Privacy Policy

Last updated: June 5, 2026

Lukko encrypts your files into sealed .lukko containers and gives you a live, revocable access list for every one of them. This policy explains what we store, what we can and cannot see, and how we respond to legal requests.

Your files, your control

Your files belong to you. You decide who can open them, you can revoke or expire that access at any time, and you are responsible for the files you create, the devices you keep them on, and the people you share them with. Lukko provides the encryption and access-control layer — we do not host your files. The encrypted containers live on your devices and wherever you choose to send them.

Opening a file is checked against Lukko in real time, which is what lets you cut off access instantly — on every copy, including ones already shared. If you revoke access or delete a file’s records, future opens will fail by design, and we cannot undo that for you.

How your files are protected

Every file is sealed on your device with strong, modern authenticated encryption (XChaCha20-Poly1305) before it ever leaves you. We never receive the contents, the real filename, or the file type — a stray .lukko file is just random-looking data that reveals nothing about what’s inside.

The keys that unlock your files are protected with hybrid post-quantum encryption (X25519 + ML-KEM-768), so files captured today stay protected even against tomorrow’s quantum computers. Your keys and your files are never kept together in a form that could unlock anything, and access is checked live every single time a file is opened — which is what lets you shut it off the instant you need to.

What we store

• Account data: your email address and authentication state.
• File metadata: a file identifier, size, timestamps, and an optional display label you set. The real filename and content type are encrypted inside the container and are never stored by us.
• Access policy: the identities (users, emails, or domains) you grant or revoke, and any expiry you set.
• Wrapped key material: the per-file key encrypted to our key service. We do not store an unwrapped key, and our database alone cannot decrypt it.
• Access log: a record of opens and access changes (see below).

We never store the plaintext contents of your files.

Access logs and metadata

Because every open is authorized server-side, Lukko records when a file is opened, by which identity, and whether it was allowed or denied. This powers the audit trail that file owners rely on, and it is a deliberate privacy trade-off: Lukko can see who opened what, and when — though not the file’s contents or real name.

Where your data lives

We use a small number of reputable infrastructure providers to operate the service: a secure managed Postgres database (accounts and metadata) and Cloudflare (the isolated key-handling service). Your encrypted files themselves stay on your own devices — we do not host files or their content.

Legal requests

We require valid legal process for any government request and comply only to the extent legally required.

Retention and deletion

You can remove someone’s access at any time, and they won’t be able to open the file again. You can also ask us to delete your account and its data by emailing us. The one thing we can’t do is pull back a copy someone already opened or saved while they still had access.

Changes to this policy

We may update this policy as the product evolves. Material changes will be reflected in the “last updated” date above.

Contact

Questions about this policy? Reach us at support@colab.fi.