Privacy Policy

FortressDrive ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our Personal Operating System platform (the "Platform").

FortressDrive is built on a zero-knowledge architecture. This means your data is encrypted before it reaches our servers, and we cannot read, access, or process your content in any form. Privacy is our foundation — not an afterthought.

This Privacy Policy should be read together with our Terms & Conditions. By using the Platform, you consent to the practices described in this policy.

Unlike most platforms, FortressDrive operates on a strict zero-knowledge principle. Here is what this means for your data:

Data protected by encryption:

• Your files stored in My Drive — AES-256 encrypted before upload to Cloudflare R2.

• Your passwords and credentials in the Password Vault — AES-256-GCM encrypted at rest.

• Your crypto wallet private keys — AES-256 encrypted and never exposed in plaintext.

Data protected by server-side security:

• Your notes, documents, and journal entries — stored behind multi-layer authentication and module security gates.

• Your goals, projects, and personal database content — access-gated with per-module PIN protection.

• Your financial data in the Finance Tracker — protected behind authentication and security gates.

• Your business reports and analytics — gated behind multi-layer authentication.

AI Assistant conversations:

• Conversations are processed through OpenAI's API to generate responses. They are transmitted securely and are not used for model training. Conversations are stored in your account and protected by your authentication layers.

Our security architecture combines AES-256-GCM encryption for critical assets with multi-layer authentication, per-module security gates, and comprehensive audit logging across all modules.

While we cannot access your encrypted content, we do collect minimal information necessary to operate the Platform:

Account Information:

• Email address — Used for account creation, authentication, and critical security notifications.

• Hashed password — Your password is hashed using industry-standard algorithms. We never store your plaintext password.

• TOTP authenticator data — We store your 2FA enrollment status and TOTP configuration data required for authentication verification.

Security & Authentication Data:

• Login timestamps — When you log in, we record the time for audit trail purposes.

• IP addresses — Logged during authentication events for security monitoring and brute-force protection.

• Device identifiers — Used for device verification as part of three-factor authentication.

• Failed login attempts — Tracked to enforce brute-force protection and account lockout policies.

• Security event logs — Password changes, 2FA toggles, and module gate changes are logged for your audit trail.

Subscription & Payment Data:

• Subscription tier and status.

• Cryptocurrency wallet addresses used for payment (public blockchain data).

• Payment confirmation timestamps and transaction hashes.

We do NOT collect: browsing history, cookies for advertising, personal demographics, location data, contact lists, or any data from your device beyond what is explicitly listed above.

The minimal information we collect is used exclusively for:

• Account authentication — Verifying your identity through our 3FA system.

• Security protection — Detecting and preventing brute-force attacks, unauthorized access, and suspicious activity.

• Audit trail — Providing you with a transparent log of all security events on your account.

• Service operation — Managing your subscription, processing payments, and enforcing storage limits.

• Critical notifications — Sending security alerts for login attempts from new devices or suspicious activity.

• Platform improvement — Aggregated, anonymized usage statistics (such as total user count) to improve service reliability. No individual user data is analyzed.

We do NOT use your information for: advertising, profiling, selling to third parties, training AI models, marketing campaigns, or any purpose beyond operating and securing the Platform.

FortressDrive does not sell, rent, trade, or share your personal information with third parties for their own purposes. Period.

Limited third-party services we use:

• Cloudflare R2 — For encrypted file storage (My Drive). Cloudflare stores only encrypted, unreadable data. They cannot decrypt your files.

• OpenAI API — For the AI Assistant module. Your conversations are sent through OpenAI's API for processing. OpenAI's data usage policies apply to API calls. We use API endpoints that do not retain or train on your data. Conversations are not stored by OpenAI beyond the processing window.

• Blockchain Networks — Crypto wallet transactions are broadcast to public blockchain networks (Ethereum, Solana, Tron, Bitcoin). Blockchain transactions are public and immutable by nature.

• SMTP Email Service — For sending security notifications and password reset emails. Only your email address and the notification content are transmitted.

Law Enforcement: Due to our zero-knowledge architecture, we are technically unable to provide your encrypted content to law enforcement or any other party. We can only provide the limited account information listed in Section 3 if legally required by a valid court order.

We implement comprehensive security measures to protect your data:

Encryption:

• AES-256-GCM encryption for all stored data (notes, files, passwords, wallet keys, financial data).

• Encryption keys are derived locally from your credentials and are never transmitted to or stored on our servers.

• Critical assets (files, credentials, wallet keys) are encrypted before storage.

Authentication:

• Three-factor authentication (3FA): password + TOTP authenticator + device verification.

• Per-module security gates with separate PIN codes.

• Password strength enforcement: minimum 12 characters with complexity requirements.

• Automatic account lockout after repeated failed login attempts.

Infrastructure Security:

• HSTS (HTTP Strict Transport Security) enforced.

