistics: Total uploads, average file sizes, popular file types (NO individual user tracking)
• Performance Monitoring: Identify slow uploads, errors, or infrastructure bottlenecks
• Feature Development: Understand which features are used to prioritize development

No Individual User Tracking: We do NOT track individual users across sessions or create user profiles. Analytics are aggregated and anonymized.

5. Data Retention Periods

5.1 Automatic Deletion

All data is automatically deleted according to the retention periods above. We use automated cleanup jobs that run:

• Every hour: Delete expired files (24-hour Guest, 7-day Pro)
• Daily: Delete metadata older than 90 days
• Weekly: Purge IP addresses and access logs older than 90 days

5.2 Early Deletion on Request

You may request early deletion of your data at any time by emailing privacy@privacygecko.com. We will delete data within 30 days unless legal retention is required.

6. Legal Basis for Processing (GDPR Compliance)

Under GDPR Article 6, we must have a legal basis to process your personal data. Here's our legal basis for each processing activity:

6.1 Legitimate Interest Balancing Test

When we rely on "legitimate interest" as the legal basis, we balance our interests against your privacy rights:

Example - IP Address Logging:

• Our Interest: Preventing abuse (spam, malware, DDoS) protects all users and service integrity
• Your Impact: Minimal - IP addresses are not linked to identity, retained only 90 days, used solely for abuse detection
• Balancing Result: Our legitimate interest in preventing abuse outweighs minimal privacy impact

You may object to processing based on legitimate interest by emailing privacy@privacygecko.com. We will assess your objection and stop processing unless we have compelling legitimate grounds that override your interests.

7. Data Security and Encryption

7.1 End-to-End Encryption

Client-Side Encryption:

• Files are encrypted on your device before upload using AES-GCM (256-bit encryption)
• Encryption keys are generated on your device using cryptographically secure random number generation
• Keys are NEVER transmitted to GeckoShare servers
• Keys are embedded in the URL fragment (after "#"), which is not sent to servers in HTTP requests

Server-Side Storage:

• GeckoShare only stores encrypted file blobs (unreadable ciphertext)
• We cannot decrypt files because we don't have encryption keys
• Even if servers are hacked, attackers cannot decrypt files without keys

7.2 Infrastructure Security

We implement industry-standard security measures:

Data in Transit:

• TLS 1.3 Encryption: All connections use HTTPS with modern TLS encryption (Let's Encrypt certificates)
• HSTS (HTTP Strict Transport Security): Forces browsers to use HTTPS, preventing downgrade attacks
• Certificate Pinning: Prevents man-in-the-middle attacks via certificate validation

Data at Rest:

• Encrypted Storage: Hetzner Object Storage uses server-side encryption at rest (AES-256)
• Double Encryption: Files are encrypted on your device (client-side) AND encrypted at rest (server-side)
• Redundant Storage: Files are replicated across multiple data centers for availability

Database Security:

• PostgreSQL SSL: Database connections encrypted with SSL/TLS certificates (production environment)
• Redis ACL: Redis access control with secure passwords and command restrictions
• Secrets Management: Sensitive credentials stored in environment variables, not hardcoded

Application Security:

• Rate Limiting: API endpoints protected against brute force attacks and abuse
• Input Sanitization: All user inputs sanitized to prevent XSS and injection attacks
• Helmet.js Security Headers: Content Security Policy (CSP), X-Frame-Options, etc.
• CORS Protection: Cross-origin requests limited to authorized domains

7.3 Access Controls

• Principle of Least Privilege: Employees and systems have minimal necessary access
• No Direct Database Access: Production databases not accessible from public internet
• Audit Logging: Administrative actions logged for security review

7.4 Incident Response

In the unlikely event of a data breach:

• GDPR Compliance: We will notify the relevant supervisory authority within 72 hours (GDPR Article 33)
• User Notification: Affected users will be notified without undue delay if breach poses high risk (GDPR Article 34)
• Breach Containment: Immediate steps to contain breach, investigate root cause, and prevent recurrence
• Transparency: Public disclosure of breach details (scope, affected data, remediation steps)

Limited Impact: Due to end-to-end encryption, a server breach would NOT expose file contents (only encrypted blobs and metadata).

8. International Data Transfers

8.1 Data Storage Locations

Primary Data Storage:

• Encrypted Files: Hetzner Object Storage (European Union - Germany and Finland data centers)
• Database (PostgreSQL): Hetzner Cloud (European Union)
• Cache (Redis): Hetzner Cloud (European Union)

Why EU Storage? We chose EU-based infrastructure for strong GDPR protections and privacy-friendly regulatory environment.

