Version 2.1 — Effective: 03-07-2026
Multi Dimension Solutions Limited is committed to ensuring that your privacy is protected.
We are the data controller of the App and the Account, namely, Multi Dimension Solutions Limited, a company established under the Laws of Malta, bearing company registration number C 96131.
We recognise Our obligations as data controller and We are committed to comply with all applicable laws, including the Data Protection Act (Cap 586 of the Laws of Malta) and the General Data Protection Regulation (2016/679).
Please note that the defined terms in the HashThat Terms and Conditions are to be ascribed the same meaning as ascribed thereto in the HashThat Terms and Conditions when used in this Privacy Notice.
Please read this Privacy Notice carefully to understand your rights and our practices with respect to your personal data.
Please do note that this Privacy Notice applies to your use of Our App and your Account only.
This Privacy Notice describes how we collect, use, and safeguard personal data when you interact with our services. It applies when you:
Capitalised terms used in this Privacy Notice have the meanings given to them in the HashThat Terms and Conditions.
“Personal data” means any information that identifies you, or can reasonably be used to identify you, directly or indirectly (e.g., name, email address, identifiers, IP addresses, or support messages).
We do not intentionally collect sensitive categories of data (e.g., health, biometric, or political opinions). If you upload or store such data, you must ensure you have a lawful basis. All customer content is treated as confidential.
We collect personal data directly from you, automatically through your use of our services, and from certain third parties, depending on your interactions with the App and related services. Specifically, we collect data when you:
We do not monitor or access the content of your vault entries, shared passwords, encrypted Notes, or uploaded files. Where client-side encryption is used, we have no ability to decrypt your data. Encryption keys are generated on your device and encrypted using your Master Password and, if enabled, your Secret Key. These keys are never transmitted to our servers in a form that would allow us to access your encrypted content.
However, we may collect non-content metadata—such as the number of vault items, notes, links, storage usage, subscription entitlements, device status, or feature usage frequency—to manage account limits, ensure fair use, provide security features, and determine eligibility for subscription tiers. This metadata does not include or reveal the contents of your encrypted data.
We collect and process various categories of personal data depending on your interaction with our services and subscription level. The tables below describe the types of data we may collect, the purposes for processing, and the applicable legal bases under relevant data protection laws (such as the GDPR and UK GDPR).
Some data is only collected when using certain features, such as those available under a Pro subscription. Where applicable, this is noted in the relevant section. Optional features that rely on your consent (e.g., marketing, optional cookies, or push notification permission) are always clearly marked, and you may withdraw your consent at any time.
We do not use personal data for automated decision-making or profiling beyond what is necessary to provide the core service securely and efficiently.
| Data: | Username, email address, account ID, language preference, subscription tier/status, entitlement status, Free Trial status, country, transaction metadata, Billing Provider identifiers, purchase/renewal/cancellation/restoration events, and invoice or receipt metadata. |
|---|---|
| Purpose: | To manage your account, deliver services, process payments and taxes, verify and restore entitlements, prevent misuse, and send essential service communications. |
| Legal basis: | Contract performance; legal obligations; legitimate interests (e.g., fraud prevention, service integrity). |
| Providers: | Web purchases are processed through Stripe. In-app purchases may be processed through Apple App Store or Google Play billing and managed through RevenueCat. |
| Data: | Hashed credentials, token identifiers, sign-in events (timestamps, IP address, user-agent), 2FA status, recovery data, trusted-device records, device verification status, account security settings, and security audit events. |
|---|---|
| Purpose: | To secure access, enable account recovery, respond to incidents, and prevent fraudulent activity. |
| Legal basis: | Contract performance; legitimate interests; legal obligations. |
| Notes: | Your Master Password and, if used, Secret Key are generated and stored client-side only. |
| Data: | Vault item metadata, encrypted vault contents, password import metadata, sharing metadata, and device sync metadata. Vault contents are encrypted and inaccessible to us where client-side encryption is used. |
|---|---|
| Purpose: | To store, import, share, and synchronise encrypted vaults across your devices. |
| Legal basis: | Contract performance. |
| Data: | Inviter and invitee IDs and emails, roles, sharing status, audit events, and sharing identifiers. |
|---|---|
| Purpose: | To enable secure sharing of vault items and manage sharing permissions. |
| Legal basis: | Contract performance; legitimate interests (e.g., security, abuse prevention). |
| Data: | Encrypted file contents, metadata (filename, size, MIME type, checksum), storage keys, link IDs/tokens, optional link passwords, expiration limits, and access logs. |
|---|---|
| Purpose: | To enable secure file sharing, enforce link limits and expiration, and detect potential abuse. |
| Legal basis: | Contract performance; legitimate interests; legal obligations. |
| Notes: | If client-side encryption is enabled, we cannot decrypt your files. |
| Data: | Original URL, short ID, creation timestamp, optional tags, project or folder metadata, abuse signals, click timestamps, referrer, campaign parameters, approximate location, device type, browser, operating system, aggregated usage metrics, optional IP address and user-agent. |
|---|---|
| Purpose: | To manage shortened links, provide link analytics, export analytics where available, enforce limits, and detect misuse. |
| Legal basis: | Contract performance; legitimate interests. |
| Notes: | Link analytics are intended to provide operational statistics to the link owner and to protect the service from abuse. You are responsible for giving any notices or obtaining any consents required for your use of links and analytics. |
| Data: | Encrypted note content, encrypted note metadata, note identifiers, mode, folder and tag metadata, pin/trash/restore status, global CSS settings, timestamps, and sync metadata. |
|---|---|
| Purpose: | To create, save, preview, organize, search, restore, delete, and synchronise Notes and related settings. |
| Legal basis: | Contract performance; legitimate interests for service integrity and abuse prevention. |
| Notes: | Note content is stored in encrypted form where client-side encryption is used. Some non-content metadata is processed to provide folders, tags, search, ordering, limits, and restore functionality. |
| Data: | Device UUID, push notification token, platform, operating system, OS version, manufacturer, model, app version/build, timezone, language, country/locale, virtual-device status, web-view version, notification identifiers, and notification-open events. |
|---|---|
| Purpose: | To register devices, deliver push notifications where enabled, route notification actions, log notification opens where configured, support device controls, and maintain account security. |
| Legal basis: | Consent for push notification permission where required; contract performance and legitimate interests for device security, delivery, diagnostics, and abuse prevention. |
| Data: | Support messages, attachments, contact details, and service-related communications. |
|---|---|
| Purpose: | To respond to support requests and send essential service updates. |
| Legal basis: | Contract performance; legitimate interests. |
| Marketing: | Only with your explicit consent, which you may withdraw at any time. |
We process your personal data based on the following legal grounds, as permitted under the GDPR and UK GDPR:
We utilize a combination of in-house infrastructure and carefully selected third-party service providers, including AWS S3, Backblaze B2, and self-hosted MinIO. Web payment processing is handled by Stripe, Inc. In-app purchase entitlement management may be handled through RevenueCat, with payment and subscription processing performed by Apple App Store or Google Play where applicable. We may also use platform push notification services and other service providers needed to deliver, secure, monitor, and support the App.
The app (available via browser on app.hashthat.app, mobile and desktop) relies on essential functional cookies, local storage, device storage, and similar technologies to ensure it operates securely and functions correctly.
On our marketing / secondary websites, we also use necessary functional cookies. We may also use marketing and analytics cookies to enhance your experience – your consent is required for these. See our Cookie Policy for complete information.
On mobile, the App may also use platform permissions and SDKs for purchases, push notifications, device information, and secure local preferences. You can manage operating-system permissions through your device settings.
We retain your personal data exclusively for the period which is lawfully permissible to retain your personal data. Thereafter, your personal data shall be immediately and irrevocably destroyed.
In view of Our contractual relationship with you, We typically retain your personal data for up to five (5) years from the end of Our contractual relationship on the basis of Our legitimate interests to protect ourselves in civil cases which you might institute against Us in relation to Our contractual relationship.
Payment information such as invoices, receipts, purchase records, entitlement records, and transactional documentation and information, may be kept by Us or the applicable Billing Provider for up to ten (10) years from the completion of the relevant transaction, on the basis of legal obligations imposed on Us or the Billing Provider to retain such information.
Encrypted customer content, including vault data, Notes, files, links, and related metadata, is generally retained while your Account is active and then deleted or anonymised in accordance with the Terms, technical backup cycles, and applicable legal obligations. Security, diagnostic, notification, and abuse-prevention logs are retained only for as long as needed for the purposes described in this Notice, unless a longer period is required for legal, tax, accounting, fraud-prevention, or dispute purposes.
We may also have a legitimate interest to retain your data for longer periods such as when your personal data is required for exercising or defending legal claims.
You have several rights under applicable data protection laws, particularly the General Data Protection Regulation (GDPR), in relation to the personal data we process about you:
To exercise any of these rights, please contact us at: support@hashthat.app. Please note: We may require verification of your identity. Technical limitations may apply to encrypted content.
If you are a resident of certain U.S. states (including, but not limited to, California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, and Tennessee), you may have the following rights under applicable state privacy laws:
To exercise any of these rights, please contact us at: support@hashthat.app. Please note: We may require verification of your identity. Technical limitations may apply to encrypted content.
Our services are not directed to, and we do not knowingly collect personal data from, children under the age of 16. If you are under 16, please do not provide any personal data through our website or services.
If we become aware that we have inadvertently collected personal data from a child under the applicable age threshold without verifiable parental consent, we will take steps to delete such data as soon as possible.
If you believe that we may have collected personal data from a child, please contact us immediately at support@hashthat.app.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, misuse, loss, or destruction.
Our safeguards include encryption (in transit and at rest), access controls, authentication mechanisms, and ongoing monitoring. Where applicable, additional layers such as client-side encryption, device verification, secure local storage, recovery controls, push-notification security controls, and two-factor authentication are also used.
Although no system is entirely secure, we are committed to maintaining a high level of data security and will notify you of any data breaches in accordance with applicable laws.
We do not sell your personal data.
We may share your data only in the following circumstances, and always subject to appropriate confidentiality and security safeguards:
We ensure that any third parties accessing your personal data do so in compliance with applicable data protection laws and only for specified, legitimate purposes.
If you have any questions, requests, or concerns regarding this Privacy Policy or the way we handle your personal data, you may contact us via email on: support@hashthat.app
We may update this Notice to reflect changes in processing or law. We will notify you before material changes and seek consent if required.