At a glance
- Our browser-based tools process files entirely in your browser. Your files never reach our servers.
- When you buy something, we collect what we need to fulfill the order (name, email, phone, shipping address) and payment is handled by a PCI-compliant payment processor.
- We use a small number of third-party service providers for payments, hosting, email, rate-limiting, and analytics. We describe each one by category below; the specific vendors are available on request.
- We never sell your personal information. You can request access, correction, deletion, or export at any time.
- This policy applies worldwide. If you’re in the EU, UK, California, or Quebec, you have additional rights — see Your Privacy Rights.
Who we are
"CipherForces", "we", "us", and "our" refer to CipherForces Inc., a California corporation located at 6259 Foothill Blvd, Tujunga, CA 91042, USA. For privacy matters, contact privacy@cipherforces.com.
For the purposes of GDPR / UK GDPR, CipherForces is the data controller for information collected through our site and services, except where stated otherwise below.
CipherTools (browser-based tools)
Our tools run inside your browser tab. When you upload a file to a tool like PDF Merger, Image Compressor, Resume Builder, or Contract Generator, the file is processed using JavaScript running on your device. Nothing is uploaded to our servers.You can verify this by opening browser DevTools → Network while using any tool.
A handful of tools have documented exceptions because the underlying function cannot run in a browser:
- SSL Checker calls
/api/ssl-checkbecause TLS handshakes require a server-to-server connection. We send the hostname you enter and discard the result after returning it. - Privacy Checker calls
/api/privacy-checkto fetch the URL you enter. We bound the response to 2 MB and discard it after analysis. - Breach Checker forwards the email address you enter to a third-party public breach-lookup database. We do not store your email or the result.
- Contract Generator signature stamps call
/api/ip-hashto hash your IP address. We never store the hash and never return the raw IP.
What we collect and why
1. Information you provide
- Contact form: name, email, phone (optional), service of interest, message. Used to reply to you.
- Orders: name, email, phone, shipping/billing address, order contents. Used to fulfill orders, send receipts, and for accounting. Payment details are collected directly by our payment processor and we never see the full card number.
- Print design files: files you upload for printing are kept only as long as needed to produce and ship your order, and are deleted after a reasonable retention window once the order is complete. Access is restricted to CipherForces and our production partner.
- Wedding website content: couple names, photos, RSVPs, and other content you add to your wedding site. Retained while the site is live and for a reasonable period after your event, then archived or deleted on request.
- Proposal requests: project briefs sent through
/contactor/startare retained as long as needed to respond and, if applicable, fulfill the engagement.
2. Information collected automatically
- License cookie (
cf_license): HttpOnly, SameSite=Lax, signed with HMAC. Issued after you unlock the Pro license. Expires after 365 days. Strictly necessary — cannot be declined. - Rate-limiting hashes: we briefly store a hash of your IP address in a short-lived key/value store (≤1 hour) to prevent abuse of public endpoints. Never linked to a person.
- Server logs: standard request logs from our hosting provider (method, path, status, user-agent, truncated IP) retained for approximately 30 days.
- Cookies set by analytics / chat: see our Cookie Policy for defaults and how to change them.
3. Information you do not provide
We don't operate user accounts. We don't log into social networks on your behalf. We don't fingerprint your device. We don't build marketing profiles. We don't sell data.
Legal bases (EU / UK users)
- Contract: to fulfill an order you placed (print, license, wedding site, starter package).
- Legitimate interest: to run and secure the site, prevent abuse, reply to inquiries, and keep basic server logs.
- Consent: for optional analytics and live-chat cookies. Withdrawable at any time.
- Legal obligation: to retain tax and accounting records.
