DIFFRACT
Docs ↗
// app privacy policy

APP PRIVACY POLICY

GDPR Privacy Policy · Desktop Application · Last updated: June 2026

_01 · Controller

The controller responsible for data processing described in this policy (Art. 4(7) GDPR) is:

SmallSoftLoaf Software - Kevin Jung
Walkmühlenstraße 28
71397 Leutenbach, Germany
USt.ID: DE462096083

Email: [email protected]

_02 · Data Overview

Diffract is a desktop application that runs entirely on your local device. It does not transmit your files, diff results, or usage data to any server controlled by the developer. On startup, Diffract makes one outbound HTTPS request to check whether a newer version is available (see _05). This check can be disabled in Settings. Additionally, the optional Remote File Comparison feature connects to a remote host that you specify in order to fetch a file for comparison (see _12).

CategoryWhere storedTransmitted?
App settingsWindows Registry / macOS plistNo
License keyWindows Registry / macOS plistNo
Window geometryWindows Registry / macOS plistNo
Trial start timestampWindows Registry / macOS plist + app config directoryNo
Files you compareYour local filesystem onlyNo
Version check requestNot stored — one GET on startupIP address only (see _05)
Remote files you fetch (optional feature)Held in memory onlyOnly the host you specify (see _12)
Remote credentials (optional feature)In memory for the session, or — only if you choose “This device” — in the OS keychain; never in plain text (see _12)Only the host you specify (see _12)

_03 · Local Application Data

When you use Diffract, the following data is stored locally on your device using the operating system's standard preference storage (Windows Registry under HKCU\Software\diffract / macOS NSUserDefaults):

  • App preferences: theme, UI language, diff algorithm, syntax highlighting, minimap toggle, and similar display settings.
  • License key: your activation key, used to verify your license on subsequent launches. The key is validated entirely offline and never sent to any server.
  • Window geometry: size and position, to restore your layout between sessions.
  • Trial start timestamp: a cryptographically signed record of when the evaluation period was first activated, used solely to enforce the 7-day trial limit. This data does not leave your device.

Legal basis: Art. 6(1)(b) GDPR — processing necessary to perform the contract (providing a functioning application).

How to delete local data:
  • Windows: Delete the registry key HKCU\Software\diffract (run reg delete HKCU\Software\diffract /f in a command prompt) and delete the Diffract folder inside %APPDATA%.
  • macOS: Run defaults delete com.diffract.app in Terminal, and delete the diffract folder inside ~/Library/Application Support/ if present.
  • Linux: Delete ~/.config/diffract/ and ~/.local/share/diffract/ (or the equivalent XDG directories).

Uninstalling the application may not automatically remove these preferences depending on your operating system. If you have questions about how deletion interacts with your license, contact [email protected].

_04 · License Key Validation

Diffract uses an offline license validation system. Your license key encodes a cryptographic signature (Ed25519) that is verified locally against a public key embedded in the application. No network request is made during activation or validation. The developer never receives information about when or how often you activate the software.

_05 · Update Checks

On startup, Diffract sends a single HTTPS GET request to https://releases.getdiffract.com/latest.json to check whether a newer version is available. If a newer version is found, the app also fetches the associated changelog from the same domain.

  • Data sent: None beyond what is implicit in any HTTPS request (your IP address and standard HTTP headers). No personal identifiers, license keys, file contents, or usage data are included.
  • Data received: A JSON document containing the latest version number, changelog URL, and download links. No cookies are set.
  • Infrastructure:The endpoint is served via Cloudflare R2. Your IP address may appear in Cloudflare's standard access logs, subject to Cloudflare's Privacy Policy.
  • Legal basis: Art. 6(1)(f) GDPR — legitimate interest in keeping users informed of security fixes and improvements.
  • Opt-out: You can disable automatic update checks at any time via Settings → “Check for updates automatically”. When disabled, no network request is made on startup.

_06 · Payment Processing (Paddle)

Purchases are made through the Diffract website, not within the desktop application. Payment processing is handled by Paddle.com Market Limited("Paddle"), acting as Merchant of Record. Please refer to the website privacy policy and Paddle's Privacy Policy for details on how your purchase data is processed.

