Version 2

Privacy Policy

Last updated: 2026-05-02

This Privacy Policy explains how ROHIT KUMAR, a sole proprietor registered under the trade name Software Development Consultant and operating Cloudless ("Cloudless", "we", "us", or "our"), collects, uses, stores, and discloses information when you visit our website, create an account, purchase a paid plan, or use the Cloudless application and related services.

1. What Cloudless Is

Cloudless is backup software that helps users create encrypted backups using their own storage providers, such as AWS S3, Google Drive or other supported storage services.

Cloudless is designed so that file contents are encrypted on the user's device before upload. Cloudless does not operate as a general-purpose file hosting service.

2. Information We Collect

We collect only the information reasonably necessary to operate the service, process payments, support users, maintain security, and comply with applicable law.

2.1 Account Information

We may collect:

  • name
  • email address
  • account identifier
  • password hash or authentication credentials metadata
  • billing plan and account status

2.2 Payment and Billing Information

Payments are processed by third-party payment service providers. We do not store full payment card numbers.

We may receive billing-related information such as:

  • payment status
  • subscription status
  • invoice identifiers
  • billing country
  • tax information where required
  • payment processor customer or subscription identifiers

2.3 Service and Device Metadata

We may collect:

  • application version
  • operating system and platform information
  • a device identifier used to maintain separate per-device backup history. On desktop platforms this identifier is derived from a stable machine identifier provided by the operating system; on mobile platforms it is a random identifier generated at first launch and stored locally by the application. The identifier is used to keep file version history scoped to the originating device and is not used for advertising or cross-service tracking.
  • backup configuration metadata needed to provide the service, including encrypted source-directory paths and the operational metadata described in Section 3
  • service logs, error events, and security events

2.4 Website Information

When you visit our website, we may collect:

  • IP address
  • browser type
  • pages visited
  • referral information
  • cookie and session data

2.5 Support Communications

If you contact us, we may collect:

  • your name
  • email address
  • message content
  • attachments or diagnostic details you choose to share

3. What the Server Sees and Does Not See

Cloudless performs all encryption on your device before any backup data is uploaded. The Cloudless server never receives:

  • your passphrase
  • any encryption key derived from your passphrase
  • the plaintext contents of files you back up
  • the plaintext names of files or folders you back up

To operate the service, the Cloudless server does store the following in plaintext. We disclose this so you can evaluate the service against your own threat model:

  • account email and display name
  • a device identifier (see Section 2.3)
  • file sizes, file modification timestamps, and version counts
  • SHA-256 hashes of plaintext file chunks, used for per-user content deduplication. Because the hash is computed from plaintext, the server could in principle detect when a stored chunk matches a known hash. Hashes are scoped per user and are not shared across accounts.
  • a deterministic keyed lookup ("blind index") of encrypted filenames, used so the application can find a previously backed-up file by exact name without the server learning the name itself
  • backup, restore, billing, and operational state
  • service and security logs

For a fuller technical description, see the Security and Data Handling page.
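
The following Python example is an added illustration, not Cloudless code and not part of the policy text. It models the two lookups listed above so the difference can be checked against a threat model: an unkeyed SHA-256 over a plaintext chunk can be tested by anyone holding the stored hashes, while a keyed blind index cannot be tested without the device-held key. HMAC-SHA256 as the blind-index construction, all function names, the key, and the sample files are assumptions made for the example.

```python
import hashlib
import hmac

def chunk_hash(chunk: bytes) -> str:
    """Unkeyed SHA-256 over a plaintext chunk, as described for deduplication."""
    return hashlib.sha256(chunk).hexdigest()

def blind_index(index_key: bytes, filename: str) -> str:
    """Deterministic keyed lookup of a filename (HMAC-SHA256 is an assumption)."""
    return hmac.new(index_key, filename.encode("utf-8"), hashlib.sha256).hexdigest()

def server_view(index_key: bytes, files: dict) -> dict:
    """Model of what one user's server-side record would hold: no names, no contents."""
    return {
        blind_index(index_key, name): [chunk_hash(c) for c in chunks]
        for name, chunks in files.items()
    }

def chunk_is_present(view: dict, candidate: bytes) -> bool:
    """Needs no key: a known chunk can be matched against the stored hashes."""
    target = chunk_hash(candidate)
    return any(hmac.compare_digest(target, h) for hs in view.values() for h in hs)

def name_is_present(view: dict, candidate: str, key: bytes) -> bool:
    """Needs the index key: without it the candidate name maps to a different value."""
    return blind_index(key, candidate) in view

# Constructed sample data (hypothetical key and files, for illustration only).
DEVICE_KEY = bytes(range(32))   # stays on the device in this model
OTHER_KEY = bytes(32)           # any key that is not the device key
FILES = {
    "taxes-2025.pdf": [b"chunk-A", b"chunk-B"],
    "notes.txt": [b"chunk-C"],
}
VIEW = server_view(DEVICE_KEY, FILES)

if __name__ == "__main__":
    print("known chunk matched without key:", chunk_is_present(VIEW, b"chunk-A"))
    print("name matched with device key:   ", name_is_present(VIEW, "notes.txt", DEVICE_KEY))
    print("name matched with other key:    ", name_is_present(VIEW, "notes.txt", OTHER_KEY))
```

Because the blind index is deterministic, two backups of the same filename under the same key produce the same index value, so the record shows that a name recurs even though the name itself is not readable.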

4. How We Use Information

We use information to:

  • create and manage accounts
  • authenticate users
  • process payments and manage subscriptions
  • provide backup, restore, licensing, and account-related functionality
  • respond to support requests
  • detect abuse, fraud, and unauthorized use
  • maintain service reliability and security
  • comply with legal, tax, accounting, and regulatory obligations
  • improve the website and product

We do not sell personal information.

5. Legal Bases for Processing

Where required by applicable law, we process personal data on one or more of the following bases:

  • performance of a contract
  • legitimate interests in operating, securing, and improving the service
  • compliance with legal obligations
  • consent, where required

6. Cookies and Similar Technologies

We may use cookies or similar technologies for:

  • authentication
  • session management
  • security
  • website preferences
  • analytics, where enabled

Please review our Cookie Policy for more information.

7. How We Share Information

We may share information with the following categories of service providers ("subprocessors"), only as necessary to operate the service:

  • payment processors
  • cloud hosting and infrastructure providers
  • email and communication providers
  • analytics or monitoring providers, where used
  • professional advisers, auditors, or regulators where necessary

A current list of subprocessors, including vendor names, processing purpose, and processing location, is maintained at Subprocessors.

We do not share personal information with third parties for their own independent marketing use.

8. Data Retention

We retain personal information only for as long as reasonably necessary to:

  • provide the service
  • maintain account history
  • comply with legal and tax obligations
  • resolve disputes
  • enforce our agreements

We may retain limited backup-related service metadata for operational, security, audit, or billing purposes.

If you delete your account, some information may be retained where required by law or for legitimate business purposes such as fraud prevention, dispute resolution, and accounting.

9. Data Security

We use reasonable technical and organisational measures to protect information, including access controls, encrypted transport, and operational security controls appropriate to the nature of the service.

In the event of a confirmed security incident affecting personal information, Cloudless will notify affected account holders without undue delay after the incident is identified and understood, consistent with applicable law. Where required by law (for example GDPR Article 33), Cloudless will also notify the relevant supervisory authority within the legally required time frame.

No system can be guaranteed to be completely secure.

10. International Transfers

Your information may be processed in countries other than your country of residence. Where required, we use appropriate safeguards for international data transfers.

11. Your Rights

Depending on your jurisdiction, you may have rights to:

  • access your personal information
  • correct inaccurate information
  • request deletion
  • object to or restrict certain processing
  • request portability
  • withdraw consent where processing is based on consent

To exercise any of these rights, contact support@trycloudless.io. We will respond to verifiable requests without undue delay and, where required by law, within one month of receipt. We may extend this period where permitted by law and will inform you if we do so.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local data protection supervisory authority. We would, however, appreciate the chance to address your concerns directly before you approach a regulator.

11.1 Data Controller and Roles

For personal information about account holders and website visitors, ROHIT KUMAR acts as the data controller. Our contact details are listed in Section 15.

Where Cloudless processes personal data on behalf of a business customer (for example, when a business customer uses Cloudless to back up data that includes information about their own users or employees), Cloudless acts as a data processor. Business customers with data processing requirements should contact support@trycloudless.io before using the service for regulated or enterprise workloads.

Cloudless has not designated an EU representative at this time. If an EU representative is required before onboarding EU users under Article 27 GDPR, the representative's name and contact details will be published here.

12. Children's Privacy

Cloudless is not directed to children. Cloudless is intended only for users who are at least 18 years old, consistent with Section 2 of the Terms of Service. We do not knowingly collect personal information from anyone under that age.

13. Third-Party Services

The service may integrate with third-party storage providers and payment providers. Their handling of data is governed by their own terms and privacy policies.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version on our website with a revised "Last updated" date.

15. Contact

For privacy questions or requests, contact:

  • support@trycloudless.io
  • 4th Floor, Seat 130, Plot No. 66, Phase 2, Industrial Area, Chandigarh, Chandigarh 160002, India