Privacy Policy

1. Introduction

SecretCarousel is a secrets management platform operated by Tyga.Cloud Ltd ("we", "us", "our"). We provide encrypted secret storage, API key management, secret sharing, rotation scheduling, and audit logging services to development teams and organisations worldwide.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the SecretCarousel platform, including our web application, dashboard, APIs, SDKs, and related services (collectively, the "Service").

By using SecretCarousel, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this privacy policy, please do not access or use the Service.

Security First: SecretCarousel is designed with a zero-knowledge architecture for secret values. We encrypt your secrets at rest using AES-256-GCM encryption, and our systems are designed so that secret values are never stored in plaintext.

2. Information We Collect

2.1 Account Information

When you create a SecretCarousel account, we collect:

Full name and email address
Organisation or company name (if provided)
Password (stored as a bcrypt hash; we never store plaintext passwords)
Account preferences and configuration settings

2.2 Secret Data

When you store secrets through our platform, we process and store:

Secret metadata: key names, descriptions, environment labels, tags, version history timestamps, and rotation schedules
Encrypted secret values: all secret values are encrypted using AES-256-GCM before being persisted. We do not have access to your plaintext secret values.
Secret sharing records: recipient information, expiration times, access limits, and one-time link tokens

2.3 API Keys

When you generate API keys to access the SecretCarousel service, we collect and store:

API key prefix (for identification purposes)
Hashed API key value (using bcrypt; the full key is shown only once at creation)
Key name, description, assigned scopes and permissions
Creation date, last-used timestamp, and expiration date

2.4 Audit Logs

SecretCarousel automatically records audit log entries to help you monitor access and maintain compliance. Audit logs include:

Action performed (e.g. secret.create, secret.read, secret.update, secret.delete, apikey.create, share.create, backup.create)
Actor type and identity (user, service, application, or system)
Resource type and identifier
IP address and user-agent string of the requesting client
Timestamp of the action

2.5 Usage & Technical Data

We automatically collect certain technical information when you interact with the Service:

IP address, browser type, and operating system
Pages visited, features used, and time spent on the platform
API request patterns, response times, and error rates
Device identifiers and session information
Referral source and landing page data

2.6 Backup Data

When you create backups of your secrets vault, we store:

Encrypted backup files containing your secret data
Backup metadata: creation date, size, format, and retention tags
Backup download and restore history

Data Category	Examples	Retention
Account Data	Name, email, hashed password	Duration of account
Secret Data	Encrypted values, metadata, versions	Until deleted by user
API Keys	Hashed keys, scopes, usage logs	Until revoked or expired
Audit Logs	Actions, IP addresses, timestamps	90 days (configurable)
Usage Data	API patterns, session info, analytics	12 months
Backup Data	Encrypted vault backups, metadata	Per backup retention policy

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing the Service

Storing, encrypting, and retrieving your secrets securely
Authenticating API requests and managing access control
Facilitating secret sharing with time-limited, access-controlled links
Executing automatic secret rotation schedules
Creating and managing encrypted backups of your vault
Generating audit trails for compliance and monitoring

3.2 Improving the Service

Analysing usage patterns to improve platform performance and reliability
Identifying and resolving bugs, errors, and security vulnerabilities
Developing new features based on aggregated usage data
Monitoring system health and capacity planning

3.3 Communication

Sending account-related notifications (e.g. secret rotation alerts, API key expiration warnings)
Responding to your support requests and enquiries
Providing security advisories and service updates
Sending product announcements (with your consent, where required by law)

3.4 Security & Compliance

Detecting and preventing fraud, abuse, and unauthorised access
Enforcing our Terms of Service and acceptable use policies
Complying with legal obligations and responding to lawful requests

4. Encryption & Security

Security is at the core of everything we do. SecretCarousel employs multiple layers of protection to safeguard your data:

4.1 Encryption at Rest

All secret values are encrypted using AES-256-GCM before being written to the database
Encryption keys are derived and managed through a secure key management process
Backups are encrypted using the same AES-256-GCM standard

4.2 Encryption in Transit

All communications with SecretCarousel are encrypted via TLS 1.2+
API endpoints enforce HTTPS-only connections
We use HTTP Strict Transport Security (HSTS) headers

4.3 Authentication & Access Control

API keys are hashed using bcrypt with an appropriate cost factor before storage
Passwords are hashed using bcrypt and are never stored in plaintext
Role-based access control with granular permission scopes
Tenant isolation ensures data is separated between organisations

4.4 Infrastructure Security

Regular security assessments and dependency audits
Automated vulnerability scanning of application dependencies
Rate limiting and abuse detection on all API endpoints
Comprehensive audit logging of all system operations

Zero-Knowledge Design: SecretCarousel is architected so that your secret values are encrypted before storage. Our team cannot access the plaintext values of your secrets, even if compelled to do so.

