Privacy Policy
Effective Date: May 1, 2026
Welcome to HighSubmit ("we," "our," or "us"). We respect your privacy and are deeply committed to protecting your personal data. HighSubmit is designed from the ground up with a Zero-Knowledge Architecture, meaning we cannot see, access, or read the sensitive information you store in your secure vault.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our platform, or engage with our services (collectively, the "Services"). By using our Services, you consent to the data practices described in this policy.
1. Our Zero-Knowledge Security Promise
At the core of HighSubmit is our zero-knowledge, end-to-end encrypted (E2EE) architecture.
- Your Vault Data: Any information you save in your HighSubmit vault (such as passwords, secure notes, files, or team secrets) is encrypted locally on your device using AES-256-GCM encryption before it is transmitted to our servers.
- Your Master Keys: Your cryptographic keys (derived via Argon2 and protected using RSA-OAEP-2048) and Master Password never leave your device.
- No Access: We have no way to decrypt, read, access, or recover your vault data. If you lose your Master Password, we cannot restore your encrypted data.
2. Information We Collect
While we cannot read your encrypted vault contents, we do collect certain information required to provide, secure, and maintain the Services.
A. Information You Provide to Us
- Account Information: To create an account (individual or company tenant), we collect your email address, and optionally your name, phone number, date of birth, and gender.
- Billing Information: If you subscribe to a paid plan (e.g., Team or Enterprise), payment details are collected and processed directly by our secure third-party payment processor (Stripe). We do not store full credit card numbers on our servers.
- Support Requests: If you contact us for support, we collect the details of your inquiry and contact information.
B. Information Collected Automatically
- Security & Audit Logs: To protect your account and provide team audit trails, we log sensitive actions (like logins or sharing events). These logs may include your IP address, browser type/User-Agent, and timestamps.
- Device and Usage Data: We may collect non-identifiable telemetry data regarding how you interact with our platform to help us improve the service.
C. Encrypted Data (Zero-Knowledge)
We store the encrypted blobs of your vault items, folders, and sharing permissions. Because it is securely encrypted with keys only you control, this data is not considered "Personal Data" in its stored form as it cannot be tied back to readable information by us or any third party.
3. How We Use Your Information
We use the collected information strictly for the following purposes:
- Service Provision: To create your account, authenticate your login (including Multi-Factor Authentication via TOTP), and sync your encrypted vault across devices.
- Billing & Account Management: To process subscriptions, send invoices, and apply promotional coupons.
- Security & Fraud Prevention: To monitor for suspicious activity, prevent abuse, and maintain the integrity of our platform.
- Communication: To send you critical service updates, security alerts, and support responses.
4. How We Share Your Information
We never sell your personal data. We only share your information in the following limited circumstances:
- Service Providers: We work with trusted third-party vendors (such as AWS/Google Cloud for hosting, and Stripe for payments) who operate under strict confidentiality agreements.
- Team/Company Environments: If you use a Company Tenant account, certain account data (like your email and public key) is visible to your organization's administrators for collaboration and access management.
- Legal Compliance: We may disclose your non-encrypted data (like email or IP address) if required by law, subpoena, or valid legal process. Note: We cannot hand over decrypted vault data to law enforcement because we do not have the ability to decrypt it.
5. Data Retention
We retain your account information and encrypted vault data for as long as your account is active.
- Account Deletion: If you choose to delete your account, we will permanently delete your encrypted vault data, audit logs, and account information from our active servers. Residual data may remain in secure, encrypted backups for a limited period until they are overwritten.
6. Your Global Privacy Rights (GDPR, CCPA, etc.)
Depending on your region (e.g., EEA, UK, California), you have specific rights regarding your personal data:
- Right to Access: You can request a copy of the unencrypted personal data we hold about you (e.g., email, account logs).
- Right to Rectification: You can update or correct your personal data through your account settings.
- Right to Erasure ("Right to be Forgotten"): You can delete your account and associated data at any time.
- Right to Data Portability: You can export your vault data directly from your dashboard.
7. International Data Transfers
HighSubmit serves users worldwide. Your information may be transferred to, and processed in, countries other than the country in which you are a resident (such as the United States or the European Union). We rely on legally provided mechanisms, such as Standard Contractual Clauses (SCCs), to lawfully transfer data across borders.
8. Children's Privacy
Our Services are not intended for individuals under the age of 13 (or 16 in certain European jurisdictions). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete it.
9. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, sending an email notification.
10. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us at: