Privacy Policy — CorgiCloud — Built Low. Built Strong. Built Private.

The short version: Your files are encrypted on your machine before they ever reach us. We store only ciphertext. We cannot read your data, we do not sell your data, and we do not share your data with third parties for any commercial purpose. This policy explains exactly what we do collect, why, and how we protect it.

1. Who We Are

CorgiCloud is a backup-as-a-service operated by Short Stack Cloud Services LLC, a limited liability company based in Norman, Oklahoma. When this policy says "we," "us," or "CorgiCloud," it means Short Stack Cloud Services LLC.

Contact: support@corgicloud.org

2. The Zero-Knowledge Model

CorgiCloud uses a zero-knowledge encryption architecture. This means:

Your backup passphrase is entered on your device only. It is never transmitted to our servers.
Your encryption key is derived locally from your passphrase using Argon2id key derivation. The derived key never leaves your machine.
All file data is encrypted on your device using AES-256-GCM before being transmitted over TLS 1.3 to our servers.
We store only encrypted ciphertext. Without your passphrase, the stored data is computationally indecipherable — to us, to attackers, and to anyone else.
File restores are decrypted on your machine after download. Our servers never see plaintext file contents.

Practical consequence: If you lose your passphrase, we cannot recover your data. There is no password reset for your backup encryption. Please store your passphrase in a password manager.

3. What We Collect

Account Information

When you sign up, we collect your name, email address, and billing information. This information is used solely to operate your account, communicate with you, and process payments.

Backup Metadata

Our systems record metadata about backup operations, including timestamps, file counts, backup sizes, and completion status. This metadata does not include file names, file paths, or file contents — it is operational data used to monitor service health and your account usage.

Encrypted Backup Data

We store the encrypted ciphertext of your backups. As described above, this data is encrypted with keys only you possess. We cannot access the contents of this data.

Service Logs

Our servers maintain standard access logs including IP addresses, connection timestamps, and bytes transferred. These logs are used for security monitoring, abuse prevention, and capacity planning. Logs are retained for a maximum of 90 days.

Contact Information

When you contact us via email or our contact form, we retain those communications to provide support and maintain a record of our interactions.

4. What We Do Not Collect

We do not collect or store your backup passphrase or encryption keys.
We do not collect file names or file paths from your backups.
We do not use tracking pixels, behavioral analytics, or advertising cookies.
We do not use third-party analytics services (Google Analytics, etc.) on our web properties.
We do not build advertising profiles or sell data to data brokers.

5. How We Use Your Information

We use the information we collect only to:

Operate and maintain your backup service
Communicate with you about your account, service status, and support requests
Process payments and maintain billing records as required by law
Monitor for abuse, security incidents, and service problems
Comply with legal obligations

We do not use your information for advertising, profiling, or any purpose unrelated to providing the backup service you subscribed to.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

Service Providers

We use a small number of third-party service providers to operate our business, including payment processing. These providers are contractually prohibited from using your data for any purpose other than providing the service to us.

Legal Requirements

We may disclose information if required by law, court order, or valid legal process. Because of our zero-knowledge architecture, any compelled disclosure of backup data would yield only encrypted ciphertext that cannot be decrypted without your passphrase.

Business Transfer

In the event of a merger, acquisition, or sale of assets, subscriber information may be transferred to the successor entity. We will notify affected customers before any such transfer and provide options to delete their data.

7. Data Retention

Your encrypted backup data is retained as long as your account is active and for a short grace period after cancellation to allow for account recovery. Upon final account deletion, all backup data is permanently deleted from our servers within 30 days.

Billing records are retained for the period required by applicable law (typically 7 years).

Access logs are retained for a maximum of 90 days.

8. Security

We take the security of our infrastructure seriously. Our servers run on hardened Linux with full-disk encryption. Backup data is stored on RAID-Z2 arrays. All data in transit is protected by TLS 1.3. Access to production systems is restricted to authorized personnel only.

However, no system is perfectly secure. The zero-knowledge encryption model provides strong protection for your file contents even in the event of a server compromise, since encrypted ciphertext is unusable without your key.

9. Your Rights

You have the right to:

Access the personal information we hold about you
Correct inaccurate information
Request deletion of your account and associated data
Export your account metadata
Opt out of non-essential communications

To exercise any of these rights, contact us at support@corgicloud.org.

10. Cookies

Our marketing website does not use tracking cookies. Our backup portal uses a single session cookie to maintain your login state. This cookie is strictly necessary for the service to function and is not used for tracking or advertising.

11. Children's Privacy

Our services are not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. We will notify active subscribers by email of any material changes at least 30 days before they take effect. The current version will always be posted at corgicloud.org/privacy-policy.html.

13. Contact

Questions or concerns about this privacy policy? Contact us:

Short Stack Cloud Services LLC
Norman, Oklahoma
support@corgicloud.org