Privacy Policy
Privacy Policy
Last updated: January 2025
Effective date: January 1, 2025
strayfiles (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Markdown notes application and related services (collectively, the “Service”).
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service.
1. Our Privacy Principles
strayfiles is built with privacy as a core principle:
- Local-first architecture: Your files stay on your device by default
- Zero-knowledge encryption: We cannot read your synced content
- Minimal data collection: We only collect what’s necessary
- No tracking or analytics on content: We never analyze your notes
- Transparency: We tell you exactly what we collect and why
2. Information We Collect
2.1 Free Tier (Local-Only)
When using strayfiles for free, we collect nothing. The application runs entirely on your device:
- No account creation required
- No data transmitted to our servers
- No analytics or telemetry
- No tracking cookies
- Your notes never leave your device
2.2 Pro Tier (Stray Cloud)
If you subscribe to Pro and enable Stray Cloud, we collect:
Account Information:
- Email address (for authentication and communication)
- Hashed password (we never store plaintext passwords)
- Account creation date
- Subscription status and billing history
Synced Content (Encrypted):
- Your notes and files (end-to-end encrypted before transmission)
- File metadata (names, timestamps, directory structure)
- Tags and workspace configurations
- Device mappings (which devices have which files)
Technical Information:
- Device ID (UUID v7, unique per device installation)
- Device name (user-provided or system hostname)
- Platform type (macOS, iOS, Linux, Windows)
- App version
- Last sync timestamps
- Last seen timestamp per device
File Mirrors (if used):
- Source file path (absolute path on your system)
- Target file path (absolute path on your system)
- Mirror sync status and timestamps
- Error messages if sync fails
Payment Information:
- Processed by Stripe (we never see your full card number)
- We store only: last 4 digits, card type, expiration date
- Billing address for tax purposes
2.3 Website Visitors
When you visit strayfiles.com:
- We do not use analytics tracking
- We do not use advertising cookies
- We may use essential cookies for site functionality
- Server logs may temporarily record IP addresses for security
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process transactions and send billing notifications
- Send important service updates and security alerts
- Respond to your comments, questions, and support requests
- Detect, prevent, and address technical issues
- Protect against fraudulent or illegal activity
We never:
- Sell your data to third parties
- Use your content for advertising
- Share your notes with anyone
- Train AI models on your data
- Profile you based on note content
4. End-to-End Encryption
All data synced to our servers is encrypted before it leaves your device:
- Encryption: AES-256-GCM authenticated encryption
- Key derivation: Argon2id with strong parameters (64 MiB memory, 4 iterations)
- Zero-knowledge: Your encryption key never leaves your device
- We cannot read your notes: Even with a court order, we cannot decrypt your content
Your encryption key is derived from your password and stored only on your devices. We have no ability to recover your data if you forget your password.
5. Sensitive Information Warning
Critical for developers: Your Markdown files may contain sensitive information such as:
- API keys and access tokens
- Database credentials and connection strings
- Environment variables and secrets
- Private keys and certificates
- Authentication tokens (JWT, OAuth, etc.)
- Internal documentation with security details
Our strong recommendations:
- Use local-only mode for sensitive files:
---
strayfiles:
enabled: true
sync: false # This file will never leave your device
----
Never store production credentials in any cloud-synced service, even with encryption
-
Use secret management tools (HashiCorp Vault, AWS Secrets Manager, etc.) for production secrets
-
Rotate any credentials that may have been accidentally synced
Disclaimer: We are not responsible for any leaked API keys, credentials, environment variables, or other sensitive data that you choose to include in synced files. The security of your secrets is your responsibility.
6. Data Storage and Security
6.1 Local Storage (On Your Device)
All users have data stored locally in ~/.strayfiles/:
| Location | Contents |
|---|---|
~/.strayfiles/data.redb | Local database with note metadata, tags, workspaces |
~/.strayfiles/config.csv | User settings (theme, sync preferences, display options) |
~/.strayfiles/versions/ | Local version history (up to 50 versions per note) |
~/.strayfiles/conflicts/ | Conflict files during sync resolution |
~/.strayfiles/keys.enc | Encrypted master key (Pro tier only) |
~/.strayfiles/strayfiles.toml | User-level tracked file paths |
Note content is stored in your own Markdown files on disk, not in our database. We only store metadata locally.
Security: The ~/.strayfiles/ directory has restricted permissions (0700 on Unix). Encryption keys use 0600 permissions.
