Privacy Policy

ConfigSync is a developer environment sync tool operated by Inventive HQ, Inc. (“we,” “us”). This policy explains what information we collect when you use ConfigSync, how we use it, and the third-party services that process it on our behalf.

ConfigSync syncs your dotfiles, secrets, and configuration with client-side end-to-end encryption. Content is encrypted on your machine before it ever leaves it, using AES-256-GCM with a 256-bit key derived from your master password via PBKDF2-SHA-256 (100,000 iterations, 32-byte random salt per account).

The encryption keys never leave your machine, and we never receive them. As a result, the synced content stored on our servers is ciphertext that we cannot decrypt and we cannot read. If you forget your master password, we cannot recover your data — this is the cost of zero-knowledge.

• Account information. Email address, display name, and a bcrypt-hashed password verifier (cost factor 10). We never store your password in plaintext.
• Encrypted sync payloads. Ciphertext blobs we cannot decrypt. We see the size, the timestamp of upload, and an opaque machine identifier — not the contents.
• Payment information. Billing is processed by Stripe. We do not store card numbers; Stripe gives us a tokenized reference and the last four digits for display.
• API tokens. Stored as SHA-256 hashes; we never display them after creation.
• API logs & usage. For each request: the endpoint, timestamp, status, IP address, and user agent. Used for rate-limiting, abuse detection, and metrics.
• Audit logs (Team tier). Records of who took what action when (sync, share, key rotation), so admins can review activity in their workspace.

• To operate the sync service and deliver ciphertext between your machines.
• To bill you for paid plans.
• To detect and prevent abuse, fraud, and security threats.
• To respond to support requests.
• To send transactional account notices (security events, billing receipts, plan changes).

We do not sell your personal information. Because we cannot decrypt your sync content, we cannot use it for any purpose even if we wanted to.

• Cloudflare — hosting, Workers, D1, R2. All ConfigSync infrastructure runs on Cloudflare.
• Stripe — payment processing.
• GlitchReplay — browser-side error monitoring of the ConfigSync web dashboard (see §6).

We use GlitchReplay, an error-tracking service operated by InventiveHQ, to capture browser-side errors so we can identify and fix bugs.

When an uncaught JavaScript error, unhandled promise rejection, or failed resource load occurs in your browser, we send GlitchReplay:

• The error message and stack trace
• The URL of the page where the error happened
• Browser, operating system, and rough geographic region (country)
• A timestamp

We do not send: form input, cookies, localStorage, auth tokens, or any directly identifying personal information. Encrypted sync payloads are never transmitted to GlitchReplay — and even if they were, the server-side data is ciphertext we cannot decrypt.

Data is stored on Cloudflare infrastructure in the United States and retained for up to 30 days.

We use only essential cookies needed to keep you signed in and to protect against CSRF. We do not use advertising cookies or third-party tracking pixels.

• Account data: retained while your account is active; purged within 30 days of account deletion.
• Encrypted snapshots: retained per your plan tier (Free 30 days of history, Pro and Team longer). Old snapshots are purged automatically.
• Audit logs (Team tier): retained for 1 year.
• Billing records: retained for 7 years to meet tax and accounting requirements.

When you delete your account, we permanently delete the encrypted blobs and revoke all API keys. Because the master key never lived on our servers, the deletion is irreversible from both ends.

Summary of the security controls already mentioned above:

• End-to-end encryption: AES-256-GCM with 12-byte IV.
• Key derivation: PBKDF2-SHA-256, 100,000 iterations, 32-byte salt.
• Password storage: bcrypt (cost 10).
• API tokens: SHA-256 hashed at rest, never displayed after creation.
• Transport: TLS 1.3.
• Hosting: Cloudflare Workers, D1, R2 in the United States.

No system is perfectly secure; we cannot guarantee absolute security but apply industry-standard controls and a zero-knowledge design.

You can:

• Access or export your account metadata via the dashboard.
• Delete your account from settings — this purges encrypted blobs and revokes all API keys.
• Object to or restrict certain processing if you are in the EEA or UK.

For privacy requests email privacy@configsync.dev and we'll respond within 30 days.

ConfigSync is not directed to children under 16 and we do not knowingly collect personal information from them.

We may update this policy from time to time. The “last updated” date at the top reflects the most recent revision. For privacy questions, contact privacy@configsync.dev.

Inventive HQ, Inc., 2305 Historic Decatur Rd, Suite 100, San Diego, CA 92106.