PRIVACY POLICY

How we handle your information and why we collect no data.

Zefer was designed from scratch with a single principle: your information is yours alone. All encryption and decryption happens exclusively in your browser — or on your own machine if you use the official CLI (zefer-cli). No data is sent, stored, or processed on our servers. It is mathematically impossible for us, or any third party, to access the content of your .zefer files. This policy covers both the web application and the CLI.

AES-256-GCM Encryption

We use AES-256-GCM (Advanced Encryption Standard in Galois/Counter Mode), the same standard used by governments and military organizations. With a 256-bit key, there are 2^256 possible keys, making a brute-force attack on the key computationally infeasible.

PBKDF2 Key Derivation

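Your passphrase is not used directly as the encryption key. It is processed through PBKDF2-SHA256 with 600,000 iterations and a unique random 32-byte salt. Even simple passphrases produce a full-length 256-bit key; the iteration count makes every guess expensive and the salt defeats precomputed tables, but key derivation does not add entropy to a weak passphrase.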

No server, no traces

Zefer is 100% client-side. There is no backend, database, or API that stores your data. The .zefer file is generated and decrypted entirely in your browser. Not even we could access your information, because we never receive it.

.zefer file format

The .zefer files contain a minimal public header (iterations, compression, optional hint and note) and an encrypted block that includes the content, security metadata, expiration, secret question, and IP list. All sensitive information is inside the AES-256-GCM encrypted block and is completely invisible without the key.

Expiration options

You can choose for your .zefer file to expire in 30 minutes, 1 hour, 24 hours, 7 days, or 2 weeks. You can also create files with no expiration. Once expired, the content is unrecoverable.

IP address restriction

Optionally, you can restrict decryption to specific IP addresses (IPv4 and IPv6). The list of allowed IPs is stored encrypted inside the .zefer file, so an attacker cannot see which IPs are authorized without the passphrase. Verification is done by checking the client's public IP at the time of decryption.

No tracking metadata

We do not store IP addresses, user agents, timestamps, or any browsing data. Zefer has no analytics, cookies, or trackers. Your visit to this page is completely anonymous.

Client-side encryption

We use the browser's native Web Crypto API, which provides hardware-optimized and verified cryptographic implementations. We do not rely on third-party libraries, eliminating supply chain risks. This also applies to the site's tools: the password generator and analyzer and the .zefer file analyzer process everything locally — no generated or analyzed password, nor any inspected file, ever leaves your device.
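
The derivation and encryption described in the sections above (PBKDF2-SHA256 with 600,000 iterations, a 32-byte salt, AES-256-GCM through the Web Crypto API), as an added example that is not Zefer's own code. The 12-byte IV, the salt || IV || ciphertext layout, and all function names are assumptions made here; the actual .zefer layout is not shown on this page.

```javascript
// Added example, not Zefer's source. From the page: PBKDF2-SHA256, 600,000
// iterations, 32-byte salt, AES-256-GCM. Assumed: 12-byte IV and the
// salt || iv || ciphertext+tag layout used below.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const ITERATIONS = 600000, SALT_LEN = 32, IV_LEN = 12;

// Stretch the passphrase into a non-extractable AES-256-GCM key.
async function deriveKey(passphrase, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Fresh salt and IV per file; the 16-byte GCM tag is appended by encrypt().
async function encrypt(passphrase, plaintext) {
  const salt = webcrypto.getRandomValues(new Uint8Array(SALT_LEN));
  const iv = webcrypto.getRandomValues(new Uint8Array(IV_LEN));
  const key = await deriveKey(passphrase, salt);
  const ct = new Uint8Array(await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext)));
  const out = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  out.set(salt, 0); out.set(iv, SALT_LEN); out.set(ct, SALT_LEN + IV_LEN);
  return out;
}

// Returns the plaintext, or null when the tag check fails
// (wrong passphrase or modified bytes are indistinguishable to the caller).
async function decrypt(passphrase, blob) {
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(passphrase, salt);
  try {
    const pt = await webcrypto.subtle.decrypt(
      { name: "AES-GCM", iv }, key, blob.subarray(SALT_LEN + IV_LEN));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}

// Constructed sample input: round trip, wrong passphrase, one flipped bit.
async function demo() {
  const secret = "constructed sample secret";
  const blob = await encrypt("correct horse", secret);
  const tampered = Uint8Array.from(blob);
  tampered[tampered.length - 1] ^= 1;
  return { ok: await decrypt("correct horse", blob),
           wrong: await decrypt("wrong guess", blob),
           bad: await decrypt("correct horse", tampered),
           overhead: blob.length - secret.length };
}
```

The fixed overhead is the salt, the IV, and the 16-byte authentication tag; the tag is what makes both a wrong passphrase and a modified file fail cleanly instead of yielding garbage.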

The official CLI (zefer-cli)

zefer-cli applies the same principles: all cryptographic processing happens locally on your machine, with no telemetry, no analytics, and no network connections (the only exception is the public IP lookup if you enable IP restriction, just like on the web). The failed-attempt counter is stored only on your device (~/.zefer/attempts.json). The CLI is distributed as an open-source npm package and as standalone binaries with verifiable SHA-256 checksums.

Regulatory compliance (GDPR, CCPA, LGPD)

Zefer complies with the major international data protection regulations: the EU's GDPR, California's CCPA, and Brazil's LGPD. Since Zefer does not collect, process, or store personal data of any kind, it inherently complies with the principles of data minimization and privacy by design established in these regulations. No cookies, trackers, or analytics are used. For more details, see our terms and conditions.

What we store vs. what we DON'T store

We store

Nothing. Absolutely nothing. Zefer has no server or database.

We NEVER store

  • Plaintext content
  • Passphrase / password
  • IP address
  • User agent / browser
  • Cookies or trackers
  • Usage analytics

Legal framework

Zefer is an open-source project that provides a client-side encryption tool. We do not collect, store, or process personal data. By using Zefer, you accept our terms of service and conditions of use.