6.2 Stray Cloud Storage (Pro Tier)
- Database: Supabase (PostgreSQL), SOC 2 Type II compliant
- Infrastructure: AWS data centers with physical security
- Regions: Data stored in US-East by default
- Backups: Encrypted daily backups with 30-day retention
6.3 Security Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Row-level security (RLS) ensuring users only access their own data
- Regular security audits and penetration testing
- Bug bounty program for responsible disclosure
- Two-factor authentication support
- Rate limiting and DDoS protection
6.4 Employee Access
- Employees cannot access your encrypted content
- Administrative access is logged and audited
- Strict need-to-know access policies
- Background checks for all employees
7. Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database & Auth | Account data, encrypted content | supabase.com/privacy |
| Stripe | Payments | Payment details | stripe.com/privacy |
| Resend | Email delivery | Email address | resend.com/privacy |
| Vercel | Website hosting | IP addresses (logs) | vercel.com/privacy |
Optional Integrations (User-Configured):
| Service | Purpose | Data Shared |
|---|---|---|
| Git providers (GitHub, GitLab, etc.) | Git-based sync | Note content, file paths, commit metadata |
| Cloud storage (iCloud, Dropbox, etc.) | File sync | Files in synced folders |
When you configure Git sync, your note content and file paths are transmitted to your chosen Git provider according to their privacy policies.
We do not use:
- Google Analytics or any tracking analytics
- Facebook Pixel or advertising trackers
- Any data brokers or aggregators
- Crash reporting services (Sentry, Bugsnag, etc.)
- Usage telemetry or analytics
8. Audit Logging (Pro Tier Teams)
For team collaboration features, we log the following operations for security and compliance:
| Action | Data Logged |
|---|---|
| Team created/updated/deleted | Team ID, user ID, timestamp |
| Member invited/accepted/removed | Team ID, user IDs, email (for invitations), timestamp |
| Workspace created/updated/deleted | Workspace ID, team ID, user ID, timestamp |
| Note shared/unshared | Note ID, workspace ID, user ID, timestamp |
Audit logs are retained for the duration of the team’s existence. Individual note editing is not logged.
9. App Updates
The strayfiles application checks for updates on startup:
- Data sent: Current app version, platform, architecture
- Data received: Latest version info, download URL, release notes
- Verification: Updates are verified using Ed25519 signatures and SHA-256 checksums
- No tracking: Update checks do not include user identifiers or usage data
You can disable automatic update checks in settings.
10. Data Retention
| Data Type | Retention Period |
|---|---|
| Free tier data | Never stored on our servers |
| Account information | Duration of account + 30 days |
| Encrypted notes | Duration of subscription + 30 days |
| Version history | 50 versions per note, then auto-pruned |
| Server logs | 30 days |
| Payment records | 7 years (legal requirement) |
After account deletion:
- All personal data deleted within 30 days
- Encrypted content permanently erased
- Backups purged within 90 days
- Anonymized aggregate statistics may be retained
11. Your Privacy Rights
11.1 All Users
You have the right to:
- Access: Request a copy of all data we hold about you
- Correction: Update or correct your personal information
- Deletion: Delete your account and all associated data
- Export: Download all your data in a portable format
- Withdraw consent: Opt out of optional data collection
11.2 European Users (GDPR)
If you are in the European Economic Area, you additionally have:
- Right to restriction: Limit how we process your data
- Right to object: Object to processing based on legitimate interests
- Right to portability: Receive your data in a structured format
- Right to lodge a complaint: Contact your local data protection authority
Legal basis for processing:
- Contract performance (providing the Service)
- Legitimate interests (security, fraud prevention)
- Consent (optional communications)
11.3 California Users (CCPA)
California residents have the right to:
- Know what personal information is collected
- Know if personal information is sold or disclosed
- Say no to the sale of personal information (we don’t sell data)
- Access their personal information
- Request deletion of personal information
- Equal service and price (no discrimination)
We do not sell personal information as defined by the CCPA.
12. International Data Transfers
If you are accessing the Service from outside the United States:
- Your data may be transferred to and processed in the United States
- We use Standard Contractual Clauses for EU data transfers
- We ensure adequate protection for international transfers
- By using the Service, you consent to this transfer
13. Children’s Privacy
The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover we have collected data from a child under 13, we will delete it immediately.
14. Cookies and Tracking
14.1 Website (strayfiles.com)
We use minimal cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Essential cookies | Site functionality | Session |
We do not use:
- Analytics cookies
- Advertising cookies
- Third-party tracking cookies
14.2 Application
The strayfiles application does not use cookies or tracking. All data is stored locally on your device or encrypted in our database.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the “Last updated” date
- Sending an email to Pro subscribers for material changes
- Displaying an in-app notification
Your continued use of the Service after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or our privacy practices:
Email: privacy@strayfiles.com
Mail: strayfiles Privacy Inquiries [Address to be added]
Response time: We aim to respond to all privacy inquiries within 30 days.
17. Data Protection Officer
For GDPR-related inquiries, you may contact our Data Protection Officer at:
Email: dpo@strayfiles.com
This Privacy Policy is provided in English. In case of any discrepancy between translations, the English version shall prevail.