Legal
Filum — Privacy Policy
1. The short version
Filum is a document vault built so that we cannot read your documents. Your files are encrypted on your device with keys derived from a 24-word recovery key that the app generates for you — key material that never leaves your device and that we never receive, store, or have any way to obtain. This is what "zero-knowledge" means: even we cannot decrypt your vault.
Because of this architecture, the personal data we actually hold about you is deliberately minimal. This policy explains exactly what that is, what stays on your device, who our service providers are, and the rights you have.
2. Who we are (data controller)
Filum is operated by CorvidSoft, the trade name of the sole proprietorship (eenmanszaak) of Ivan Fossa Ferrari, based in Amsterdam, the Netherlands ("Filum", "we", "us", "our").
- Registered business / KvK number: 42082054
- Privacy contact: privacy@corvidsoft.dev
- Postal address: Hortusplantsoen 16, 1018TZ Amsterdam, Netherlands
For the purposes of the EU General Data Protection Regulation ("GDPR"), Filum is the data controller for the limited personal data described below.
3. Our privacy architecture (how "zero-knowledge" actually works)
Understanding the architecture is the fastest way to understand this policy:
- Encryption happens on your device. Encryption and decryption are performed locally using a Rust-based cryptography core running inside the app. Your encryption keys are derived from a 24-word recovery key that Filum generates on your device during setup. Filum does not use a chosen password; the recovery key is the single secret that protects your vault. We never receive your recovery key or your derived encryption keys.
- We store only ciphertext. When your encrypted documents and their encrypted metadata leave your device for backup and sync, they arrive at our storage already encrypted. We have no ability to decrypt them.
- Document intelligence runs on your device. Features such as automatic document classification and field extraction are performed on-device using Apple's on-device Foundation Models. The contents of your documents are not sent to our servers, to Apple, or to any third party for this processing.
- Even sensitive documents stay unreadable to us. If you choose to store documents that contain sensitive information (for example health, financial, or identity documents), we still only ever hold encrypted ciphertext. We do not process the content of those documents and cannot access any special-category data inside them.
4. What data we process
4.1 Data that stays on your device (we never receive it)
- Your 24-word recovery key.
- Encryption/decryption keys derived from them.
- The decrypted contents of your documents while you are viewing or editing them.
- The results of on-device AI classification and field extraction.
4.2 Data we hold, but cannot read
- Encrypted document files ("blobs"), stored for backup and cross-device sync.
- Encrypted document metadata (such as titles, tags, and classification labels), stored so the app can list and organize your vault.
We store these as opaque ciphertext. We cannot see filenames, titles, contents, or categories.
4.3 Account and technical data we can read
- An anonymous account identifier (UUID). Your account is identified by a randomly generated identifier. It is not derived from your name, email, or any other identifying information.
- Subscription status. Whether your account is on the free tier or has an active premium subscription, and related purchase/receipt data needed to unlock features. This is handled through our subscription provider (see Section 5) and is tied to the anonymous UUID.
- Essential technical/operational data. Limited server-side logs necessary to run and secure the service — for example, timestamps of sync requests, byte counts, error codes, and the IP address used to make a request. We use these for reliability, abuse prevention, and security, and retain them for a short period (see Section 8).
4.4 Data we do not collect
Unless you voluntarily provide it (for example when you email support), we do not collect:
- Your name, email address, phone number, or mailing address.
- The contents, titles, or categories of your documents.
- Contacts, photos library, location, or advertising identifiers.
- Behavioral analytics for advertising or cross-app tracking. Filum does not track you and contains no third-party advertising or analytics SDKs. (Confirm this matches your final build; if you later add crash reporting or analytics, update this section and your App Privacy label.)
4.5 Diagnostics
Filum does not embed third-party analytics or crash-reporting SDKs. If you have enabled Apple's system-level "Share With App Developers" analytics in your iOS Settings, Apple may share aggregated, anonymized crash and usage diagnostics with us. You control this in Settings › Privacy & Security › Analytics & Improvements at any time.
4.6 Support communications
If you contact us for support, we process the contents of your message and whatever contact detail you use to reach us, solely to respond to and resolve your request.
