Privacy as a Right

Privacy Shield

Your data isn't a product. It's yours. Here's exactly how we protect it.

Encryption That's Honest About What It Does

Your data is always encrypted — at rest and in transit. How it's encrypted depends on your account settings and the type of data.

  • Standard Accounts: Your personal data is encrypted at rest using AES-256-GCM with a server-held key. This protects against database breaches while allowing account recovery if you forget your password. The server can decrypt this data for legitimate operations.
  • DeepWeave Mode (Opt-In): When you enable DeepWeave, your sensitive personal data is encrypted with a key derived from your password. We cannot decrypt it. This is true zero-knowledge — but losing your password and recovery phrase means your encrypted data is gone permanently.
  • End-to-End Encrypted DMs (Planned): Private messaging with end-to-end encryption is on our roadmap. When launched, message keys will stay on your device.
  • Internal Access Controls: Least-privilege access ensures no one at Weavid can view your account data unless a specific, verified safety report requires it. All access is logged.
  • No Ghost Data: When you delete something, it's gone. We do not maintain "shadow copies" or backup archives of your deleted media.

EU Data Residency

Your personal data, databases, encryption key management, and backups are hosted in France by European providers. Public media content (videos, images) is delivered via Cloudflare for global performance and may be distributed across regions.

  • Application Server: Hostinger, France
  • Database: Scaleway Serverless SQL, Paris, France
  • Key Management (Abuse/Legal Hold): Scaleway Key Manager (HSM-backed), Paris, France
  • Media Storage: Cloudflare R2 (public media, may be distributed globally)
  • Backups: Double-encrypted, EU storage

Personal data stays in the EU. Your account data, messages, and encryption keys are subject to EU data protection laws (GDPR). Public media content is delivered via Cloudflare for performance and may be replicated globally.

Minimal Data Collection

We collect only what's absolutely necessary to run the platform. Nothing more.

  • IP Address Truncation: We strip the last octet and hash your IP for rate limiting. Only a 2-letter country code is stored — never your city or precise location.
  • No Trackers: Zero third-party analytics. No Facebook Pixel, no Google Analytics, no advertising cookies, no UTM parameters on any URLs.
  • No Contact Access: We will never request access to your phone contacts or address book.
  • Opt-In by Default: Every feature is off until you choose to enable it. We never opt you in to anything without explicit consent.
  • Clean URLs: Share links and video URLs contain no tracking parameters. We don't track who clicks what.
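The truncate-then-hash step from the IP Address Truncation item, as an added example that is not Weavid's own code. It goes beyond the page by keying the hash with HMAC-SHA256 and by handling IPv6; `RATE_LIMIT_KEY`, the /64 IPv6 cut and all function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Assumption: a server-side secret keys the hash. A truncated IPv4 address has
# only 2**24 possible values, so an unkeyed hash of it is a weak pseudonym.
RATE_LIMIT_KEY = b"constructed-demo-key"

# Assumption: IPv6 is cut to its /64 network; the page only describes IPv4.
PREFIX_BITS = {4: 24, 6: 64}


def truncate_ip(raw: str) -> str:
    """Zero the host part: the last octet for IPv4, the low 64 bits for IPv6."""
    addr = ipaddress.ip_address(raw.strip())  # raises ValueError on bad input
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so one client maps to one bucket.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{PREFIX_BITS[addr.version]}", strict=False)
    return str(net.network_address)


def rate_limit_bucket(raw: str, key: bytes = RATE_LIMIT_KEY) -> str:
    """Keyed hash of the truncated address, used as the rate-limit counter key."""
    return hmac.new(key, truncate_ip(raw).encode(), hashlib.sha256).hexdigest()


def check_unkeyed_hash(stored_hex: str, prefix: str) -> Optional[str]:
    """Design check: can a stored hash be matched by listing x.y.N.0 candidates?"""
    for third in range(256):
        candidate = f"{prefix}.{third}.0"
        if hashlib.sha256(candidate.encode()).hexdigest() == stored_hex:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges.
    for ip in ("203.0.113.77", "::ffff:203.0.113.9", "2001:db8:1:2:3:4:5:6"):
        print(ip, "->", truncate_ip(ip), rate_limit_bucket(ip)[:16])
```

The check returns the truncated address for a plain SHA-256 digest and `None` for the HMAC output, which is why the key is kept separate from the stored counters.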

Encryption Details

Different data types use different encryption strategies — here's exactly what's in place.

  • Algorithm: AES-256-GCM (authenticated encryption) in all encryption modes
  • Standard PII: Encrypted server-side with a dedicated encryption key, separate from database credentials
  • DeepWeave PII: Encrypted with a user-derived key (Argon2id) — server cannot decrypt
  • Abuse Reports & Legal Hold: HSM-backed envelope encryption via Scaleway Key Manager (Paris) with automated weekly key rotation
  • Key Versioning: All encryption systems support key versioning for rotation without downtime
  • Transport Security: TLS 1.2/1.3 for all connections with Cloudflare Origin certificates

For full legal terms and detailed data handling policies, see our Terms of Service & Privacy Policy.

For technical security details, see our Security page.

Questions about your data? [email protected]