
Privacy and Compliance

José Carrillo edited this page Jun 13, 2026 · 2 revisions


Zefer is built around a zero-knowledge, client-side model: the strongest privacy guarantee is architectural — there is simply no server that ever receives your data.

What Zefer does NOT do

  • No servers store, process, or transmit your text, files, passphrases, or keys.
  • No accounts, no sign-up, no email required.
  • No cookies, no trackers, no analytics, no ads.
  • Nothing is uploaded — encryption and decryption happen entirely in your browser via the Web Crypto API.

What is stored locally (on your device only)

  • User preferences (theme, language, default TTL/iterations/compression, generator settings) in localStorage.
  • Max-attempt counters for files that set a decryption-attempt limit, in localStorage (the CLI uses ~/.zefer/attempts.json).

None of this leaves your device.

The one network call

The only dynamic endpoint is /api/author, which fetches public GitHub profile data for the project page and caches it for one hour. It involves no user data.

Regulatory alignment

Because Zefer collects and transmits no personal data, it aligns cleanly with major privacy regulations:

  • GDPR (EU)
  • CCPA (California)
  • LGPD (Brazil)
  • Colombia Law 1581 of 2012 (data protection)

The /privacy and /terms pages document this in full (and are intentionally noindex, follow). The project is MIT-licensed and open source, so the privacy claims are independently verifiable in the source.

Verifying the claims

  • Read the code — all crypto is in app/lib/ (crypto.ts, zefer.ts, chunked-crypto.ts).
  • Watch the network tab — encrypting/decrypting makes no network requests.
  • Inspect a .zefer file — use the .zefer File Analyzer to confirm only the public header is readable; everything else is AES-256-GCM ciphertext.
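One way to script the "watch the network tab" check, as an added example that is not part of Zefer's code. The function name `installNetworkAudit` is hypothetical, and the allowlist assumes that `/api/author` on the page's own origin is the only request the app should make.

```javascript
// Added example, not Zefer's code. Assumption: "/api/author" (the endpoint named
// on this page) is the only same-origin path the app is expected to request.
function installNetworkAudit(scope, allowedPaths = ["/api/author"]) {
  const seen = [];
  const base = (scope.location && scope.location.href) || "http://localhost/";
  const record = (api, target, body) => {
    const raw = String(target && target.url ? target.url : target);
    let allowed = false;
    try {
      const u = new URL(raw, base);
      allowed = u.origin === new URL(base).origin && allowedPaths.includes(u.pathname);
    } catch { /* unparsable URL: keep it flagged */ }
    seen.push({ api, url: raw, allowed, hasBody: body != null });
  };
  const undo = [];
  // Wrap obj[name] so each call is recorded before the original runs.
  const wrap = (obj, name, api, pick) => {
    if (!obj || typeof obj[name] !== "function") return;
    const orig = obj[name];
    obj[name] = function (...args) {
      record(api, ...pick(args));
      return orig.apply(this === undefined ? obj : this, args);
    };
    undo.push(() => { obj[name] = orig; });
  };
  wrap(scope, "fetch", "fetch", (a) => [a[0], a[1] && a[1].body]);
  wrap(scope.navigator, "sendBeacon", "sendBeacon", (a) => [a[0], a[1]]);
  wrap(scope.XMLHttpRequest && scope.XMLHttpRequest.prototype, "open", "xhr", (a) => [a[1]]);
  if (typeof scope.WebSocket === "function") {
    const Orig = scope.WebSocket;
    scope.WebSocket = new Proxy(Orig, {
      construct(target, args) { record("WebSocket", args[0]); return new target(...args); },
    });
    undo.push(() => { scope.WebSocket = Orig; });
  }
  return {
    seen,                                               // every call observed
    violations: () => seen.filter((e) => !e.allowed),   // anything off the allowlist
    restore: () => undo.forEach((f) => f()),            // remove the hooks
  };
}
```

In the DevTools console, run `const audit = installNetworkAudit(window)` before encrypting or decrypting, then check that `audit.violations()` is empty. These hooks do not see requests issued from workers or by element loads such as images, so the network tab remains the authoritative view.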

See Security Architecture for the cryptographic guarantees and threat model.


📖 Glossary — terms on this page: zero-knowledge · client-side · AES-256-GCM · hash (SHA-256). Full list in the Glossary.