Categories of service providers
We share personal information only with service providers who help us run the site, and only to the extent necessary for their purpose. Each provider is bound by data-protection terms. We use providers in the following categories:
| Category | Purpose | Data shared |
|---|---|---|
| Payment processor | Checkout, receipts, tax calculation | Name, email, phone, billing / shipping address, payment token |
| License reseller (Merchant of Record) | Pro license sale and VAT handling | Name, email, payment token, license key |
| Business database | Order + wedding-site records | Order fields, RSVP fields |
| Website hosting / edge functions | Serving the site | Request metadata, truncated IP |
| Object storage | Short-term print-design file storage | Your uploaded design files |
| Rate-limiting service | Abuse prevention | IP hash + request counters |
| Transactional email | Receipts, replies, shipping notices | Email address, message content |
| Analytics (optional, consent-gated) | Aggregate site analytics | Pseudonymous visit data |
| Live-chat widget (optional, consent-gated) | Customer support chat | Chat content, name / email you provide in the chat |
| Public breach database (only when you use the Breach Checker) | Breach lookup | Email address you enter |
| Web-font delivery | Rendering page typography | IP address (transient) |
| User-chosen AI provider (only when you opt into AI features) | AI requests using your own API key | Prompt content \u2014 sent directly from your browser, not through our servers |
You have a right under GDPR Art. 15(1)(c) and CCPA to know the specific providers we use. Email privacy@cipherforces.com with "Sub-processor list request" in the subject and we will send the current list within 30 days. We don\u2019t publish the list because the exact vendors we choose are part of how we run our business, not part of what you need to know to understand our privacy practices.
If you opt into AI features in the Resume Builder or Contract Generator tools, your prompts go directly from your browser to the provider you chose using the API key you supplied. Our servers do not see your key or your prompts.
International data transfers
Most of our sub-processors are US-based. If you're outside the US, your personal information may be transferred to and processed in the United States. Where required by law, we rely on EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent mechanisms through our sub-processors' own terms.
Retention
- Customer orders: kept indefinitely for accounting, warranty, and reorder purposes.
- Print design files: kept indefinitely so we can reprint on request.
- Wedding website content: removed approximately one month after your event. We keep the order record and a full-page screenshot of the site so we have a reference copy of what we delivered.
- Contact-form messages: cycled out approximately one month after resolution.
- Rate-limit hashes and server logs: short-lived; typically minutes to days, depending on the system.
You can request deletion of information that is not subject to a legal-retention requirement at any time by emailing privacy@cipherforces.com.
Your rights
Regardless of where you live, you can request access, correction, deletion, or a portable copy of your personal information by emailing privacy@cipherforces.com. We respond within 30 days (45 days for CCPA requests, extendable once if the request is complex — we'll tell you if we need the extra time).
Region-specific rights (right to object, right to lodge a complaint with your supervisory authority, California "Do Not Sell or Share" request, Quebec Law 25 requests) are described in detail on the Your Privacy Rights page.
Security
We take reasonable technical and organizational measures to protect personal information: HTTPS everywhere, HMAC-signed cookies, rate-limiting, Content-Security-Policy on AI-capable tools, encrypted-at-rest BYO-key storage in the browser, private signed-URL access to any uploaded print files, and least-privilege access controls for admin tooling.
No system is perfectly secure. If you believe you've found a security issue, please email security@cipherforces.com and give us a reasonable time to investigate before public disclosure. We do not pay bounties but we will credit responsible reporters on request.
Children
Our services are not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
Do-Not-Track & Global Privacy Control
We honor the Sec-GPC HTTP header (Global Privacy Control). If your browser sends GPC, we will treat it as an opt-out of sale/share for California / Colorado / Connecticut / Virginia rights. We do not currently process Do-Not-Track headers because the standard is not consistently implemented; the GPC signal is the supported mechanism.
Changes to this policy
We update this policy when our practices or the law change. The "Last updated" date at the top reflects the most recent revision. For material changes, we'll post a banner on the home page for 30 days and email customers with active orders.
Contact
Questions or requests: privacy@cipherforces.com. For copyright concerns, see DMCA & Copyright. For accessibility issues, see Accessibility Statement.