Privacy Policy

Last updated: 1 March 2026 — Questions? Get in touch.

Overview

PastePort is built by Stori Innovations ("we", "us", "our"). This policy describes what personal data we collect when you use PastePort, how we use it, and what control you have over it.

The short version: we collect the minimum we need to run the service, we cannot read your content because it's end-to-end encrypted, and we don't sell your data or show you ads.

End-to-end encryption means we can't read your content. Everything you send through PastePort — links, text, images, files — is encrypted on your device before it reaches our servers, using a key that only your devices hold. We store ciphertext and cannot decrypt it.

What we collect

Account information

When you create an account we collect:

  • Your email address (used for authentication and transactional emails like account deletion confirmation)
  • A hashed password if you use email/password sign-in, or your Google account ID if you sign in with Google

Device records

Each device you pair with PastePort gets a record in your account that includes:

  • A display name (e.g. "My Pixel 8") — you set this yourself and can change it anytime
  • The device type (Android, Chrome extension, CLI)
  • A timestamp for when the device was registered and when it was last active
  • A Firebase Cloud Messaging (FCM) token for push notifications

Encrypted message envelopes

When you send content, we store a message document in Firestore that contains:

  • An encrypted payload (ciphertext — we cannot read this)
  • Metadata: sender device ID, timestamp, expiry time, content type indicator, and delivery status per device

The content type indicator (e.g. "url", "text", "image") is stored in plaintext in the message envelope. Everything else — the actual URL, text, image or file — is encrypted.

Usage and diagnostics

We may collect aggregate, anonymised metrics to understand how the service is being used — for example, the number of messages sent per day or total active devices. These metrics do not identify you individually.

If the app crashes, crash reports may be sent to Firebase Crashlytics. These reports contain stack traces and device information (OS version, device model) but not the content of any message.

Log data

Our servers record standard access logs: your IP address, request timestamps, and HTTP status codes. These logs are used for security monitoring and are retained for up to 90 days.

What we don't collect

  • The content of anything you share — links, text, images or files — because it is encrypted before it leaves your device
  • Your contacts, call log, or any data from other apps
  • Your precise location
  • Advertising identifiers

We don't run ads. We don't build advertising profiles. Your data is not shared with third-party advertisers.

How we use your data

We use the data we collect to:

  • Operate the PastePort service — routing encrypted messages between your devices, managing authentication, and enforcing plan limits
  • Send transactional emails — account confirmation, pairing link emails, and deletion confirmation. We don't send marketing emails unless you've separately opted in.
  • Diagnose problems and improve reliability using crash reports and aggregate usage metrics
  • Prevent abuse and enforce our Terms of Service
  • Comply with legal obligations

Sharing your data

We do not sell, rent or trade your personal data. We share limited data only in these circumstances:

Service providers

PastePort is built on Google Firebase (Firebase Authentication, Cloud Firestore, Cloud Functions, Firebase Cloud Messaging, Firebase Hosting). Google processes data on our behalf under a data processing agreement. See Firebase's privacy information.

Legal requirements

We may disclose your data if required to do so by law, court order, or a valid legal process. We will notify you of any such request where we are legally permitted to do so.

Business transfers

If Stori Innovations is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you and you'll have the option to delete your account before any transfer takes effect.

Data retention

We retain your account information for as long as your account is active. You can delete your account at any time from within the Android app or Chrome extension settings — this permanently deletes your account record, all device records, and all messages from our servers. You'll receive a confirmation email when deletion is complete.

Messages are automatically purged from Firestore after they expire:

  • Free plan: 7 days from the time they were sent
  • Pro plan: 30 days from the time they were sent

You can also manually purge all of your messages at any time from your account settings — this deletes them immediately, ahead of the scheduled expiry.

Server access logs are retained for up to 90 days and then deleted automatically.

Security

Security is central to PastePort's design rather than bolted on. Key measures:

  • End-to-end encryption. All content payloads are encrypted with AES-256-GCM using an account-level symmetric key (ASK). The ASK is generated on your devices, exchanged between them via an ECDH (X25519) key exchange during pairing, and never sent to or stored on our servers.
  • TLS in transit. All communication between your devices and our servers uses TLS.
  • Authentication. Accounts are authenticated via Firebase Auth. Admin access to our internal systems requires multi-factor authentication.
  • Access controls. Firestore security rules ensure that a device can only read messages belonging to its own account.

No security system is perfect. If you discover a vulnerability, please contact us at security@pasteport.app.

Your rights

Depending on where you live, you may have the following rights regarding your personal data:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Ask us to correct inaccurate data (e.g. your email address).
  • Deletion. Delete your account and all associated data at any time via the app, or by contacting us. Message content is encrypted and only meaningful to you — deleting your account also makes any remaining ciphertext permanently unreadable.
  • Portability. Export your message history as a ZIP archive from within any PastePort client before deleting your account.
  • Objection / restriction. Object to or restrict certain processing where applicable under local law.

To exercise any of these rights, email us at privacy@pasteport.app. We'll respond within 30 days.

If you're in the EU or UK, you have the right to lodge a complaint with your local data protection authority.

Children

PastePort is not intended for use by children under 13, or under 16 in the EU. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us at privacy@pasteport.app and we will delete it promptly.

Changes to this policy

If we make material changes to this policy, we'll notify you by email or with a notice in the app before the changes take effect. The date at the top of this page always reflects when it was last updated.

Contact

Questions about this policy? Reach us at privacy@pasteport.app or through our contact page.

Stori Innovations
privacy@pasteport.app