Last updated: June 13, 2026

Privacy Policy

Privacy is not an afterthought — it is the foundation of everything we build.

1. Our Philosophy

Bunorden exists because we believe you deserve software that respects you. Every application we build operates on a simple principle: your data belongs to you, and only you. We never see your plaintext data. We never will. This is not a marketing claim — it is a cryptographic guarantee.

We do not monetize your data. We do not track your behavior. We do not run analytics in our applications. We do not serve advertisements. We build privacy-first tools because that is the kind of software we want to use ourselves.

2. End-to-End Encryption

All Bunorden applications use end-to-end encryption (E2EE). This means your data is encrypted on your device before it ever leaves your machine. The encryption happens locally using industry-standard cryptographic primitives:

  • AES-256-GCM — Authenticated encryption for all data at rest. Each encryption operation uses a unique 96-bit random initialization vector.
  • PBKDF2 — Key derivation with 600,000 iterations and a cryptographically random 128-bit salt, in line with OWASP 2024 recommendations.
  • X25519 — Elliptic-curve Diffie-Hellman for secure key exchange when sharing data with other users.

Your encryption key is derived from your password using PBKDF2. We never receive, store, or transmit your password or your derived encryption key. The encryption and decryption happen entirely on your device.

3. Data We Collect

We collect the minimum data required for our services to function:

3.1 Account Data

  • Email address — Used solely for authentication and account recovery. Stored in hashed form where possible.
  • Authentication tokens — Session tokens managed by Supabase Auth. These are standard JWT-based tokens.

3.2 Encrypted Application Data

All application data (notes, financial transactions, water intake logs, DSE past paper annotations, password vault entries) is encrypted on your device before transmission. We store only encrypted ciphertext. We cannot decrypt this data under any circumstance.

3.3 Data We Do NOT Collect

  • Analytics or telemetry of any kind
  • IP addresses (not logged at the application layer)
  • Device fingerprints
  • Location data
  • Cookies beyond those strictly necessary for authentication
  • Any behavioral or usage data

4. Data Storage & Retention

Encrypted application data is stored on Supabase infrastructure. All data is encrypted with AES-256-GCM before transmission. Our servers store only opaque encrypted blobs.

You can delete your data at any time through the application interface. When you delete data, the corresponding encrypted blobs are removed from our servers. Account deletion removes all associated data permanently.

We reserve the right to delete accounts that have been inactive for more than 24 consecutive months. We will attempt to notify you at your registered email address before doing so.

5. Third-Party Services

We use the following third-party infrastructure services. None of them receive your plaintext data:

  • Supabase — Provides authentication, database, and storage infrastructure. Supabase stores your encrypted data blobs and manages authentication sessions. Supabase never receives your encryption keys or plaintext data.
  • Cloudflare — Provides DNS, CDN, and Turnstile captcha for bot protection on our authentication pages. Cloudflare may process your IP address as part of standard HTTP request handling.
  • Vercel — Hosts our application frontends. Vercel serves static assets and server-rendered pages.

6. Your Rights

You have the right to:

  • Access your data at any time through our applications.
  • Export your data in a portable format (where supported by the application).
  • Delete your data and your account permanently.
  • Be informed about how your data is handled — which is what this document is for.

Because your data is end-to-end encrypted with keys only you hold, we are technically unable to provide your plaintext data to any third party, including law enforcement. We cannot produce what we do not possess.

7. Children's Privacy

Bunorden services are not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

8. Changes to This Policy

We will update this policy as our services evolve. When we make material changes, we will notify you via email and update the "Last updated" date at the top of this page. Continued use of Bunorden services after changes take effect constitutes acceptance of the updated policy.

9. Contact Us

If you have questions about this privacy policy or our data practices, please reach out:

📧 privacy@bunorden.com

We take privacy seriously. We will respond to all inquiries within 72 hours.