Privacy Policy

Last updated: April 5, 2026

Overview

This Privacy Policy explains how Mefi's Asset Bridge (the "Service") collects, uses, stores and protects personal data. The Service is provided and operated by the responsible officer in Castellón de la Plana, Spain. Furthermore, "Client-side" is considered everything hosted and used by the final user, including user's server, user's computer and so on. This website will be referred to as "Website" and the company providing the Service will be referred to as "we", "us" or "our". By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.

Data we collect

We collect only the minimal data necessary to provide and secure the Service. This includes:

  • Account data: name and email address to create and manage accounts and provide support.
  • Site data: domain from which the Service is accessed.
  • Technical & security data: IP addresses, user agent strings, and YOOtheme PRO/CMS version for security, debugging and compatibility purposes.
  • Asset metadata: asset name, asset id, category name, and time of modification are kept to enable management, filtering and searching.

What we do NOT collect

We do not collect personal information beyond what is listed above. We do not track user behavior or use analytics tools. Passwords are never stored in plaintext and are securely hashed. All sensitive content (assets/thumbnails) is encrypted by your system before it reaches our servers.

Client-side encryption

All asset data (including images) is encrypted Client-side by the component before it is submitted to our server. Encryption is performed on the Client-side by the component using AES-256-GCM where available and AES-256-CBC as a fallback. You control the master key used for encryption; we do not store or retain your master key and therefore cannot decrypt your asset data if you lose the key.

Important: Encryption and decryption occur locally within your site/component. The master key is never transmitted to our servers. Because we do not have access to your master key, we cannot provide decrypted copies of your asset data. If you request an export of your data (for example upon account termination), we can only deliver the raw encrypted files; we cannot decode them outside the normal application workflow without the master key. In short, encrypted assets are unreadable to us and to anyone who does not possess your master key.

Where is your data stored?

We use a third-party hosting provider to store and serve your data. Big data, such as assets, thumbnails are stored in AWS S3, for as long as your subscription is active. Data passed along to these centers is encrypted Client-side by your master key, and can't be decrypted without it.

How we use your data

  • To provide the Service and maintain your account.
  • To secure the Service, detect and prevent abuse, fraud or other malicious activity.
  • To respond to support requests and troubleshoot issues you report.
  • To comply with legal obligations and enforce our Terms of Service.

Legal basis (EU/EEA)

If you are in the EU/EEA, we process personal data necessary to perform the contract with you (providing the Service), and where necessary for our legitimate interests (security, fraud prevention, service improvement), except where such interests are overridden by your rights under applicable law.

Data retention and deletion

Your account and associated data are retained while your account is active. If your account is terminated or canceled, the data will be made inaccessible immediately. We will permanently delete data from active systems within 30 days, except where we are required to retain data to comply with legal obligations or to resolve disputes. Because asset data is encrypted with your master key, if you lose the key we cannot recover that data. If you have been a paying customer, we will keep records of your subscription and payment history for accounting and legal purposes.

Third-party services

We do not sell your personal data. We may share personal data with subprocessors and third-party service providers that help us operate the Service (hosting, storage, payments). Those providers process data under our instructions and are required to protect it. We use 3 third party services:

  • Hosting: to host platform, database, API.
    Platform and database is currently hosted on Hostgator.
    Your name, email, access logs, asset meta data and other technical data are stored on our hosting provider.
    Refer to their privacy policy for details: https://www.hostgator.com/help/article/general-data-protection-regulation
  • Storage: AWS S3 is used to store your assets and thumbnails (encrypted).
    AWS S3 processes encrypted asset data and may receive technical information such as IP address and user agent as part of standard network requests. No unencrypted asset content or direct personal identifiers are stored in S3.
    Refer to their privacy policy here: https://aws.amazon.com/privacy/
  • Payments: Paddle, Merchant of Record for processing payments.
    When you decide to purchase a subscription, we will generate a unique identifier which will be sent to Paddle, along with the information you provide yourself (name, email, address, payment details). Paddle acts as the Merchant of Record and is responsible for billing, payment processing, refunds, and handling payment-related customer data.
    Refer to their privacy policy here: https://paddle.com/privacy/

Cookies and tracking

The Service uses only necessary cookies to track signed-in/signed-out status and it is part of your Joomla! website. Website uses cookies and sessions to let you authenticate and manage your subscription plans. Any cookie generated by Paddle is subject to their privacy policy.

Your rights

Depending on where you live, you may have rights to access, correct, export, restrict or delete your personal data, and to object to or restrict certain processing. To exercise your rights, contact us at yootheme@ugoran.com. We will respond to requests in accordance with applicable law.

Data transfers

We may process and store personal data in countries other than the country in which you reside. This includes transfers of data outside the European Economic Area (EEA).

Your personal data may be transferred to and processed by service providers located in various jurisdictions, including but not limited to:

  • European Union, Spain, where our company is established
  • The United States, where hosting may operate (HostGator)
  • Ireland and the United Kingdom, where certain service providers (such as Paddle) are located
  • European Union, Stockholm, where our storage provider (AWS) has data centers

When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws, including the use of Standard Contractual Clauses approved by the European Commission, and/or other legally recognized transfer mechanisms. We also implement additional technical and organizational measures where appropriate to protect personal data during such transfers.

By using the Service, you acknowledge that your personal data may be transferred to and processed in jurisdictions that may have different data protection standards than those in your country of residence.

Security

We implement reasonable administrative, technical and physical safeguards to protect personal data. Because your asset data is encrypted Client-side prior to transmission, we do not have the ability to read encrypted asset content without your master key. However, no system is perfectly secure; we cannot guarantee absolute security.

Children

The Service is not intended for children under the applicable local minimum age. If we learn that we have collected personal data of a child in a manner inconsistent with applicable law, we will take steps to delete that information.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and notify users as appropriate (for example via the app or email).

Contact

Support: yootheme@ugoran.com
Responsible officer: Goran Usljebrka
Address: Castellón de la Plana, Spain
Registered private entity (autonomo).

By using Mefi's Asset Bridge you agree to the terms of this Privacy Policy.

© 2026 Mefi's Asset Bridge. All rights reserved.

Terms of Service | Privacy Policy