Privacy Policy for Cirrux Backup

Effective date: 2025-06-20

Cirrux (“Cirrux”, “we”, “our”, or “us”) is committed to protecting your privacy and we want to be completely transparent about how we handle your valuable data. This Privacy Policy explains how we collect, use, store, and protect your data when you use Cirrux Backup, especially in connection with your Google account.

1. Information we collect

To create a Cirrux account, we collect and store the following information:

• Your username
• Your password (stored securely)
• Your recovery email address

When you use Cirrux Backup to link your Google account, we collect and process the following information:

• Google Account Data: With your permission, Cirrux accesses your Gmail data via Google’s OAuth APIs to backup your email messages. This includes:
  • Message metadata (consisting of message ID, date, size and the labels attached)
  • Message contents (encrypted before storage)
• Authentication Data: Cirrux stores Google OAuth tokens in a secure, encrypted format so we can keep your backup up to date automatically. We do not have access to or store your Google account password. You can revoke access to your Google account at any time.

2. How we're using your Google data

We use your Google user data only for the purpose of backing up your Gmail emails to your Cirrux account. Specifically:

• We fetch and store encrypted copies of your email messages to enable reliable backups.
• We're using asymmetric encryption to encrypt your email messages, so no one, including ourselves, can read them as soon as they are encrypted.
• We do not and will never read, analyze, or process the contents of your emails other than encrypting and saving them for backup.
• We do not and will never use your Gmail data to train AI or ML models.
• We do not and will never use your Gmail data for advertising or marketing purposes.

3. Encryption and storage

• All email message contents are encrypted using a public/private key pair.
• This key pair is generated and stored on your device.
• Only the public key is stored on our servers; the private key never leaves your device.
• Encrypted data is stored securely on Scaleway servers located in Amsterdam, the Netherlands.
• Cirrux only stores minimal metadata (e.g., message ID, size, date) to support syncing and backups.

4. Data sharing and disclosure

Cirrux does not share, sell, transfer, or disclose your Google user data to any third parties, except:

• When required by law (e.g., lawful requests by public authorities), but the good news is that because your emails are stored encrypted and we don't have the key, there's nothing to hand over.
• To enforce our terms of service or investigate violations

Cirux does not use your Google user data to train AI models.

5. Data retention and deletion

Your data is retained for as long as you maintain an active Cirrux subscription. If you cancel your subscription or delete your account, your encrypted email backups and all related metadata are automatically and permanently deleted within 48 hours. You may request manual deletion of your data at any time by contacting help@cirrux.co.

You can delete your Cirrux account at any time.

6. AI and machine learning

Cirrux does not use any AI or machine learning models that access, analyze, or interact with your Google user data.

7. Your privacy rights

You can revoke Cirrux’s access to your Google account at any time via your Google Account Permissions page. You may also contact us to access, correct, or delete any personal data associated with your account.

8. Contact

If you have any questions or concerns about this Privacy Policy, please contact us at help@cirrux.co.