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information or secret data. We may share information only in the following circumstances:

5.1 Service Providers

We may share limited information with trusted third-party service providers who assist us in operating the platform, such as:

Cloud infrastructure providers (for hosting and data storage)
Analytics services (aggregated, non-identifying usage data only)
Email delivery services (for transactional notifications)
Payment processors (for billing; we do not store full payment card details)

All service providers are contractually obligated to protect your data and may only use it for the purposes we specify.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities, including:

To comply with a legal obligation, subpoena, or court order
To protect and defend our rights or property
To prevent or investigate possible wrongdoing in connection with the Service
To protect the safety of users or the public

Important: Due to our encryption architecture, even if compelled by law to produce data, we can only provide encrypted secret values. We cannot provide plaintext secret values as we do not hold the means to decrypt them outside the encryption service context.

5.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

5.4 With Your Consent

We may share your information for any other purpose with your explicit consent.

6. Data Retention

We retain your data for as long as necessary to provide the Service and fulfil the purposes described in this policy:

Account data: retained for the duration of your account and for a reasonable period after account deletion to comply with legal obligations
Secret data: retained until you explicitly delete it, or until your account is terminated
API keys: retained until revoked, expired, or your account is terminated
Audit logs: retained for 90 days by default, configurable based on your plan tier
Shared secrets: automatically purged after expiration or when access limits are reached
Backups: retained according to your configured backup retention policy
Usage data: retained for up to 12 months in aggregate form

When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes.

7. Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you
Rectification: Request correction of inaccurate or incomplete data
Erasure: Request deletion of your personal data ("right to be forgotten")
Portability: Request a machine-readable export of your data
Restriction: Request that we limit the processing of your data
Objection: Object to the processing of your data for specific purposes
Withdrawal of consent: Where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, please contact us at privacy@secretcarousel.com. We will respond to your request within 30 days.

Account Controls

Through the SecretCarousel dashboard, you can:

View and update your account information
Delete individual secrets, API keys, or shares
Download your audit logs
Export your secrets in encrypted backup format
Delete your account entirely

8. GDPR Compliance

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) applies to our processing of your personal data. SecretCarousel, operated by Tyga.Cloud Ltd, is the data controller.

Legal Bases for Processing

We process your personal data on the following legal bases:

Contract Performance (Art. 6(1)(b)): Processing necessary to provide the SecretCarousel service you have subscribed to
Legitimate Interests (Art. 6(1)(f)): Processing for security monitoring, fraud prevention, service improvement, and analytics, balanced against your rights
Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws and regulations
Consent (Art. 6(1)(a)): For optional marketing communications and non-essential analytics

Data Protection Officer

If you have questions about GDPR compliance or wish to exercise your rights under the GDPR, you may contact our Data Protection Officer at:

dpo@tyga.cloud

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority in the EEA member state of your habitual residence, place of work, or place of the alleged infringement if you believe that our processing of your personal data violates the GDPR.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.

Your California Rights

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
Right to Correct: You have the right to request correction of inaccurate personal information
Right to Opt-Out: You have the right to opt out of the "sale" or "sharing" of personal information. SecretCarousel does not sell or share personal information for cross-context behavioural advertising
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

Identifiers (name, email address, IP address)
Internet or network activity information (API usage patterns, browsing history within the platform)
Professional or employment-related information (organisation name, role)
Inferences drawn from the above (usage analytics, feature preferences)

To exercise your CCPA rights, contact us at privacy@secretcarousel.com or call us at the number provided in the Contact section.

10. International Data Transfers

SecretCarousel is operated by Tyga.Cloud Ltd, which is based in the United Kingdom. Your data may be transferred to and processed in countries outside your country of residence, which may have different data protection laws.

Where we transfer personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards such as:

Standard Contractual Clauses (SCCs): EU-approved contractual terms that provide appropriate data protection guarantees
UK International Data Transfer Agreement (IDTA): For transfers from the UK
Adequacy decisions: Where the European Commission or UK Secretary of State has determined a country provides adequate protection

You may request a copy of the safeguards we use for international transfers by contacting dpo@tyga.cloud.

11. Children's Privacy

SecretCarousel is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If you are a parent or guardian and you become aware that your child has provided us with personal data, please contact us at privacy@secretcarousel.com.

If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers promptly.

12. Third-Party Services

SecretCarousel may integrate with or contain links to third-party services. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you connect to SecretCarousel.

Third-party integrations you may configure include:

CI/CD platforms (e.g. GitHub Actions, GitLab CI, Jenkins) for secret injection
Cloud providers (e.g. AWS, GCP, Azure) for secret synchronisation
Notification services (e.g. Slack, webhooks) for alert delivery
Identity providers for single sign-on (SSO) authentication

When you enable a third-party integration, you may authorise SecretCarousel to share specific data with that service. You can manage and revoke these integrations at any time through your dashboard settings.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

Update the "Effective" date at the top of this page
Notify you via email or through a prominent notice on the platform
Where required by law, obtain your consent before applying material changes

We encourage you to review this Privacy Policy periodically. Your continued use of SecretCarousel after the effective date of a revised policy constitutes your acceptance of the changes.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

SecretCarousel, a division of Tyga.Cloud Ltd

Privacy enquiries: privacy@secretcarousel.com
Data Protection Officer: dpo@tyga.cloud
Tyga.Cloud Ltd (Company No: 14643275), Ground Floor, Unit 2 Mallard Court, Mallard Way, Crewe Business Park, Crewe, Cheshire, England, CW1 6ZQ

We aim to respond to all privacy-related enquiries within 30 days.

Table of Contents