Privacy Policy

Version 2.0 — Effective: 22-09-2025

Multi Dimension Solutions Limited is committed to ensuring that your privacy is protected.

We are the data controller of the App and the Account, namely, Multi Dimension Solutions Limited, a company established under the Laws of Malta, bearing company registration number C 96131 and having its registered address at The Bastions, Office 2, Emvin Cremona Street, Floriana, FRN 1281, Malta.

We recognise Our obligations as data controller and We are committed to complying with all applicable laws, including the Data Protection Act (Cap 586 of the Laws of Malta) and the General Data Protection Regulation (2016/679).

Please note that the defined terms in the HashThat Terms and Conditions are to be ascribed the same meaning as ascribed thereto in the HashThat Terms and Conditions when used in this Privacy Notice.

Please read this Privacy Notice carefully to understand your rights and our practices with respect to your personal data.

Please do note that this Privacy Notice applies to your use of Our App and your Account only.

1. Scope

This Privacy Notice describes how we collect, use, and safeguard personal data when you interact with our services. It applies when you:

  • Create or use a HashThat account or access the App via web, desktop, mobile, or browser extension;
  • Use features such as the Password Manager, Shared Vaults and Password Sharing, File Sharing and Secure Links, or the Link Shortener;
  • Visit our websites or communicate with us, including contacting support.

Capitalised terms used in this Privacy Notice have the meanings given to them in the HashThat Terms and Conditions.

2. What is “Personal Data”?

“Personal data” means any information that identifies you, or can reasonably be used to identify you, directly or indirectly (e.g., name, email address, identifiers, IP addresses, or support messages).

We do not intentionally collect sensitive categories of data (e.g., health, biometric, or political opinions). If you upload or store such data, you must ensure you have a lawful basis. All customer content is treated as confidential.

3. How We Collect Personal Data

We collect personal data directly from you, automatically through your use of our services, and from certain third parties, depending on your interactions with the App and related services. Specifically, we collect data when you:

  • Create or register a HashThat account, or update your Account Settings;
  • Use the App and its features (e.g., Password Manager, Secure Sharing), to the extent necessary to deliver core functionality (see Section 4);
  • Purchase, activate, or renew a subscription (e.g., Pro tier);
  • Contact us for support, submit feedback, or communicate via other channels;
  • Trigger automatic diagnostic or security-related events (e.g., sign-in activity, token issuance, IP logs, abuse prevention systems);
  • Visit our websites or interfaces, which may use cookies or software development kits (SDKs) for essential functions and optional analytics (see Section 7).

We do not monitor or access the content of your vault entries, shared passwords, or uploaded files. Where client-side encryption is used, we have no ability to decrypt your data. Encryption keys are generated on your device and encrypted using your Master Password and, if enabled, your Secret Key. These keys are never transmitted to our servers in a form that would allow us to access your encrypted content.

However, we may collect non-content metadata—such as the number of vault items, storage usage, or feature usage frequency—to manage account limits, ensure fair use, and determine eligibility for subscription tiers. This metadata does not include or reveal the contents of your encrypted data.

4. Categories of Data & Purposes

We collect and process various categories of personal data depending on your interaction with our services and subscription level. The tables below describe the types of data we may collect, the purposes for processing, and the applicable legal bases under relevant data protection laws (such as the GDPR and UK GDPR).

Some data is only collected when using certain features, such as those available under a Pro subscription. Where applicable, this is noted in the relevant section. Optional features that rely on your consent (e.g., marketing, link analytics) are always clearly marked, and you may withdraw your consent at any time.

We do not use personal data for automated decision-making or profiling beyond what is necessary to provide the core service securely and efficiently.

4.1 Account & Subscription

Data: Username, email address, account ID, subscription tier/status, country, transaction metadata.
Purpose: To manage your account, deliver services, process payments and taxes, prevent misuse, and send essential service communications.
Legal basis: Contract performance; legal obligations; legitimate interests (e.g., fraud prevention, service integrity).

4.2 Authentication & Security

Data: Hashed credentials, token identifiers, sign-in events (timestamps, IP address, user-agent), 2FA status, recovery data.
Purpose: To secure access, enable account recovery, respond to incidents, and prevent fraudulent activity.
Legal basis: Contract performance; legitimate interests; legal obligations.
Notes: Your Master Password and, if used, Secret Key are generated and stored client-side only.

4.3 Password Manager (Vault)

Data: Vault item metadata, device sync metadata. Vault contents are end-to-end encrypted and inaccessible to us.
Purpose: To store and synchronise encrypted vaults across your devices.
Legal basis: Contract performance.

4.4 Shared Vaults & Password Sharing

Data: Inviter and invitee IDs and emails, roles, sharing status, audit events, and sharing identifiers.
Purpose: To enable secure sharing of vault items and manage sharing permissions.
Legal basis: Contract performance; legitimate interests (e.g., security, abuse prevention).

4.5 File Sharing & Secure Links

Data: Encrypted file contents, metadata (filename, size, MIME type, checksum), storage keys, link IDs/tokens, optional link passwords, expiration limits, and access logs.
Purpose: To enable secure file sharing, enforce link limits and expiration, and detect potential abuse.
Legal basis: Contract performance; legitimate interests; legal obligations.
Notes: If client-side encryption is enabled, we cannot decrypt your files.

4.6 Link Shortener

Data: Original URL, short ID, creation timestamp, optional tags, abuse signals, aggregated usage metrics, optional IP address and user-agent.
Purpose: To manage shortened links, provide usage analytics, and detect misuse.
Legal basis: Contract performance; legitimate interests.
Notes: We do not profile or track link users beyond necessary metrics.

4.7 Support & Communications

Data: Support messages, attachments, contact details, and service-related communications.
Purpose: To respond to support requests and send essential service updates.
Legal basis: Contract performance; legitimate interests.
Marketing: Only with your explicit consent, which you may withdraw at any time.

5. Legal Bases for Processing (Summary)

We process your personal data based on the following legal grounds, as permitted under the GDPR and UK GDPR:

  • Contract Performance: To provide and manage access to the App and associated subscription services.
  • Legitimate Interests: For purposes such as ensuring the security and integrity of our services, preventing fraud, improving performance, maintaining logs and metrics, and defending legal claims. We ensure that our interests do not override your rights and freedoms.
  • Legal Obligations: To comply with applicable laws and regulations, including tax and accounting obligations, responding to lawful requests, and breach notification requirements.
  • Consent: For the use of non-essential cookies, direct marketing communications, and optional link analytics. You may withdraw consent at any time.

6. Storage, Service Providers & Transfers

We use a combination of in-house infrastructure and carefully selected third-party service providers, including AWS S3, Backblaze B2, and self-hosted MinIO. Payment processing is handled by Stripe, Inc.

  • Data Residency: Personal data is primarily stored within the European Economic Area (EEA). Where data is transferred outside the EEA, such transfers are safeguarded by Standard Contractual Clauses (SCCs) and supplementary measures as required by applicable data protection laws.
  • Transparency: We maintain an up-to-date list of our subprocessors and will notify you of any material changes in accordance with our obligations.
  • Encryption: All personal data is encrypted both in transit and at rest. Vault data and client-side files benefit from end-to-end encryption for enhanced security.

7. Cookies & Tracking

The app (available via browser on app.hashthat.app, mobile and desktop) relies on essential functional cookies to ensure it operates securely and functions correctly.

On our marketing / secondary websites, we also use necessary functional cookies. We may also use marketing and analytics cookies to enhance your experience – your consent is required for these. See our Cookie Policy for complete information.

8. Data Retention

We retain your personal data only for as long as it is lawfully permissible to do so. Thereafter, your personal data shall be immediately and irrevocably destroyed.

In view of Our contractual relationship with you, We typically retain your personal data for up to five (5) years from the end of Our contractual relationship on the basis of Our legitimate interests to protect ourselves in civil cases which you might institute against Us in relation to Our contractual relationship.

Payment information such as invoices and transactional documentation and information, may be kept by Us for up to ten (10) years from the completion of the relevant transaction, on the basis of legal obligations imposed on Us to retain such information.

We may also have a legitimate interest to retain your data for longer periods such as when your personal data is required for exercising or defending legal claims.

9. Your Rights

9.1 EEA/UK

You have several rights under applicable data protection laws, particularly the General Data Protection Regulation (GDPR), in relation to the personal data we process about you:

  • Right of Access – You have the right to obtain confirmation as to whether or not we are processing personal data concerning you, and, if so, to request access to such data and receive a copy thereof.
  • Right to Rectification – You have the right to request the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
  • Right to Erasure ("Right to be Forgotten") – In certain circumstances, you have the right to request the erasure of your personal data, such as where the data are no longer necessary for the purposes for which they were collected or otherwise processed.
  • Right to Data Portability – Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format, and to request that we transmit those data directly to another controller, where technically feasible.
  • Right to Object – You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data where such processing is based on our legitimate interests or those of a third party. In such cases, we shall cease processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
  • Right to Restriction of Processing – You have the right to request the restriction of processing in specific circumstances, such as when you contest the accuracy of the data or object to processing.
  • Right to Withdraw Consent – Where we rely on your consent for processing, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint – If you have concerns about how your personal data are being processed, you have the right to lodge a complaint with us using the contact details provided below. You also have the right to file a complaint with the Information and Data Protection Commissioner in Malta, available at idpc.org.mt.

To exercise any of these rights, please contact us at: info@hashthatpassword.com. Please note: We may require verification of your identity. Technical limitations may apply to encrypted content.

9.2 Your U.S. State Privacy Rights

If you are a resident of certain U.S. states (including, but not limited to, California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, and Tennessee), you may have the following rights under applicable state privacy laws:

  • Right to Know/Access – You have the right to request access to the categories and specific pieces of personal information we have collected about you.
  • Right to Correct – You may request the correction of inaccurate personal information.
  • Right to Data Portability – You may request that we provide your personal data in a portable and readily usable format.
  • Right to Opt-Out of Sale or Sharing – You may opt out of the sale or sharing of your personal information, where applicable.
  • Right to Limit Use of Sensitive Personal Information (California residents only) – You may request that we limit the use or disclosure of your sensitive personal information.
  • Right to Non-Discrimination – You will not be discriminated against for exercising your privacy rights.
  • Right to Appeal – If we deny your request (where applicable), you have the right to appeal our decision. To do so, please respond to our decision email with “Privacy Appeal” in the subject line.

To exercise any of these rights, please contact us at: info@hashthatpassword.com. Please note: We may require verification of your identity. Technical limitations may apply to encrypted content.

10. Children's Privacy

Our services are not directed to, and we do not knowingly collect personal data from, children under the age of 16. If you are under 16, please do not provide any personal data through our website or services.

If we become aware that we have inadvertently collected personal data from a child under the applicable age threshold without verifiable parental consent, we will take steps to delete such data as soon as possible.

If you believe that we may have collected personal data from a child, please contact us immediately at info@hashthatpassword.com.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, misuse, loss, or destruction.

Our safeguards include encryption (in transit and at rest), access controls, authentication mechanisms, and ongoing monitoring. Where applicable, additional layers such as client-side encryption, device verification and two-factor authentication are also used.

Although no system is entirely secure, we are committed to maintaining a high level of data security and will notify you of any data breaches in accordance with applicable laws.

12. Disclosures & Corporate Events

We do not sell your personal data.

We may share your data only in the following circumstances, and always subject to appropriate confidentiality and security safeguards:

  • Personnel and Contractors – With employees and independent contractors who require access to perform their duties, subject to confidentiality obligations.
  • Service Providers and Subprocessors – With trusted third parties who provide services on our behalf, such as hosting, payment processing, and infrastructure support.
  • Legal and Regulatory Authorities – Where required to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
  • Corporate Transactions – In connection with a merger, acquisition, financing, or sale of assets, where personal data may be transferred to a successor entity, provided appropriate protections are maintained.

We ensure that any third parties accessing your personal data do so in compliance with applicable data protection laws and only for specified, legitimate purposes.

13. Contact Details

If you have any questions, requests, or concerns regarding this Privacy Policy or the way we handle your personal data, you may contact us by email at: support@hashthat.app

14. Updates

We may update this Notice to reflect changes in processing or law. We will notify you before material changes and seek consent if required.