ezS3.net Back to home

Legal

Privacy Policy

Last updated: January 2025

1. Introduction

Gone Coding Ltd ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use ezS3 (the "Service"). Please read this policy carefully. If you do not agree with the terms of this policy, please do not access the Service.

ezS3 is a role-based access management platform for S3-compatible object storage. We act as an interface between your team and your S3 buckets, managing authentication, permissions, and audit logs.

2. Information We Collect

2.1 Personal Information You Provide to Us

We collect information that you voluntarily provide to us when you register for an account, use the Service, or communicate with us. This may include:

  • Email Address: Used for authentication via passwordless magic links and Google OAuth
  • Account Information: Name, organization details, and profile information you choose to provide
  • S3 Credentials: Access keys, secret keys, bucket names, and region information required to connect to your S3-compatible storage
  • Communication Data: Messages, support requests, and feedback you send to us
  • Payment Information: Payment card details processed securely through third-party payment processors (we do not store complete card numbers)

2.2 Information Automatically Collected

When you access and use the Service, we automatically collect certain information, including:

  • Log Data: IP address, browser type, operating system, referring/exit pages, and timestamps
  • Device Information: Device type, unique device identifiers, browser type, and mobile network information
  • Usage Data: Features used, actions taken, frequency of use, and performance metrics
  • Authentication Data: Login timestamps, authentication methods used, and security events

2.3 Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities and device usage. See Section 8 for more details.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Provision: To provide, maintain, and improve the Service, including processing authentication requests and managing S3 access
  • Security: To detect, prevent, and address technical issues, security incidents, and fraudulent or illegal activity
  • Authentication: To verify your identity and provide secure access to your account
  • Audit Logging: To maintain comprehensive logs of S3 access, file operations, and permission changes for security and compliance purposes
  • Communication: To send you technical notices, updates, security alerts, and support messages
  • Customer Support: To respond to your inquiries, requests, and provide customer service
  • Analytics: To analyze usage patterns and improve the functionality, performance, and user experience of the Service
  • Legal Compliance: To comply with legal obligations, enforce our terms, and protect our rights and interests
  • Business Operations: To conduct business operations, including billing, account management, and fraud prevention

Legal Basis for Processing (GDPR): Our legal basis for collecting and using the personal information described in this Privacy Policy depends on the personal information we collect and the specific context in which we collect it. However, our legal bases generally include: (a) contract performance; (b) legitimate interests; (c) legal obligations; and (d) consent where applicable.

4. Data Storage and Security

4.1 Storage of S3 Credentials

Your S3 access keys and secret keys are stored securely using industry-standard AES-256-GCM encryption at rest. Each credential set is encrypted with a unique initialization vector (IV) to ensure security. Credentials are never stored in plaintext and are only decrypted in memory when needed to generate presigned URLs for S3 operations.

4.2 Data We Do Not Store

Important: ezS3 does not store your actual S3 data files. All file uploads, downloads, and deletions happen directly between your browser and your S3-compatible storage provider via presigned URLs. Your data never flows through our servers.

We only store metadata necessary to manage access, including:

  • File names and paths
  • File sizes and timestamps
  • Access permissions and role assignments
  • Audit logs of S3 operations

4.3 Security Measures

We implement appropriate technical and organizational security measures designed to protect the security of any personal information we process. These include:

  • Encryption: TLS/SSL encryption for data in transit; AES-256 encryption for data at rest
  • Access Controls: Role-based access control, multi-factor authentication support, and principle of least privilege
  • Monitoring: 24/7 system monitoring, intrusion detection, and regular security audits
  • Testing: Regular penetration testing and vulnerability assessments
  • Training: Security awareness training for all employees with data access

However, no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

4.4 Hosting and Infrastructure

Our application is hosted on Cloudflare's global network. Cloudflare provides secure hosting, DDoS protection, and content delivery services. Data processed by our application may be stored and processed in Cloudflare's data centers located in various regions worldwide.

5. Data Retention

We retain your personal information for different periods depending on the purpose:

  • Account Information: Retained while your account is active and for a reasonable period after account closure
  • Audit Logs: Retained for 14 days in Simple mode; extended retention available for enterprise customers
  • Authentication Data: Retained for security monitoring and fraud prevention purposes
  • Payment Records: Retained as required by applicable tax and accounting laws (typically 7 years)
  • S3 Credentials: Retained until you delete or update them

Upon your request, we will delete or anonymize your personal information, subject to certain exceptions including legal obligations, fraud prevention, and legitimate business interests. See Section 7 for details on your rights.

