Privacy Policy — Hoodik Cloud

Effective: 27 June 2026. Separate from the Hoodik App privacy policy at hoodik.io.

1. Who we are

Hudik d.o.o., Kapelska 6, 31000 Osijek, Croatia (VAT HR15878994254), operates Hoodik Cloud.

2. The core principle — we cannot read your files

Hoodik Cloud is end-to-end encrypted. Your files, file names, and thumbnails are encrypted on your device before upload; your keys are derived from your passphrase on your device and never sent to us. We never have access to the plaintext of your stored content. We process only encrypted data on your behalf and the limited account / operational data below.

3. What we process

  • Account data: your email address, region choice, plan / subscription status. (Controller.)
  • Billing data: handled by our payment partner / Merchant of Record (name, payment details, billing country, VAT) — we receive payout reports, not your card details.
  • Operational data: access logs (IP address, timestamps, request metadata) for security and abuse prevention; instance metadata (region, storage used). IPs are minimized and retained short-term.
  • Your stored files: held only as ciphertext — encrypted file content + metadata we cannot read. (We act as a processor; you control this data.)

4. Sub-processors

We use:

Sub-processor          | Purpose                                    | Region
Hetzner (DE/FI/US)     | Compute                                    | EU or US (your choice)
Cloudflare             | Encrypted object storage (R2) + DNS / edge | EU or US (your choice)
Paddle / Lemon Squeezy | Payment processing (Merchant of Record)    | EU/UK/US
Scaleway (TEM)         | Transactional email                        | EU (France)

All file data held by storage sub-processors is ciphertext — they cannot read it either. Because Hoodik Cloud is end-to-end encrypted, data at rest is ciphertext regardless of provider, so the region you choose is about where your data lives, not about what anyone can read.

5. Lawful basis (GDPR)

Performance of contract (providing the service), legitimate interest (security / abuse prevention), and legal obligation (tax / accounting). You are the controller of the files you store; for that content we act as processor and offer a Data Processing Agreement on request.

6. Retention

Account + stored data are retained while your subscription is active and for a grace period after cancellation, then permanently deleted. Access logs are retained short-term. Backups follow their retention schedule.

7. Your rights

Access, rectification, erasure, restriction, portability (your one-click encrypted export), and objection. To exercise them or for a DPA, contact us. You may lodge a complaint with the Croatian DPA (AZOP).

8. International transfers

EU-region customer data stays in the EU. US-region data stays in the US, by your choice at signup.

9. Analytics

We use our own self-hosted, cookieless analytics to understand aggregate traffic on this site. It sets no cookies, does not track you across other sites, and does not collect personal data.

10. Contact

hello@hudik.eu · Hudik d.o.o., Kapelska 6, 31000 Osijek, Croatia.