8.2 Third-Party Services (Non-EU)

Some Pro tier features rely on services outside the EU:

Solana Blockchain (Global Network):

• Nature: Decentralized blockchain with validators worldwide (including US, Asia, etc.)
• Data Transferred: Public wallet addresses and token balances (already publicly visible on-chain)
• Legal Basis: Necessary for Pro tier feature provisioning (contract performance)
• Safeguards: Blockchain data is public by design; no additional transfer risk

Solana RPC Providers (Varies by Provider):

• Potential Locations: United States (e.g., Helius, QuickNode, Alchemy)
• Data Transferred: Wallet addresses (temporarily processed in API requests)
• Legal Basis: Necessary for token balance verification (contract performance)
• Safeguards: We use reputable providers with strong privacy practices; data is public blockchain data

8.3 GDPR Transfer Mechanisms

For data transfers outside the EU/EEA, we rely on:

• Article 49(1)(b) - Necessity: Transfers to Solana network are necessary to perform the Pro tier contract (token balance verification)
• Article 49(1)(a) - Consent: For optional features, we obtain explicit consent for non-EU data transfers
• Standard Contractual Clauses (SCCs): Where applicable, we use EU-approved SCCs with third-party service providers

8.4 Your Rights (International Transfers)

You may:

• Request information about where your data is stored and transferred
• Object to transfers to specific countries (may limit Pro tier functionality)
• Request that we use alternative RPC providers in your region (if available)

9. Your Privacy Rights (All Users)

Regardless of your location, GeckoShare honors the following privacy rights:

9.1 Right to Know (CCPA)

You have the right to know:

• What personal information we collect
• How we use it
• Who we share it with (we don't sell data)
• How long we retain it

This Privacy Policy serves as our notice of data collection practices.

9.2 Right to Non-Discrimination (CCPA)

We will NOT discriminate against you for exercising privacy rights, including:

• Denying service
• Charging different prices
• Providing different quality of service

9.3 How to Exercise Your Rights

Email Request:

Email privacy@privacygecko.com with:

• Subject line indicating request type (e.g., "GDPR Deletion Request")
• Your wallet address (if Pro user) or short link code (if Guest user)
• Description of your request

Web Form:

Submit a formal request via our Data Subject Request Form.

Identity Verification:

• Pro Users: We may ask you to sign a message with your wallet to verify ownership
• Guest Users: Provide the short link code or IP address from time of upload

Response Time:

• GDPR: 30 days (may extend to 60 days for complex requests)
• CCPA: 45 days (may extend to 90 days with notice)

10. Cookies and Tracking Technologies

10.1 Cookie Usage

GeckoShare uses minimal cookies for essential functionality:

10.2 Local Storage

Your browser may use Local Storage for:

• Encryption Keys (Temporary): Keys are stored briefly in browser memory during encryption/decryption, then cleared
• Upload Progress: Track multi-part upload progress for large files
• Preferences: Remember UI preferences (dark mode, language, etc.)

Control: You can clear Local Storage via browser settings. This will NOT delete files from GeckoShare servers but may interrupt in-progress uploads.

10.3 Third-Party Tracking

GeckoShare does NOT use:

• Google Analytics or similar tracking services (on Guest tier)
• Third-party advertising networks
• Social media tracking pixels (Facebook Pixel, etc.)
• Cross-site tracking cookies

Browser Privacy: We respect Do Not Track (DNT) browser settings and privacy-focused browsers (Brave, Firefox, Tor).

11. Children's Privacy

Age Restriction: GeckoShare is not directed at children under 13 years old. We do not knowingly collect personal information from children under 13.

Parental Notice: If you are a parent or guardian and believe your child under 13 has provided personal information to GeckoShare, please contact us at privacy@privacygecko.com. We will promptly delete such information.

Teen Users (13-18): Users between 13 and 18 years old should have parental or guardian consent before using GeckoShare, especially Pro tier features that involve cryptocurrency.

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

• Changes in our data processing practices
• New features or services (e.g., new Pro tier features)
• Legal or regulatory requirements
• Feedback from users or privacy advocates

Notification of Changes:

• Minor Changes: "Last Updated" date will be revised
• Material Changes: 30-day advance notice via banner notification and email (Pro users)
• Regulatory Changes: Immediate updates if required by law (with notice)

Continued Use = Acceptance: By continuing to use GeckoShare after changes take effect, you accept the updated Privacy Policy.

13. Contact Information and Regulatory Authority

13.1 Contact Us

13.2 EU Representative (if required by GDPR)

If GeckoShare is established outside the EU/EEA and offers services to EU residents, GDPR Article 27 may require an EU representative.

[TO BE DETERMINED - Consult legal counsel if company is non-EU but serves EU users]

13.3 Supervisory Authority (Right to Lodge Complaint)

Under GDPR Article 77, you have the right to lodge a complaint with a data protection supervisory authority if you believe we have violated your privacy rights.

EU/EEA Users: Contact your country's Data Protection Authority (DPA). Find your DPA: https://edpb.europa.eu/about-edpb/about-edpb/members_en

UK Users: Information Commissioner's Office (ICO)
Website: https://ico.org.uk/
Helpline: 0303 123 1113

California Users: California Attorney General - Privacy Enforcement
Website: https://oag.ca.gov/privacy

We encourage you to contact us first so we can address your concerns directly before escalating to regulators.

Thank you for trusting GeckoShare with your files.
Last Updated: October 24, 2025
Return to GeckoShare | Terms of Service | Cookie Policy | Your Privacy Rights