Legal

Transparency Report

Published annually · Fern & Echo

Our commitment: We publish this report annually to be transparent about government and legal requests for user data. Given our zero-knowledge architecture, there is a hard limit to what we can provide even when legally compelled.

What We Can and Cannot Provide

Fern & Echo uses client-side AES-256-GCM encryption. Vault contents are encrypted in your browser before reaching our servers. We hold ciphertext we cannot read — this is not a policy, it is an architectural fact.

We can provide: account metadata (email, creation date, last login), audit log actions (no content), share relationship records, failed login IP addresses.

We cannot provide: vault contents, plaintext versions of any encrypted field, or encryption keys — with one exception: during an active Level 2 continuity release, a vault key is temporarily held on our servers. A valid legal request received during that window could compel us to produce it. Once the window closes and the key is deleted, nothing remains to produce.

All legal requests must be directed to legal@fernecho.app.

2026 Report

Request Type	Received	Complied With	Notes
Subpoenas	0	0	—
Court Orders	0	0	—
Search Warrants	0	0	—
National Security Letters	0	0	—
GDPR / CCPA Requests	0	0	—

This report covers January 1 – December 31, 2026. Updated automatically as requests are processed.

Contact

Legal requests: legal@fernecho.app

Privacy questions: privacy@fernecho.app