Cloud Transfer Privacy
How your data stays private during a Cloud Transfer between devices.
What is Cloud Transfer?
Cloud Transfer lets you move your Solum account and data from one device to another — even across ecosystems (e.g. iPhone to Android). It uses an encrypted relay to temporarily hold your data while you set up your new device.
This is not cloud storage. Your data passes through our server only once, encrypted, and is deleted immediately after.
How it works
- Encryption on your device — Your data is encrypted using AES-256-GCM with a key derived from your account secret. The encryption happens entirely on your device before anything is uploaded.
- Temporary upload — The encrypted blob is uploaded to our server (Cloudflare R2). It is opaque — we cannot decrypt or read it.
- QR code transfer — A QR code is generated containing your account credentials and a reference to the encrypted blob. You scan this on your new device.
- Download and decrypt — Your new device downloads the encrypted blob, decrypts it locally using your account secret, and imports the data.
- Immediate deletion — The encrypted blob is deleted from our server immediately after download. If not downloaded, it is automatically deleted after 24 hours.
What our server sees
When you use Cloud Transfer, our server stores:
- An encrypted blob it cannot decrypt (AES-256-GCM with a key only your devices know)
- A random blob ID used to retrieve it
- A timestamp for the 24-hour expiry
Camera access
Your new device needs one-time camera access to scan the QR code shown on your old device. The camera is used only during the transfer — no images are stored, and the camera is never accessed outside this flow. You can revoke camera permission at any time in your device's Settings.
What our server does NOT have access to
- Your vials, doses, schedules, observations, or any health data
- Your encryption key or account secret
- Your name, email, or any personal information
- Any data after the transfer is complete (it is deleted)
Local Transfer vs Cloud Transfer
| Local Transfer | Cloud Transfer | |
|---|---|---|
| Data leaves your device? | No — file shared directly | Temporarily — encrypted on server |
| End-to-end encrypted? | N/A — data never leaves | Yes — AES-256-GCM |
| Server can read data? | No | No — only encrypted blob |
| Auto-deleted? | N/A | Yes — after download or 24h |
| Works cross-platform? | Via file sharing | Yes — seamless QR scan |
| Requires internet? | No | Yes — for upload/download |
Technical details
- Encryption: AES-256-GCM via the Web Crypto API
- Key derivation: SHA-256 hash of your 256-bit account secret
- Nonce: 96-bit random, unique per encryption
- Storage: Cloudflare R2 with lifecycle rules for automatic 24-hour deletion
- Maximum size: 5 MB per transfer (more than sufficient for typical usage data)
Questions? Contact us at hello@getsolum.app.
See also: Privacy Policy · Terms of Use