Privacy Policy

Last updated: February 21, 2026

1. Data Controller

Infragilis LLC is the data controller for your personal data processed through Legati. For any questions regarding your data, contact our Data Protection Officer at dpo@legati.co.

2. Data We Collect

We collect the following personal data when you register and use Legati:

  • Identity data: first name, last name, date of birth
  • Contact data: email address, phone number, mailing address
  • Account data: encrypted password hash, unique encryption key, user code
  • Usage data: login timestamps, IP addresses (retained for security)
  • File metadata: file names, sizes, upload dates (file contents are encrypted and inaccessible to us)

3. Purposes of Processing

  • Account creation and management (contractual necessity)
  • Providing encrypted file storage services (contractual necessity)
  • Security monitoring and fraud prevention (legitimate interest)
  • Communication about your account and service updates (legitimate interest)

4. Legal Basis

  • Contract performance: processing necessary to provide the service you subscribed to
  • Legitimate interest: security monitoring, login logging, and service improvement
  • Consent: you consent to our Privacy Policy and Terms of Service at registration

5. Cookies

Legati uses only strictly necessary session cookies for authentication and CSRF protection. We do not use tracking cookies, analytics cookies, or advertising cookies. These session cookies are essential for the service to function and cannot be declined without losing access to your account.

6. Data Retention

Your account data is retained for as long as your account is active. Visitor logs are automatically purged after 90 days. Login history retains only the 5 most recent entries. When you delete your account, all personal data, files, and related records are permanently erased.

7. Data Residency

We are committed to keeping your data within your region. Data belonging to users in the European Economic Area (EEA) is stored exclusively in European data centers and never transferred outside the EEA. Data belonging to users in the United States is stored in U.S. data centers. We comply with all applicable local data residency laws and regulations to ensure your data remains within the jurisdiction where it originated.

8. Third-Party Data Sharing

We do not sell, rent, or share your personal data with third parties. Encrypted file bundles are stored on secure infrastructure but are encrypted with your personal key before upload, making the contents inaccessible to anyone without your key. Payment processing is handled by Stripe, which has its own GDPR-compliant privacy policy.

9. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access: request a copy of your personal data (use "Export My Data" in your profile)
  • Right to rectification: update your personal information in your profile at any time
  • Right to erasure: delete your account and all associated data permanently
  • Right to data portability: export your data in machine-readable JSON format
  • Right to object: contact our DPO to object to specific processing
  • Right to lodge a complaint: you may file a complaint with your local data protection authority

10. Encrypted Backups

File bundles uploaded to secure storage are encrypted with your personal encryption key before transfer. These bundles contain no personally identifiable information in their filenames. Encrypted bundles may be retained in secure storage even after account deletion, as they cannot be linked to an individual or decrypted without the original encryption key.

11. Data Protection Officer

You can contact our Data Protection Officer with any questions or requests regarding your personal data at dpo@legati.co, or use our GDPR contact form at /contact/dpo. We will respond within 30 days.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

Categories of Personal Information Collected

  • Identifiers: name, email address, phone number, mailing address, user code
  • Account information: encrypted password hash, encryption key, date of birth
  • Commercial information: subscription plan, payment history (via Stripe)
  • Internet/electronic activity: login timestamps, IP addresses, browser and device information
  • File metadata: file names, sizes, upload dates (file contents are encrypted and inaccessible to us)

Business Purposes for Collection

  • Providing and maintaining the encrypted file storage service
  • Account creation, authentication, and security monitoring
  • Processing payments and managing subscriptions

No Sale or Sharing of Personal Information

Legati does not sell, rent, or share your personal information with third parties for cross-context behavioral advertising or any other purpose. We have not sold or shared personal information in the preceding 12 months.

Your California Consumer Rights

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request that we delete the personal information we have collected from you. You can also delete your account directly from your profile.
  • Right to Correct: You may request that we correct inaccurate personal information. You can also update your profile directly.
  • Right to Opt-Out of Sale: Not applicable — Legati does not sell your personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

How to Submit a Request

To exercise your California privacy rights, submit a request through our CCPA request form or email us at info@legati.co. You may also designate an authorized agent to make a request on your behalf.

Verification and Response Timeline

We will verify your identity before processing your request by matching the information you provide with our records. We will respond to verifiable consumer requests within 45 calendar days. If we need additional time, we will notify you of the extension and the reason.

14. Health Information Privacy (HIPAA)

Legati is designed to meet the security requirements of the Health Insurance Portability and Accountability Act (HIPAA). While Legati is a general-purpose encrypted file storage service, users who store Protected Health Information (PHI) can rely on the following safeguards.

Technical Safeguards

  • AES-256-CBC encryption: all files are encrypted at rest with unique per-user encryption keys
  • Access controls: password-protected accounts with optional two-factor authentication (SMS or hardware security key)
  • Audit controls: login history tracking with IP addresses and timestamps
  • Transmission security: all data transmitted over TLS/SSL encrypted connections
  • Integrity controls: files are verified during upload and download to prevent unauthorized alteration

Protected Health Information

Legati does not access, view, or process the contents of your encrypted files. File contents are encrypted with your personal encryption key before storage, making them inaccessible to Legati staff and systems. Only file metadata (name, size, upload date) is visible to the system.

Your HIPAA Rights

  • Right to Access: You can download your files and export your account data at any time from your profile.
  • Right to Amendment: You can update your personal information through your profile settings.
  • Right to Restriction: You can request restrictions on how your information is used by contacting us.
  • Right to Accounting of Disclosures: You can request a record of disclosures of your information.
  • Right to Receive Breach Notification: You will be notified within 60 days if a breach affecting your data occurs.

How to Submit a HIPAA Request

To exercise your HIPAA rights, submit a request through our HIPAA request form or email us at info@legati.co. We will respond to requests within 30 days.

Breach Notification

In the event of a data breach affecting Protected Health Information, Legati will notify affected individuals within 60 days as required by the HIPAA Breach Notification Rule. Notification will be sent via email and, where applicable, by first-class mail.

15. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of Legati after changes constitutes acceptance of the revised policy.
