
Foldyni Privacy Policy

Effective date: 2026-05-31
Version: 1
Applies to: Foldyni mobile app (iOS and Android), closed beta.

Foldyni is a private document drawer. You upload your documents; we store them encrypted and serve them back to you. This policy explains, in plain language, exactly what we collect, what we do not, how it is protected, and what is changing in the next version. We have tried to be honest rather than reassuring — where the current version makes a privacy compromise, we say so.

---

1. Who we are

Foldyni is operated by Custavia. For any privacy question, data request, or complaint, contact us at hello@custavia.com. This mailbox is monitored.

2. Identity and sign-in

We use Firebase Authentication (a Google service) to sign you in. When you create an account, Firebase — not Foldyni — holds your login credential.

  • We never see or store your password. Authentication is handled entirely by Firebase/Google.
  • From Firebase we receive your email address and display name, which we store to identify your account and your documents.

Google's handling of your authentication data is governed by Google's own privacy policy.

3. What we collect

When you use Foldyni, we store:

  • Your account identity — email address and display name, from Firebase.
  • Your uploaded files — the actual bytes of every document you upload. These are envelope-encrypted before they touch our storage (see §5). Our storage layer never sees your file contents in readable form.
  • Document metadata — for each document:
      • Filename. In the current version, the original filename is stored on our servers in readable (unencrypted) form. **This means Foldyni infrastructure can see your filenames today.** This changes in v1.1, when filenames move inside the encrypted blob and are no longer visible to us (see §10).
      • File size, content type (e.g. PDF, JPEG), and timestamps (created, updated).
  • **Extracted text and entities — only when you turn on "Make searchable" for a document.** When you enable searchability, Foldyni extracts the text from your document so you can search it later.
      • **Today, this extracted text is stored on our servers in unencrypted form so that search works. This is a known privacy compromise of the current version.** We plan to move search entirely onto your device in v1.1, so that we no longer hold this text at all (see §10). We are telling you this up front because you are trusting us with your documents, and you deserve to know exactly what we can see.
      • If you never turn on "Make searchable" for a document, we do not extract or store its text.
  • Crash reports and optional usage telemetry — content-free.
      • Crash reports. To find and fix bugs during the closed beta, Foldyni sends crash reports when the app crashes. A crash report contains technical diagnostics (error type, stack trace, app version, device model, OS version) and is **scrubbed on your device before it is sent**: emails, phone numbers, and ID numbers (Aadhaar, PAN, card-like 16-digit numbers) are redacted, and your account id is replaced with a one-way hash so we can group a user's crashes without storing who you are.
      • Usage telemetry. Separately, the app sends **anonymous usage telemetry, on by default during the beta**, and you can turn it off any time at Settings → Privacy → Help improve Foldyni (the app also tells you this the first time you open it). Usage telemetry means: the names of screens you visit and how long you spend on them, simple counts of features you use, and performance timings (such as how long the app takes to start). It is processed for us by PostHog (servers in the United States), tied only to the same one-way hash — never your email or account id.
      • Diagnostic logs. **Diagnostic logs are sent only when you choose to send them: the Share / Submit buttons in Settings → Diagnostics & logs**, and the optional log attachment in Help & Feedback, are always user-initiated and scrubbed on your device first.
      • Neither crash reports, telemetry, nor diagnostic logs ever include document contents, titles, filenames, extracted text, search queries, or anything you type. The full, plain-language list is in the app at **Settings → Privacy → What telemetry collects**.
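To make the on-device scrubbing described above concrete, here is an added example (not Foldyni's own code) of a crash-report scrubber: the redaction patterns, the sample report, and the field names are assumptions, chosen to match the categories the policy lists (emails, phone numbers, Aadhaar, PAN, card-like 16-digit numbers, and a one-way hash in place of the account id).

```python
import hashlib
import re

# Redaction rules, applied in this order: the longer, more specific formats
# first, so a 16-digit card number is not half-eaten by the 12-digit Aadhaar
# rule, and neither is mistaken for a 10-digit phone number. (Assumed patterns.)
RULES = [
    ("[EMAIL]", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("[CARD]", re.compile(r"\b(?:\d[ -]?){15}\d\b")),                   # 16 digits, optional separators
    ("[AADHAAR]", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")),          # 12 digits, 4-4-4
    ("[PAN]", re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")),                    # e.g. ABCDE1234F
    ("[PHONE]", re.compile(r"(?:\+\d{1,3}[ -]?)?\b\d{5}[ -]?\d{5}\b")),  # 10 digits, optional +CC
]

def scrub_text(text: str) -> str:
    """Replace anything matching a redaction rule with its placeholder."""
    for placeholder, pattern in RULES:
        text = pattern.sub(placeholder, text)
    return text

def pseudonymous_id(account_id: str) -> str:
    """One-way hash of the account id: stable per user, so crashes can be
    grouped, while the id itself never leaves the device."""
    return hashlib.sha256(account_id.encode("utf-8")).hexdigest()

def scrub_crash_report(report: dict) -> dict:
    """Return a copy that is safe to send: hashed user, scrubbed free-text fields;
    purely technical fields (app_version, device, os) pass through unchanged."""
    scrubbed = dict(report)
    scrubbed["user"] = pseudonymous_id(report["user"])
    scrubbed["message"] = scrub_text(report["message"])
    scrubbed["stack"] = [scrub_text(line) for line in report["stack"]]
    return scrubbed

# Constructed sample of a raw report before scrubbing (all values made up).
RAW_REPORT = {
    "user": "user-123",
    "error_type": "UploadFailed",
    "message": ("Upload failed for ravi.kumar@example.com (PAN ABCDE1234F, "
                "card 4111 1111 1111 1111, Aadhaar 2345 6789 0123, phone +91 98765 43210)"),
    "stack": ["at UploadWorker.run(UploadWorker.kt:142)", "at Scheduler.tick(Scheduler.kt:58)"],
    "app_version": "1.0.0-beta", "device": "Pixel 7", "os": "Android 14",
}

if __name__ == "__main__":
    for key, value in scrub_crash_report(RAW_REPORT).items():
        print(f"{key}: {value}")
```

Note that the phone rule deliberately over-matches: any bare 10-digit run (a build number, say) is redacted too, which is the safe direction for a report that leaves the device.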

4. What we do NOT collect

We want to be specific about this. Foldyni does not collect:

  • Your location. No GPS, no IP-based geolocation for tracking.
  • Your contacts.
  • Your browsing history.
  • Advertising identifiers (IDFA, GAID) — we run no ads.
  • Behavioural tracking or profiling for advertising. Usage telemetry (on by default during the beta, with an always-working off switch — see §3) collects only screen names, time-on-screen, feature counts, and performance timings, processed by PostHog as described in §3. We do not build advertising profiles, we run no ads, and we never collect document contents, titles, filenames, extracted text, search queries, or anything you type — not in crash reports, telemetry, or diagnostic logs. We embed no advertising SDK and no ad-network trackers.
  • Your password — as noted in §2, Firebase holds your credential, not us.

We do not sell your data. We do not share it with advertisers. There are no ad networks and no marketing trackers in Foldyni.

5. How your documents are protected (encryption posture)

  • File bytes are protected with envelope encryption. Every document gets its own fresh 256-bit data encryption key (DEK). That per-document key is itself wrapped (encrypted) with a master key that is never stored alongside your data. Files are encrypted before they are written to storage, so the storage system only ever holds ciphertext.
  • Honest caveat about extracted text. As stated in §3, the encryption above protects your *file bytes*. It does not today protect the *extracted text* of documents you mark searchable — that text is stored unencrypted on our servers so search can run server-side. We consider this a temporary compromise and are removing it in v1.1 by moving search onto your device.
  • Honest caveat about filenames. As stated in §3, the original filename is stored unencrypted today and is therefore visible to our infrastructure. This also changes in v1.1.

6. Sharing

Foldyni supports household sharing so you can share documents with people in your household.

  • Today, sharing is enforced by server policy. That means our server decides who may access a shared document and enforces those rules. It does *not* mean the document is cryptographically locked to only the intended recipients — the enforcement lives in our access-control logic, not in the encryption keys.
  • In v1.1, sharing becomes cryptographically enforced, so access is governed by who holds the keys rather than by server-side policy alone (see §10).

We do not share your documents with anyone you have not chosen to share them with.

  • Inviting someone to your household. When you invite a person to your household, Foldyni sends them an email containing only your display name, the name you gave your household, an expiry date, and a one-time accept link. The email never contains any of your documents, filenames, or other personal data. If the person you invited does not yet use Foldyni, we store the email address you entered as part of the invite record so the invite can be matched when they install the app. That address is retained with the invite record, including after the invite is accepted, declined, revoked, or expired.

7. Third parties

Foldyni relies on a deliberately small set of third parties:

  • Firebase Authentication (Google) — sign-in and identity (§2).
  • MinIO object storage — where your encrypted file bytes live. Today this is self-hosted by us. It may move to a hosting provider such as Hetzner or Oracle Cloud Infrastructure (OCI) in future; if so, the provider stores only encrypted bytes.
  • Crash and telemetry collector (self-hosted). Crash reports and, if you opt in, anonymous usage telemetry (§3) are sent to a **self-hosted, Sentry-API-compatible collector (GlitchTip) that we operate ourselves** — not a third-party analytics vendor. It receives only the scrubbed, content-free data described in §3.

That is the full list. There are no third-party analytics vendors, no advertising networks, and no content delivery network (CDN) that can see your documents in readable form. Our crash and telemetry collector is self-hosted and receives only scrubbed, content-free data.

8. Data retention and deletion

  • You can delete your account. When you request account deletion, your data enters a 7-day cooldown period, after which it is fully erased. The cooldown protects you from accidental or malicious deletion; once it elapses, the erasure is complete and irreversible.
  • We do not keep your documents after erasure completes.
  • Account suspension does not erase any data. If your account is suspended — for example because a subscription payment could not be renewed, or because of a Terms of Service or security review — your documents and metadata are retained, intact and unchanged, for the duration of the suspension. Suspension is reversible: it temporarily limits your account to read-only access (you can still view and search documents you have already synced, but cannot upload, share, or sync) until the suspension is lifted, at which point full access is restored without signing in again. Nothing is deleted as a result of suspension. If you would rather not wait, the "Cancel my account" option remains available from the suspension screen and follows the same 7-day-cooldown erasure described above.

9. Your rights

Depending on where you live (for example under the EU/UK GDPR, India's DPDPA, California's CCPA, or the Australian Privacy Principles) you may have the following rights. Foldyni supports them as follows:

  • Erasure ("right to be forgotten") — supported. Delete your account; see §8.
  • Rectification (correcting your data) — supported. You can edit your documents and account details in the app.
  • Access (getting a copy of your data) / data export — **planned, not yet available** in the closed beta. Contact us at hello@custavia.com in the meantime and we will help manually.
  • Portability (machine-readable export): planned, not yet available.

To exercise any right, or if you are unhappy with how we have handled your data, contact hello@custavia.com.

10. What is changing in v1.1 (forward-looking)

We are telling you our direction so you can judge the trajectory, not just today's snapshot. None of the following is shipped yet — this section describes our plans, and plans can change.

  • On-device search. Extracted text will be processed and stored on *your device* rather than on our servers, so we will no longer hold the searchable text of your documents (§3, §5).
  • Encrypted filenames. Filenames will move inside the encrypted blob and will no longer be visible to Foldyni infrastructure (§3, §5).
  • Cryptographically enforced sharing. Household sharing will be governed by encryption keys rather than server-side policy alone (§6).
  • Client-held encryption keys — and the no-recovery trade-off. Today the key that unwraps your documents is held by Foldyni infrastructure. In v1.1 that key moves entirely onto your device and into a recovery phrase that only you hold; Foldyni will no longer keep a copy. This is what makes your documents genuinely private — but it has an honest cost you should understand before you rely on it: **if you lose both your device and your recovery phrase, your documents cannot be recovered. Not by you, and not by us — because we will no longer hold the key to decrypt them.** The same protection that stops anyone else from reading your documents also means we cannot rescue them for you. Households with two or more members will be able to use social recovery (another member re-grants access); a solo user who loses both factors has no recovery path. When this ships, Foldyni will prompt you to save your recovery phrase and will let you view it again under Settings → Security. Please keep it somewhere safe.

When v1.1 ships, we will update this policy and its effective date.

11. Children

Foldyni is not directed at children and is not intended for use by anyone under the age required to form a binding agreement in their jurisdiction.

12. Changes to this policy

If we make a material change to how we handle your data, we will update this document, bump the version, and require you to re-accept the updated policy the next time you sign in. Minor clarifications that do not change our data practices may be made without re-acceptance.

13. Change log

  • v1 — 2026-05-31 — Initial privacy policy for the Foldyni closed beta. Documents content-free crash reporting and opt-in, off-by-default usage telemetry (see §3, §4, §7).