Privacy Policy

Your privacy is at the heart of everything we build.

Preserve U ("we", "our", or "us") is a digital time capsule service that lets you create encrypted messages, media, and documents to be delivered to recipients at a scheduled future date. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data.

By using Preserve U, you agree to this Privacy Policy. If you do not agree, please discontinue use of the service.

1. Information We Collect

a. Account Information

When you create an account, we collect your name, email address, and a hashed password. We never store your password in plain text.

b. Capsule Content

Text capsules are encrypted client-side using AES-256-GCM with a password you set. We store only the encrypted ciphertext — we cannot read your messages.

Media capsules (images, videos, audio, documents) are encrypted with AES-256-GCM before upload and stored as encrypted binary files. We cannot access their content.

c. Delivery & Scheduling Data

We store recipient name, recipient email address, scheduled delivery date and time, and capsule metadata (type, size, creation date). This data is stored in plaintext as it is required for our delivery service to function. It is protected by access controls and encryption at rest.

d. Analytics & Marketing Data

We use Meta Pixel (Facebook Pixel) — ID 4276757942586538 — on our website pages to measure the effectiveness of our marketing campaigns and to understand how users discover our service. Meta Pixel collects your IP address, browser information, and page interaction data and sends it to Meta Platforms, Inc. This data may be used to show you relevant ads on Facebook and Instagram.

We also use Google Analytics 4 (if configured) for aggregate website traffic analysis. You can opt out of marketing cookies at any time via the cookie consent banner or by emailingprivacy@preserveu.com.

e. Payment Information

Payments are processed by Razorpay. We do not store card numbers, CVVs, or bank account details. We receive only transaction confirmation and order IDs. Razorpay's privacy policy governs their data handling.

2. How We Use Your Information

• To create and manage your account
• To deliver time capsules to recipients at the scheduled time via email
• To process payments for capsule creation
• To send transactional emails (account confirmation, payment receipts, capsule delivery notifications)
• To maintain and improve the security and performance of our service
• To measure the effectiveness of our advertising campaigns (via Meta Pixel — you may opt out)
• To comply with legal obligations under Indian and applicable international law

We do not sell your personal information to third parties. Recipient email addresses and names are used exclusively to deliver the capsule and are never sold or shared with advertisers.

3. Data Retention

• Active capsules: Stored until the scheduled delivery date, then marked as delivered. Media files are retained for 30 days post-delivery.
• Account data: Retained while your account is active. You may request deletion at any time.
• Self-destruct capsules: Permanently deleted from our servers after the trigger condition is met.
• Dead Man's Switch capsules: Deleted if you perform a check-in before the switch triggers.
• Analytics data: Retained per Meta's and Google's respective data retention policies.

4. End-to-End Encryption

All text content is encrypted in your browser using AES-256-GCM before transmission. The encryption key is derived from your chosen password using PBKDF2-SHA256 with 600,000 iterations (OWASP 2023 recommended). We store only the encrypted ciphertext, salt, and IV — never the password or decryption key. We cannot decrypt your messages under any circumstances.

Media files are also encrypted client-side before upload. If you lose your password, the content is unrecoverable by design.

Note: Capsule metadata (recipient name, email, delivery date) is stored separately from encrypted content and is not encrypted at the field level, as it is required for our delivery system to function.

5. Third-Party Service Providers

To deliver a secure and reliable service, we work with the following vetted third-party providers:

• Vercel — cloud hosting and serverless API infrastructure (United States)
• MongoDB Atlas — database storage for encrypted capsule metadata and account data (cloud-hosted, encrypted at rest)
• Vercel Blob — encrypted media file storage
• Resend — transactional email delivery (capsule notifications, account emails)
• Razorpay — payment processing (India). Razorpay does not share payment data with us beyond transaction confirmation.
• Meta Platforms, Inc. — Meta Pixel for marketing attribution and ad measurement. Data may be transferred to Meta's servers in the US.
• Google LLC — Google Analytics 4 for aggregate traffic analytics (if configured).

Each provider is subject to their own privacy policy and is contractually bound to process data only as directed by us. Cross-border data transfers to the US are made under standard contractual clauses or equivalent mechanisms.

6. Your Rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Export your capsule metadata (note: encrypted content cannot be decrypted by us)
• Withdraw consent for non-essential data processing (including marketing analytics)
• Opt out of Meta Pixel tracking by visiting Meta's Ad Preferences or using the cookie consent option on our site

To exercise any of these rights, contact us at privacy@preserveu.com. We will respond within 30 days.

7. Cookies & Tracking

We use the following types of cookies and tracking technologies:

• Essential cookies: Secure session tokens required for login. Cannot be disabled.
• Analytics cookies: Meta Pixel and Google Analytics (if configured). These track page interactions and may be used for ad measurement. You can opt out via the cookie consent banner.

We aim to implement a cookie consent mechanism to give you full control over non-essential cookies. In the meantime, you may opt out via your browser settings or by contacting us at privacy@preserveu.com.

8. Security

We implement industry-standard security measures including:

• TLS/HTTPS for all data in transit with HTTP Strict Transport Security (HSTS)
• Client-side AES-256-GCM encryption for capsule content
• PBKDF2-SHA256 key derivation with 600,000 iterations (OWASP 2023)
• bcrypt password hashing for account passwords
• JWT-based session management with secure, HttpOnly cookies
• Rate limiting on authentication and sensitive API endpoints
• Security headers (X-Frame-Options, X-Content-Type-Options, CSP)

However, no system is 100% secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law including the Digital Personal Data Protection Act (DPDPA) 2023.

9. India — Digital Personal Data Protection Act (DPDPA) 2023

Preserve U serves users in India and complies with the Digital Personal Data Protection Act (DPDPA) 2023. Under DPDPA, you have the right to:

• Access information about your personal data we process
• Correction and erasure of your personal data
• Grievance redressal — contact our Data Protection Officer at privacy@preserveu.com
• Nominate another person to exercise rights on your behalf in the event of your death or incapacity

We process your personal data on the basis of your consent (given at signup) and for the performance of the service contract. You may withdraw consent at any time by deleting your account.

10. Children's Privacy

Preserve U is not directed to children under 13 (or under 18 without parental consent under DPDPA 2023). We do not knowingly collect personal data from children. If we become aware of such data being collected, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a prominent notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related inquiries or to exercise your data rights: