Reliquary
Sign In

Reliquary Privacy Policy

Effective Date: May 1, 2026
Operator: ACM Concepts, LLC, operating the Reliquary service
Contact: ACM Concepts, LLC, 56 Broad St STE 14227, Boston, MA 02109, (617) 683-1622, help@myreliquary.com

This Privacy Policy explains how ACM Concepts, LLC, operating the Reliquary service ("Reliquary," "we," "us," or "our"), collects, uses, discloses, and retains personal data in connection with Reliquary websites, applications, storage and preservation workflows, public transfer pages, billing, support, and related services that link to this Privacy Policy (collectively, the "Service").

Capitalized terms not defined in this Privacy Policy have the meanings given in the Reliquary Terms and Conditions.

1. Scope

This Privacy Policy applies to personal data we process about:

  1. website visitors;
  2. people who create Accounts;
  3. individual Customers;
  4. users, Authorized Users, Team Administrators, billing contacts, and organization representatives;
  5. people who communicate with Reliquary or request support;
  6. people who access public Transfer links, enter Transfer passwords, preview files, or download files; and
  7. people whose personal data appears in Customer Content, metadata, file names, paths, descriptions, notes, deletion requests, support messages, Transfer labels, or other materials submitted to the Service by Customers.

Customer controls what Customer Content is submitted to the Service. If you use Reliquary on behalf of an organization, your organization may control your Account, Team, Customer Content, metadata, logs, billing information, and related records. Team Administrators may be able to access, export, delete, or disclose information associated with the Team according to their permissions.

The Service is intended for users who are at least 18 years old and located in the United States. It is not directed to children.

2. Reliquary's Role

For account administration, billing, security, support, website analytics, marketing communications, Transfer recipient logs, and Service operations, Reliquary generally acts as a business or controller of personal data.

For Customer Content that a Customer uploads, stores, packages, validates, transfers, previews, or deletes through the Service, Reliquary generally processes that content to provide the Service to the Customer. Customer is responsible for determining whether Customer Content contains personal data, providing required notices, obtaining required consents, responding to requests from individuals whose data is in Customer Content, and ensuring that use of the Service complies with applicable law and Customer's obligations. A separate data processing agreement, business associate agreement, standard contractual clauses, or similar addendum applies only if signed by Reliquary.

3. Personal Data We Collect

3.1 Account, profile, and Team data

We may collect name, email address, login credentials, password hash, OAuth identifiers, verification status, user ID, organization or Team name, role, membership, permissions, settings, preferences, invitations, acceptance status, and related Account details.

3.2 Authentication, device, and security data

We may collect IP address, user agent, browser and device information, operating system, approximate location derived from IP address, cookies, session identifiers, CSRF and security tokens, login attempts, email verification events, password reset events, multi-factor authentication settings if enabled, OAuth events, rate-limiting events, access logs, and security logs.

3.3 Billing and payment data

We may collect billing contacts, billing address, tax information, subscription status, plan details, seat counts, usage charges, storage invoices, invoice records, invoice URLs or PDFs, receipts, Stripe customer IDs, payment method metadata, payment status, failed payment events, chargebacks, refunds, credits, disputes, and collection-related records. Reliquary uses Stripe or another payment processor and does not need to store full payment card numbers when the payment processor handles them.

3.4 Customer Content and Customer Content metadata

Reliquary processes Customer Content that Customers choose to submit to the Service. This may include uploaded files, BagIt packages, manifests, direct uploads, extraction artifacts, staging files, preview content, public Transfer content, metadata, file-level metadata, bag names, descriptions, tags, custom metadata fields, filenames, logical paths, object names, MIME types, file sizes, checksums, generation IDs, upload status, verification results, extraction status, direct-upload names and descriptions, transfer labels, transfer notes, deletion reasons, admin notes, and related records.

Customer Content and metadata may contain personal data, confidential information, sensitive information, or regulated data. Reliquary does not determine whether Customer Content contains personal data or regulated data and does not routinely review Customer Content for legality, sensitivity, malware, rights, or compliance status.

3.5 Operation, storage, and workflow data

We may collect operation logs, job IDs, request IDs, idempotency key scopes, upload session data, upload completion callbacks, storage object metadata, tenant or Vault identifiers, bucket names, provisioning metadata, terminal operation output or status lines, verification results, extraction results, signed URL events, staging cleanup logs, deletion review statuses, billing-run results, and similar operational records.

3.6 Transfer Recipient data

When a person accesses a Transfer, we may collect public slug access, password submission or unlock state, preview attempts, download attempts, selected file or object names, timestamps, IP address, user agent, browser or device information, success or failure status, cookies or session storage used to remember an unlocked Transfer, and related access logs. These logs may be visible to the Customer who created the Transfer and to applicable Team Administrators.

3.7 Support and communications data

We may collect information you provide through help@myreliquary.com, Crisp chat, support tickets, forms, email, phone, or other communications, including message content, attachments, diagnostic information, Account or Team context, and contact details.

3.8 Website, analytics, and calculator data

We may collect information about visits to Reliquary websites and public pages, including page views, referral sources, campaign data, approximate location, browser and device information, interactions with forms, public calculator inputs or interactions if submitted or logged, and analytics events. Reliquary may use Google Analytics or similar analytics tools on public or marketing surfaces and, where configured, within application surfaces.

3.9 Error monitoring and diagnostics

We may collect error monitoring data through Sentry or similar tools, including stack traces, URLs, request metadata, browser or server context, user or Team identifiers when configured, timestamps, and diagnostic details. We configure error monitoring with the goal of avoiding unnecessary capture of file content or sensitive metadata, but diagnostic context may sometimes include personal data.

3.10 Data from third-party sources

We may receive information from Team Administrators, organizations, invited users, payment processors, Google OAuth, Google Cloud Platform, Stripe, Crisp, Sentry, Google Analytics, CAPTCHA providers, email delivery providers, security providers, analytics providers, and other service providers.

4. Sources of Personal Data

We collect personal data from:

  1. you directly, when you create an Account, configure a Team, submit metadata, upload files, create Transfers, enter passwords, request deletion, set up billing, use support, or contact us;
  2. Customers and Team Administrators, when they invite users, assign roles, configure Teams, manage billing, or provide instructions;
  3. your use of the Service, through logs, cookies, upload callbacks, preview and download events, analytics, error monitoring, billing events, and security events;
  4. Customer Content and metadata submitted by Customers;
  5. Transfer activity, when Transfer Recipients unlock, preview, or download content; and
  6. third-party providers that support authentication, hosting, storage, payment, support, analytics, error monitoring, security, email, and related functions.

5. How We Use Personal Data

We use personal data to:

  1. provide, operate, maintain, and improve the Service;
  2. create and manage Accounts, Teams, roles, permissions, invitations, settings, and authentication;
  3. provision Vaults and related storage resources;
  4. enable uploads, Direct Uploads, BagIt packaging, manifests, checksums, validation, verification, extraction, previews, downloads, signed URLs, Transfers, and deletion workflows;
  5. host, store, copy, transmit, process, index metadata, search metadata, display, package, validate, preview, transfer, bill for, and delete Customer Content as needed to provide the Service;
  6. provide public Transfer pages, password unlock workflows, preview and download access, expiration and deactivation behavior, and Transfer logs;
  7. calculate usage, generate estimates, process subscriptions, invoice Customers, collect payments, handle taxes, detect fraud, resolve chargebacks, and address billing disputes;
  8. provide support, respond to requests, troubleshoot Account, upload, billing, Transfer, deletion, and workflow issues, and communicate with users;
  9. secure the Service, authenticate users, verify email addresses, rate-limit traffic, detect abuse, prevent fraud, investigate security incidents, disable abusive Transfers, enforce Terms, and protect Reliquary, Customers, providers, recipients, and the public;
  10. monitor performance, diagnose errors, improve reliability, analyze usage, maintain product quality, and develop Service improvements;
  11. comply with law, legal process, subpoenas, court orders, law enforcement requests, copyright or DMCA notices, tax obligations, accounting obligations, and other legal duties;
  12. enforce agreements, collect amounts owed, defend or bring claims, resolve disputes, and protect rights; and
  13. create aggregated or deidentified data that does not reasonably identify Customers or individuals.

Reliquary does not use Customer Content to train artificial intelligence or machine learning models unless Customer expressly agrees in a separate written agreement. If Reliquary later offers AI-assisted features that process Customer Content, Reliquary will update applicable disclosures and obtain agreements where required.

6. Customer Content, Metadata, and Search/Indexing

Customer Content and metadata may be processed automatically to create BagIt packages, generate manifests, calculate checksums, validate upload completion, verify files, extract files, create previews, stream preview bytes, generate signed URLs, create Transfer pages, calculate usage, display storage information, support search, and process deletion requests. Large uploads may be transmitted directly from a user's browser to Google Cloud Storage or another cloud storage provider using signed URLs or upload sessions; those providers may receive upload bytes, object metadata, IP addresses, request headers, and related technical data needed to perform the upload. Public previews may stream bytes through Reliquary-controlled routes before delivery to the recipient's browser.

Filenames, paths, object names, bag metadata, file-level metadata, descriptions, notes, transfer labels, transfer notes, deletion reasons, and admin notes may contain personal data. This metadata may be stored in databases or indexing systems separate from raw file storage and may be searchable or visible within a Customer's Team according to permissions.

Deleting a file or storage object does not necessarily delete all associated metadata, logs, billing records, security records, support messages, deletion-review records, backups, or other records we retain for legitimate business, legal, security, billing, or operational purposes.

7. Public Transfers and Recipient Privacy

Public Transfer pages may be accessed by people who do not have Reliquary Accounts. When a Transfer Recipient accesses, unlocks, previews, or downloads a Transfer, Reliquary may log the access and may share access logs with the Customer who created the Transfer and applicable Team Administrators.

Transfer logs may include IP address, user agent, timestamp, selected file or object name, password unlock event, preview attempt, download attempt, success or failure status, and related technical data. Preview attempts may be logged separately from downloads and may not increment a download count. Cookies or session storage may be used to remember that a Transfer has been unlocked during a session.

Reliquary is not responsible for a Customer's decision to create a Transfer, include particular content, share a link or password, select recipients, select access modes, or disclose content to a recipient. Transfer Recipients should not access content unless authorized by the Customer who provided the link or password.

8. How We Disclose Personal Data

We may disclose personal data as described below.

8.1 Within Teams and organizations

Team Administrators, organization owners, billing contacts, and Authorized Users may see information associated with their Team, including user names, email addresses, roles, metadata, Customer Content, Transfer settings, Transfer logs, deletion requests, billing records, and operational activity, depending on permissions and product configuration.

8.2 To Transfer Recipients

Customer-selected content, metadata, file names, previews, downloads, Transfer labels, Transfer notes, and other Transfer page information may be disclosed to anyone with the Transfer link and any required password or access state.

8.3 To Customers

Reliquary may disclose Transfer Recipient logs, support context, billing information, operation logs, deletion-review records, security-relevant events, and other Team-related records to the Customer or Team Administrators.

8.4 To service providers and subprocessors

Reliquary may disclose personal data to service providers that host, store, transmit, process, bill, authenticate, monitor, analyze, support, secure, or operate the Service. These may include Google Cloud Platform services such as Google Cloud Storage, Cloud SQL, Cloud Run, Cloud Scheduler, and Secret Manager; Stripe; Crisp; Sentry; Google Analytics; Google OAuth; CAPTCHA providers; email delivery providers; file-preview libraries or related technical components; static, media, or content delivery providers; security providers; and professional advisors.

8.5 For legal, safety, security, and enforcement reasons

We may disclose personal data when we believe disclosure is necessary or appropriate to comply with law, legal process, subpoenas, warrants, court orders, law enforcement requests, tax obligations, copyright or DMCA notices, or regulatory requests; to enforce Terms, Orders, and policies; to collect amounts owed; to prevent fraud or abuse; to investigate security incidents; to protect rights, property, safety, or security; or to respond to emergencies.

8.6 Business transfers

We may disclose or transfer personal data in connection with a merger, acquisition, financing, reorganization, bankruptcy, diligence process, sale of assets, change of control, or similar transaction.

8.7 Aggregated or deidentified data

We may disclose aggregated or deidentified data for analytics, benchmarking, pricing, performance, product improvement, security, reporting, or other lawful purposes, provided the data does not reasonably identify Customers or individuals.

8.8 No sale of Customer Content

Reliquary does not sell Customer Content. Reliquary does not use Customer Content for targeted advertising. Reliquary does not sell personal data for money. Some analytics tools on public websites may collect online identifiers or browsing activity; depending on applicable law, this may be considered a "sale," "sharing," or targeted advertising. Where required, Reliquary will provide legally required choices, opt-outs, or cookie controls.

9. Cookies, Analytics, CAPTCHA, OAuth, Support Chat, and Similar Technologies

Reliquary and its providers may use cookies, pixels, local storage, session storage, and similar technologies for:

  1. login, authentication, session management, CSRF protection, security, and fraud prevention;
  2. preferences, settings, and user experience;
  3. Transfer unlock state and public Transfer access;
  4. analytics, performance, and product diagnostics;
  5. support chat and customer support context;
  6. payment, checkout, and billing flows;
  7. CAPTCHA, abuse prevention, and bot detection; and
  8. OAuth login and account linking.

You may be able to control cookies through browser settings, cookie banners, consent tools, or provider opt-out mechanisms. Blocking cookies may affect login, security, Transfer access, support, payment, or other Service functionality. Reliquary does not respond to all "Do Not Track" signals. Where applicable law requires recognition of certain opt-out preference signals or specific cookie choices, Reliquary will handle those signals as legally required for the applicable surfaces and processing activities.

10. Data Retention

Reliquary retains personal data for as long as reasonably necessary for the purposes described in this Privacy Policy, including Service operation, Customer instructions, billing, tax, accounting, security, abuse prevention, legal compliance, dispute resolution, enforcement, audit, backups, and legitimate business needs.

Retention practices include:

  1. Customer Content. Customer Content may remain stored while an Account or Team is active, while Fees are owed, while retention settings apply, while legal or technical constraints exist, while a dispute or investigation is pending, or until deleted through the applicable deletion process.
  2. Archival storage. Standard archival storage may have a default 30-day retention period. Retention policies, object versioning, provider behavior, legal requirements, account disputes, nonpayment, security review, and technical constraints may delay deletion.
  3. Staging and operations files. Standard operations or staging storage may have a default 7-day retention period. Staging Files may be deleted sooner or later depending on operation status, Customer action, technical issues, support, billing, security, or legal requirements.
  4. Manual deletion requests. Deletion requests are reviewed and processed manually on a reasonable timeline. A "permanently deleted" status means the applicable deletion action has been completed for the relevant production storage object, but related records may remain.
  5. Logs and review records. Operation logs, billing logs, Transfer access logs, and deletion review events may be retained indefinitely for billing, tax, audit, legal, security, abuse prevention, dispute resolution, and Service operation purposes.
  6. Account and billing records. Account records, invoices, receipts, tax records, payment records, billing disputes, chargebacks, and collection records may be retained as long as needed for business, legal, accounting, tax, audit, and dispute purposes.
  7. Support records. Support messages, chat transcripts, attachments, and diagnostic records may be retained as long as needed to provide support, maintain business records, improve the Service, resolve disputes, and protect rights.
  8. Backups and residual copies. Backup, cache, replicated, residual, or archival copies may persist for a period after deletion from active systems and may not be immediately deleted unless required by law and technically feasible.

Deletion of Customer Content does not require deletion of logs, billing records, security records, support records, deletion-request records, legal records, aggregated or deidentified data, or other records Reliquary is permitted or required to retain.

11. Security

Reliquary uses administrative, technical, and organizational measures designed to protect personal data. These measures may include access controls, cloud infrastructure safeguards, credential protections, logging, rate limiting, security monitoring, and other controls appropriate to the nature of the Service.

No Internet or cloud service is perfectly secure. Reliquary cannot guarantee that personal data or Customer Content will be secure, uninterrupted, error-free, available, preserved, uncorrupted, or protected from all unauthorized access, disclosure, alteration, loss, or destruction.

Customers and users are responsible for Account security, strong passwords, MFA configuration if available, secure devices and browsers, email and OAuth account security, Team membership controls, recipient selection, Transfer passwords, public link handling, and independent backups.

Suspected vulnerabilities should be reported to help@myreliquary.com. Reliquary does not operate a formal bug bounty program unless separately announced in writing.

12. International Processing

Reliquary is operated from the United States and is intended for use in the United States. Personal data may be processed in the United States and by service providers in the United States or other countries where they operate. If you access the Service from outside the United States, you understand that your personal data may be transferred to and processed in the United States and other jurisdictions that may not provide the same level of data protection as your location, subject to rights that cannot be waived by law.

Reliquary does not intentionally target or localize the Service for jurisdictions outside the United States unless expressly agreed in writing. International data processing terms, data processing agreements, standard contractual clauses, or similar cross-border transfer mechanisms apply only if signed by Reliquary or required by applicable law.

13. Privacy Rights and Choices

Depending on where you live and the nature of the data, you may have rights to request access, correction, deletion, portability, restriction, objection, opt-out of certain processing, withdrawal of consent, or appeal of a rights decision. Reliquary will honor legally required rights.

To make a privacy request, contact:

ACM Concepts, LLC
Attn: Reliquary Privacy
56 Broad St STE 14227
Boston, MA 02109
(617) 683-1622
help@myreliquary.com

We may need to verify your identity and authority before responding. If you submit a request through an authorized agent, we may require proof of authorization and may ask you to verify your identity directly.

13.1 Customer-controlled content

If your personal data appears in Customer Content controlled by a Reliquary Customer, you should direct your request to that Customer. For example, if your data appears in files, metadata, descriptions, notes, or Transfers uploaded or created by an organization using Reliquary, that organization may be responsible for responding to your request. Reliquary may refer your request to the Customer or act on the Customer's instructions where appropriate.

13.2 Limits on requests

Privacy rights may be limited by applicable law, identity verification, Customer instructions, retention settings, billing records, tax obligations, legal obligations, security needs, abuse prevention, disputes, backups, logs, deletion-review records, and technical feasibility. Deleting an Account or file may not delete all records associated with billing, security, support, legal compliance, operations, or prior Transfers.

13.3 Marketing choices

You may opt out of marketing emails by using the unsubscribe link in the message or contacting us. You may still receive transactional or Service-related messages, including account, security, billing, support, legal, and operational notices.

13.4 Analytics and targeted advertising choices

Reliquary does not use Customer Content for targeted advertising. For public website analytics or advertising technologies, you may have rights to opt out of sale, sharing, or targeted advertising where applicable law treats those activities as sale, sharing, or targeted advertising. Reliquary will provide required opt-out mechanisms where legally required for the applicable activity.

14. U.S. State Privacy Disclosures

This section provides additional disclosures for U.S. state privacy laws where applicable. The categories of personal data we may collect are described in Section 3 and may include identifiers, commercial information, internet or electronic network activity, approximate geolocation, professional or employment-related information if provided by a Customer or organization, inferences from Service usage, and sensitive personal data only if you or a Customer submit it to the Service or if credentials or security information are considered sensitive under applicable law.

We collect these categories from the sources described in Section 4, use them for the purposes described in Section 5, disclose them as described in Section 8, and retain them as described in Section 10.

Reliquary does not knowingly sell personal data for money. Reliquary does not knowingly sell or share Customer Content for cross-context behavioral advertising. Analytics tools on public websites may involve disclosures of online identifiers or browsing data that some laws treat as sale, sharing, or targeted advertising. Where required, you may opt out through legally required mechanisms or by contacting us.

Reliquary does not knowingly collect personal data from children under 13 and does not knowingly sell or share personal data of minors.

15. Legal Bases Where Required

Where a legal basis is required, Reliquary may process personal data based on performance of a contract, legitimate interests, consent, compliance with legal obligations, protection of rights and safety, or other legal bases recognized by applicable law. Examples of legitimate interests include providing and securing the Service, billing, preventing abuse, supporting users, improving reliability, enforcing Terms, and protecting rights.

16. Automated Decision-Making

Reliquary may use automated systems for security, rate limiting, fraud prevention, billing calculations, upload processing, validation, verification, extraction, preview generation, cost estimation, and operational workflows. Reliquary does not intentionally use personal data to make automated decisions that produce legal or similarly significant effects about individuals, unless disclosed separately or required to provide the Service.

17. Regulated or Sensitive Data

Reliquary is not intended for protected health information, payment card data, student education records, children's data, classified information, controlled unclassified information, export-controlled or ITAR-controlled technical data, sanctions-restricted data, highly sensitive biometric or genetic data, or other regulated or high-risk data unless Reliquary expressly agrees in a separate written agreement. Customers are responsible for not submitting regulated or sensitive content unless appropriate agreements and safeguards are in place.

18. Third-Party Links and Services

The Service may contain links to third-party websites, integrations, login services, payment pages, support tools, or public resources. Third-party privacy practices are governed by their own policies. Reliquary is not responsible for third-party privacy, security, or content practices except as required by law or a separate written agreement.

19. Changes to This Privacy Policy

Reliquary may update this Privacy Policy from time to time. The updated policy will be posted with a new effective date. Reliquary may also provide notice by email, in-app notice, website notice, or other reasonable means where appropriate. Continued use of the Service after an updated Privacy Policy becomes effective means you acknowledge the updated Policy.

20. Contact

Questions or requests about this Privacy Policy may be directed to:

ACM Concepts, LLC
Attn: Reliquary Privacy
56 Broad St STE 14227
Boston, MA 02109
(617) 683-1622
help@myreliquary.com