This Privacy Policy describes how Maskify ("we") collects, uses, stores and protects the personal information of people using the service. It is aligned with the EU General Data Protection Regulation (GDPR) and equivalent local data-protection laws.

1. Data controller

Maskify is a project under active development. For any data-related request, please reach out via the contact page.

2. Data we collect

• User account: email address, optional name and a bcrypt password hash. We never keep the plain-text password.
• Sessions: a signed identifier in anHttpOnly cookie plus basic session metadata (IP and user-agent) for security monitoring.
• Masked documents: only the already-obfuscated text and the positions of the masked entities. We never store the original text; per-entity original values stay empty in the database after export.
• Personal memory patterns: when you save rules with «+» in the editor and choose to remember them for future documents, we store the resulting regex pattern (not the original value) attached to your account. You can review and delete them at any time from your Profile.
• Language: a preference cookie (maskify_lang) so the UI is served in the language you chose.

3. Data we do NOT collect

• No third-party analytics, no advertising cookies.
• We don't share your text with external APIs. PII detection runs on our own infrastructure (the openai/privacy-filtermodel executed in-house).
• We don't keep the reversal map. It's generated in your browser and only downloaded to your disk.

4. Purpose and legal basis

• Service delivery (contract performance, GDPR art. 6(1)(b)): account creation, session management, document processing and result delivery.
• Security (legitimate interest, GDPR art. 6(1)(f)): recording session IP and user-agent to detect suspicious access.
• Email verification (contract performance, GDPR art. 6(1)(b)): sending the verification link at signup.

5. Retention

Your account and your masked documents are kept while the account is active. You may request a full deletion through the contact page. Sessions expire after 14 days.

6. Your rights

You have the right to access, rectify, erase, restrict and object to the processing of your data, plus the right to data portability. You may exercise them by writing through the contact page. You may also file a complaint with your local supervisory authority.

7. Processors

We rely on the hosting provider where the application runs and on a managed PostgreSQL database. We don't systematically transfer personal data outside the European Economic Area.

For transactional emails (account verification, contact-form replies) we use a third-party SMTP provider. It only receives the destination email address and the message content, for as long as needed to deliver it.

8. Cookies

We only use strictly necessary cookies: the session cookie (maskify_session, HttpOnly) and the language preference (maskify_lang). No prior consent is required.

9. Changes to this policy

Any material change is announced on this same page and, where appropriate, by email to registered accounts.