• X-Frame-Options DENY to prevent clickjacking.

• Strict referrer policies and permissions controls.

• Content Security Policy headers to prevent XSS attacks.

• Inactivity auto-lock after 5 minutes.

• Full audit trail with timestamps and IP addresses for all security events.

Brute-Force Protection:

• Intelligent rate limiting on all authentication endpoints.

• Progressive delays after failed attempts.

• Automatic account lockout with email notification.

Active accounts: Your encrypted data is stored for as long as your account is active. We do not impose data expiration on active accounts.

Account deletion: When you delete your account, all your data is permanently and irreversibly removed from our servers within 30 days. This includes:

• All encrypted notes, files, and documents.

• All wallet data and encrypted keys.

• All vault credentials.

• All journal entries, goals, and reports.

• All financial tracking data.

• Your account information and audit logs.

This deletion is irreversible. Due to our zero-knowledge architecture, we cannot recover deleted data under any circumstances.

Security logs: Authentication and security event logs are retained for 90 days after account deletion for fraud prevention and security purposes, then permanently deleted.

Inactive accounts: Accounts that have been inactive for 24 consecutive months may be flagged for deletion. We will send email notifications before taking any action.

FortressDrive uses only essential cookies required for the Platform to function:

• Session cookie — Maintains your authenticated session. Expires when you close your browser or after inactivity timeout (5 minutes).

• Authentication token — Securely identifies your logged-in session. Encrypted and httpOnly.

We do NOT use:

• Advertising cookies or tracking pixels.

• Analytics cookies (Google Analytics, Mixpanel, etc.).

• Social media tracking scripts.

• Cross-site tracking of any kind.

• Fingerprinting technologies.

No third-party scripts are loaded on the Platform that could track your activity.

You have the following rights regarding your data:

• Right to Access — You can view all your data at any time through the Platform. Due to zero-knowledge encryption, only you can access it.

• Right to Export — You can export your data at any time. No vendor lock-in.

• Right to Delete — You can delete your account and all associated data at any time.

• Right to Correct — You can modify your account information at any time.

• Right to Restrict Processing — Since we don't process your encrypted data, this right is inherently satisfied.

• Right to Data Portability — Your data can be exported in standard formats.

• Right to Object — You can object to any processing of your non-encrypted account data by contacting us.

For users in the European Economic Area (EEA), these rights are provided in accordance with the General Data Protection Regulation (GDPR). For California residents, these rights align with the California Consumer Privacy Act (CCPA).

To exercise any of these rights, you can use the Platform's built-in tools or contact us through our support channels.

FortressDrive is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If we become aware that a child under 18 has created an account, we will take steps to terminate the account and delete associated data promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

FortressDrive's servers and infrastructure may be located in various jurisdictions. By using the Platform, you consent to the transfer of your encrypted data to servers that may be outside your country of residence.

Because all user data is encrypted with AES-256-GCM before leaving your device, the physical location of our servers does not affect the privacy or security of your data. Even in jurisdictions with different data protection laws, your data remains unreadable to anyone without your encryption keys.

For EEA users, we ensure that any data transfers comply with GDPR requirements through the inherent protection of our zero-knowledge encryption.

When using the Crypto Wallet module, please be aware:

• Blockchain transactions are public — All cryptocurrency transactions are recorded on public blockchains. Transaction amounts, wallet addresses, and timestamps are publicly visible.

• Wallet addresses are pseudonymous — While blockchain addresses don't directly reveal your identity, they can potentially be linked to real identities through transaction analysis.

• Private keys are encrypted — Your wallet private keys are AES-256 encrypted and stored in your encrypted vault. We cannot access them.

• Transaction data — We do not store blockchain transaction data on our servers. Wallet balances and transaction history are fetched directly from blockchain networks in real-time.

FortressDrive has no control over blockchain networks and cannot reverse, modify, or censor blockchain transactions.

The AI Assistant uses OpenAI's API to process your requests. Important privacy considerations:

• Your conversations are sent to OpenAI's API for processing through encrypted channels.

• We use API endpoints configured to not retain your data for training purposes.

• OpenAI's API data usage policy applies to the processing of your requests.

• We do not store conversation logs on our servers beyond what is encrypted in your account.

• AI responses should not be considered private communications — they are generated by third-party AI models.

For maximum privacy, avoid sharing highly sensitive personal information (SSN, financial account numbers, etc.) in AI Assistant conversations.

We may update this Privacy Policy from time to time. When we make changes:

• We will update the "Last Updated" date at the bottom of this page.

• For significant changes, we will notify you via email or through the Platform.

• Your continued use of the Platform after changes constitutes acceptance of the updated policy.

We encourage you to review this Privacy Policy periodically.

If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please contact us through the Platform's support channels.

For data protection inquiries from EEA residents, you may also contact your local data protection authority.

This Privacy Policy was last updated on March 20, 2026.