Oynux Cloud products are still in development. Please stay tuned and come back soon!

Privacy Policy

Last updated: March 2026

TL;DR — The short version

We cannot read your emails, files, photos, notes, or calendar entries. Everything is encrypted with keys that only you hold. We collect the bare minimum to operate the service — no ads, no profiling, no data sales. You are not the product.

1. Scope and applicability

This Privacy Policy governs the collection, use, and protection of personal information by Oynux ("we", "us", "our") when you use the oynux.com website and all Oynux services, including but not limited to email (webmail.oynux.com), cloud storage (drive.oynux.com), photos (photos.oynux.com), notes (notes.oynux.com), calendar (calendar.oynux.com), and contacts (contacts.oynux.com).

Our infrastructure is located in Québec, Canada, and is subject to Canadian federal and provincial privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Québec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25).

By creating an account or using any Oynux service, you acknowledge that you have read and understood this Privacy Policy.

2. Information we collect

2.1 Account registration

When you create an account, we collect:

  • Username (which becomes the local part of your @oynux.com email address)
  • SRP-6a verifier — a cryptographic derivative of your password. Your actual password is never transmitted to or stored on our servers
  • Cryptographic salt used for key derivation
  • Your public OpenPGP key (public by design)
  • Your encrypted private key — stored in encrypted form only; we do not possess the ability to decrypt it
  • Full name (optional, user-provided)
  • Recovery phrase hash (a one-way cryptographic hash for account recovery validation)

No personal identity documents, phone numbers, or social media accounts are required to create an Oynux account.

2.2 Payment information

Payment processing is handled entirely by Stripe, Inc. We store only the Stripe customer identifier and your subscription status. We do not store, process, or have access to credit card numbers, bank account details, or other financial instruments. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.

2.3 Service usage and logs

Our servers automatically record limited technical information for security and abuse prevention purposes:

  • IP addresses associated with authentication events
  • User agent strings (browser and operating system identifiers)
  • Timestamps of account activity

These logs are retained for a maximum of 14 days and are then permanently deleted. No permanent IP logs are maintained by default. In cases of confirmed abuse or Terms of Service violations, relevant logs may be retained for the duration necessary to address the violation.

2.4 Anti-abuse verification

During account registration, we may employ captcha challenges and device fingerprinting solely for the purpose of preventing automated abuse (bots, spam accounts). Verification data is processed ephemerally and is not used for tracking or profiling.

3. Information we cannot access

Due to the end-to-end encrypted and zero-knowledge architecture of Oynux, we do not have the technical capability to access:

  • The content of your emails, including body text and attachments
  • Files stored in your encrypted cloud drive
  • Photos stored in your encrypted photo library
  • Notes, calendar events, or contacts
  • Your password or private encryption keys

All user content is encrypted client-side using OpenPGP (AES-256) before transmission to our servers. Decryption keys exist solely on your devices and are derived from your password, which is never sent to us. Even under legal compulsion, we are unable to provide the content of your encrypted data because we do not possess the means to decrypt it.

4. How we use your information

We use the information we collect exclusively for the following purposes:

  • Providing, operating, and maintaining the Oynux services
  • Authenticating your identity via the SRP-6a zero-knowledge protocol
  • Processing payments and managing subscription status
  • Detecting, investigating, and preventing fraudulent or unauthorized use
  • Complying with applicable legal obligations
  • Communicating essential service notifications (security alerts, billing, policy changes)

We do not use your data for advertising, behavioral profiling, user analytics, or sale to any third party. We do not engage in data brokering. We do not operate ad-supported services.

5. Legal basis for processing

For users located in the European Economic Area or other jurisdictions with similar frameworks, we process personal data on the following legal bases:

  • Performance of contract: Processing necessary to deliver the services you have subscribed to
  • Legitimate interest: Security logging, fraud prevention, and protection of the service against abuse
  • Legal obligation: Where required by applicable law or regulation
  • Consent: Where you have provided optional information (e.g., recovery email address), which can be withdrawn at any time through your account settings

6. Data sharing and third-party disclosure

We do not sell, rent, lease, or trade personal data under any circumstances. We may disclose limited information to the following categories of recipients:

  • Payment processor (Stripe, Inc.): Billing data strictly necessary for payment processing, governed by standard contractual clauses and Stripe's own privacy commitments
  • Law enforcement authorities: Only when compelled by a valid and binding legal order issued by a court of competent jurisdiction in Canada. In such cases, we can only provide data we actually possess — which excludes all encrypted content. We will challenge overbroad or unlawful requests where possible

We do not use third-party analytics services, advertising networks, social media trackers, or customer profiling tools.

7. Data retention and deletion

  • Account data is retained for the active lifetime of your account
  • Upon account deletion (initiated by you or as a consequence of Terms of Service enforcement), all associated data is permanently erased from our systems within 30 days
  • Server access logs are automatically purged after 14 days
  • Payment records held by Stripe are subject to Stripe's own retention policies and applicable financial regulations
  • Free accounts that remain inactive for 3 consecutive months may be scheduled for deletion after prior notice

8. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Delete your account and all associated data permanently
  • Portability: Export your email via IMAP/SMTP and download your files at any time
  • Restriction and objection: Request restriction of processing or object to specific processing activities
  • Complaint: Lodge a complaint with a relevant supervisory or data protection authority

Most of these rights can be exercised directly through your account dashboard. For requests that cannot be handled through self-service tools, contact [email protected].

9. Cookies and tracking technologies

Oynux uses a strictly limited approach to cookies:

  • Authentication cookie: A single httpOnly, secure cookie containing an encrypted refresh token, required for session management
  • Preference cookies: Local storage entries for theme preference and language selection (client-side only, never transmitted to our servers)

We do not use tracking cookies, analytics cookies, advertising pixels, or any third-party tracking scripts. No Google Analytics, no Facebook pixel, no external telemetry of any kind.

10. Security measures

We implement multiple layers of security to protect your data:

  • All data in transit is protected by TLS 1.3
  • All user content is encrypted at rest using OpenPGP (AES-256)
  • Authentication uses the SRP-6a zero-knowledge proof protocol — your password is never transmitted
  • Optional TOTP-based two-factor authentication
  • Rate limiting and device fingerprinting to prevent brute-force attacks

Despite our best efforts, no method of electronic storage or internet transmission is perfectly secure. We cannot guarantee absolute security of your data. You acknowledge that you use the service at your own risk and are responsible for maintaining the confidentiality of your password and recovery phrase.

To report a security vulnerability: [email protected]

11. Children's privacy

Oynux services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has created an account, we will take steps to terminate the account and delete associated data. If you believe a minor has registered, please contact us immediately.

12. International data considerations

Our servers are located in Canada. If you access the service from outside Canada, your information will be transferred to and processed in Canada. Canada has been recognized by the European Commission as providing an adequate level of data protection. By using our services, you consent to this transfer.

13. Modifications to this policy

We reserve the right to update this Privacy Policy at any time. Material changes will be communicated to registered users by email at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision. Your continued use of the service after the effective date of any changes constitutes your acceptance of the revised policy. In the event of conflicts between translated versions of this policy, the English version shall prevail.

14. Contact

For all privacy-related inquiries, data subject requests, or complaints:

[email protected]