5. Service providers (sub-processors)
We keep our stack deliberately small. We share data with the following providers only to the extent necessary to run the service:
| Provider | What they process | Purpose |
|---|---|---|
| Apple | Your purchase and payment information; on-device Foundation Models processing occurs locally on your device | App distribution, in-app purchases and subscriptions, on-device AI. Payments are handled by Apple — we never receive your card or payment details. |
| RevenueCat | Your anonymous account UUID, subscription/receipt status, and technical metadata (app version, and country/region and IP used for the request) | Subscription management and entitlement checks. RevenueCat receives no document data and no name or email. |
| DigitalOcean | Encrypted document blobs and encrypted metadata; request logs | Encrypted storage (Spaces), encrypted database (Managed Postgres), and backend hosting. All document data is encrypted before it reaches them. |
We do not sell your personal data, and we do not share it for advertising or cross-context behavioral advertising.
6. Legal bases for processing (GDPR)
- Performance of a contract (Art. 6(1)(b)). Storing and syncing your encrypted vault, maintaining your account, and processing your subscription so you can use the service.
- Legitimate interests (Art. 6(1)(f)). Keeping the service secure and reliable, preventing fraud and abuse, and maintaining short-lived operational logs. Our interest is running a safe, functioning service; because the data involved is minimal and non-identifying, this does not override your rights.
- Consent (Art. 6(1)(a)). Any strictly optional processing (for example, if we later introduce opt-in diagnostics). You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)). Retaining certain transaction records where tax or accounting law requires it.
7. International data transfers
Personal data is processed on infrastructure located in the European Union (Amsterdam). Some providers (for example RevenueCat) are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses. Because the data transferred is minimal, non-identifying, and (for documents) encrypted ciphertext we cannot decrypt, the exposure from any such transfer is very limited.
8. Data retention
- Encrypted documents and metadata: retained while your account is active. When you delete your account, they are deleted from our active systems and purged from backups within [30] days.
- Subscription/transaction records: retained for as long as required to provide the service and to meet tax and accounting obligations.
- Operational logs: retained for a short period (typically [30–90] days) for security and reliability, then deleted or aggregated.
9. Your rights
Because we hold so little identifiable data about you, most control over your information sits directly in the app. In addition, under the GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to certain processing.
- Data portability — receive your data in a portable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority.
A practical note: if you ask us for a copy of "all data we hold about you," what we can return is the limited account and subscription metadata described in Section 4.3. We cannot provide the contents of your documents, because they are encrypted with keys we do not have — those already live in your control inside the app, where you can export them.
To exercise any right, contact privacy@corvidsoft.dev. If you are in the EU/EEA, you may also complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local authority.
10. Account deletion
You can delete your account and its associated data from within the app at any time (in line with Apple's requirements). Deleting your account removes your encrypted vault and account metadata from our systems as described in Section 8. Cancelling a subscription is handled separately through your Apple ID (see the Terms of Service); deleting your account does not automatically cancel an active App Store subscription.
11. Security
- End-to-end encryption with a Rust-based cryptographic core; keys are derived on-device and never transmitted to us.
- Encryption in transit (TLS) between the app and our backend.
- Encryption at rest for stored ciphertext.
- Minimization: we design the system so that plaintext access is not possible for us.
No system is perfectly secure, and the trade-off of zero-knowledge design is real: if you lose your 24-word recovery key, we cannot restore access to your vault (see the Terms of Service).
12. Children
Filum is not directed at children. You must be at least 16 years old (or older where required to form a binding agreement in your jurisdiction) to use the app. We do not knowingly collect data from anyone under this age.
13. California residents (CCPA/CPRA)
If you are a California resident: the categories of personal information we process are described in Section 4, we process them for the business purposes described in this policy, and we do not "sell" or "share" personal information as those terms are defined under California law. You have the right to know, delete, and correct your personal information, and not to be discriminated against for exercising these rights. Contact us at privacy@corvidsoft.dev to make a request.
14. Changes to this policy
We may update this policy from time to time. When we do, we will change the "Last updated" date above and, for material changes, provide notice in the app or on our website. Continued use of Filum after an update means you accept the revised policy.
15. Contact
Questions about privacy? Reach us at privacy@corvidsoft.dev. CorvidSoft (eenmanszaak of Ivan Fossa Ferrari), Amsterdam, the Netherlands.