6. Third-Party Services and Integrations

6.1 S3-Compatible Storage Providers

Our Service integrates with S3-compatible storage providers including AWS S3, Cloudflare R2, Wasabi, DigitalOcean Spaces, MinIO, and others. Your data is stored according to your storage provider's policies. We encourage you to review their privacy policies.

6.2 Authentication Providers

We use third-party authentication services:

  • Google OAuth: When you sign in with Google, we receive your email address and basic profile information from Google
  • Email Authentication: Passwordless magic links are delivered through Postmark

These third parties may collect data about your use of their services according to their own privacy policies.

6.3 Analytics and Monitoring

We use third-party analytics services to help us understand how users interact with the Service:

  • Ahrefs Analytics: Used for website analytics and performance monitoring by Ahrefs

6.4 Payment Processing

We use Stripe to handle billing and payments. We do not store your complete payment card details. All payment data is processed in compliance with PCI DSS standards.

6.5 No Data Sale

We do not sell, rent, or trade your personal information to third parties for their promotional purposes. We may share your information only as described in this policy.

7. Your Privacy Rights

7.1 General Rights

Depending on your location, you may have certain rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal and legitimate business exceptions)
  • Restriction: Request that we limit how we use your information
  • Objection: Object to our processing of your information
  • Portability: Request transfer of your data to another service provider
  • Withdraw Consent: Withdraw consent at any time where we rely on consent for processing

7.2 CCPA/CPRA Rights (California Residents)

If you are a resident of California, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Information about the categories of personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information (subject to exceptions)
  • Right to Opt-Out: Opt-out of the "sale" of your personal information (note: we do not sell personal information)
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

7.3 GDPR Rights (EU/UK Residents)

If you are located in the European Union or United Kingdom, you have enhanced rights under the GDPR and UK GDPR, including the rights listed in Section 7.1. You also have the right to lodge a complaint with a supervisory authority.

7.4 How to Exercise Your Rights

To exercise any of these rights, please contact us using the information provided in Section 13. We will respond to your request within 30 days (or as required by applicable law).

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

We use both session cookies (which expire when you close your browser) and persistent cookies (which remain until deleted or expired). Types include:

  • Essential Cookies: Required for the Service to function, including authentication and security
  • Analytics Cookies: Help us understand how users interact with the Service
  • Preference Cookies: Remember your settings and preferences (e.g., theme, language)
  • Functionality Cookies: Enable enhanced functionality and personalization

8.2 Browser Controls

Most web browsers allow you to control cookies through their settings. However, disabling cookies will prevent authentication and affect the functionality of the Service.

8.3 Do Not Track

We do not currently respond to "Do Not Track" browser signals. However, you can opt out of analytics tracking through browser extensions or by contacting us.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from those of your jurisdiction.

When we transfer your information internationally, we ensure appropriate safeguards are in place to protect your privacy, including standard contractual clauses or other legally recognized mechanisms approved by relevant authorities.

Important for EU/UK Users: If you are in the EU or UK, your information may be transferred to countries that the European Commission or UK authorities have not recognized as providing adequate data protection. We take appropriate steps to ensure your personal information remains protected in accordance with this Privacy Policy.

10. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete such information.

If we learn that we have collected personal information from a child under 16 without parental consent, we will take steps to remove that information from our servers.

11. Data Breach Notification

In the event of a security breach involving your personal information, we will notify you in accordance with applicable law. Notification may include email, conspicuous notice on our website, or other forms of communication. For EU/UK residents, we will notify you without undue delay where the breach poses a risk to your rights and freedoms.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a revised "Last updated" date and the new version will be effective as soon as it is accessible.

Material Changes: If we make material changes to this policy, we will notify you by email (if you have provided an email address) or by placing a prominent notice on our website before the changes become effective.

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Gone Coding Ltd
Unit 1603, 16th Floor, The L. Plaza
367 - 375 Queen's Road Central
Sheung Wan, Hong Kong

Data Protection Officer (EU/UK): For GDPR-related inquiries, you may also contact our Data Protection Officer at the email address above.

We will respond to your inquiry within 30 days of receipt (or as required by applicable law).

14. Additional Disclosures

14.1 Nevada Residents

Nevada residents may submit a request confirming that they opt-out of the sale of their personal information. Note that we do not sell personal information, so this would not apply to our practices.

14.2 Virginia Residents

Virginia residents may have additional rights under the Virginia Consumer Data Protection Act. We provide the rights described in Section 7.1 to Virginia residents.

14.3 Other US State Laws

Various US states have enacted data protection laws. We comply with applicable state data protection laws and provide the rights described in this Privacy Policy as required.