_07 · Recipients of Data

Apart from Paddle (see _06), the developer does not share your personal data with third parties. No advertising networks, telemetry services, or analytics SDKs are integrated into the Diffract desktop application.

_08 · Data Retention (Art. 13(2)(a) GDPR)

  • Local preferences: stored on your device indefinitely until you delete them (see _03). The developer has no access to or copy of this data.
  • Purchase records: retained for the period required by German tax law (§ 147 AO) — currently 10 years from the end of the fiscal year in which the transaction occurred.

_09 · Your Rights (Art. 15–21 GDPR)

As a data subject under the GDPR, you have the following rights:

  • Art. 15 - Right of access: Request confirmation of whether and what personal data the developer holds about you.
  • Art. 16 - Right to rectification: Request correction of inaccurate data.
  • Art. 17 - Right to erasure: Request deletion of your data where the legal basis no longer applies.
  • Art. 18 - Right to restriction: Request that processing be restricted in certain circumstances.
  • Art. 20 - Right to data portability: Receive your data in a structured, machine-readable format where processing is based on contract or consent.
  • Art. 21 - Right to object: Object at any time to processing based on Art. 6(1)(f).

To exercise any of these rights, contact: [email protected].

_10 · Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for the operator (resident in Baden-Württemberg) is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20
70173 Stuttgart, Germany

Web: www.baden-wuerttemberg.datenschutz.de

_11 · Security

All data stored locally uses the security mechanisms provided by the operating system (Windows DPAPI / macOS Keychain at the OS level for Registry/plist data). The network activity initiated by the application is limited to the optional version-check request described in _05 and the optional Remote File Comparison feature described in _12; neither transmits personal data to the developer. License keys are validated using Ed25519 public-key cryptography entirely offline.

_12 · Remote File Comparison (Optional Feature)

Diffract includes an optional Remote File Comparison feature (a Pro feature) that fetches a file (or lists a directory) from a location you specify — an http:// / https:// URL, an ssh:// / scp:// path (SSH/SFTP), a cloud object-storage path (s3:// Amazon S3 and S3-compatible services, az:// Azure Blob Storage, gs:// Google Cloud Storage), or an ftp:// / ftps:// path — so it can be compared like a local file.

  • When connections happen: only when you enter a remote URL or SSH path and trigger a fetch (or refresh). Diffract does not connect to any remote host for this feature otherwise.
  • Who you connect to:only the host in the URL, SSH path, or cloud endpoint you provide (for cloud storage, the provider's API endpoint — e.g. Amazon S3, Azure, or Google Cloud — or a custom S3-compatible endpoint you set). Requests are not routed through, and no data is sent to, the developer or any third party.
  • What is sent: the request to that host, including any authentication you configure for it (an HTTP header, an SSH password/key, cloud credentials, or an FTP username/password). Your local files are not uploaded.
  • Credentials: any credentials you enter (bearer token, basic username/password, API-key header, SSH password/private key, cloud credentials such as AWS access keys, an Azure shared key or SAS token, or a GCS bearer token, or an FTP username/password) are used solely to authenticate that connection. By default they are held in memory only and discarded when you quit Diffract. If you explicitly choose “This device”, the credential is instead stored in your operating system's encrypted credential store (Windows Credential Manager / macOS Keychain / Linux secret service) so it persists across restarts; it is never written to disk in plain text or to ordinary settings, and you can remove it at any time under Settings → Remote Sources.
  • Fetched content: held in memory for the comparison and not persisted by Diffract unless you explicitly save it.
  • Transport security: the encrypted transports (https://, ssh:///SFTP, the cloud providers' HTTPS APIs, and ftps://) protect your credentials and data in transit; plain ftp:// is unencrypted, so the username, password, and file contents travel in clear text — use it only on trusted networks. For https:// you may optionally set a per-host trust rule (pin a certificate, trust a custom CA file, or — at your own risk — allow a self-signed certificate), managed under Settings → Remote Sources. SSH host keys are verified on first use and checked against your ~/.ssh/known_hosts; a changed host key aborts the connection.

Legal basis: Art. 6(1)(b) GDPR — processing necessary to provide the feature you requested. The remote host you connect to is an independent third party whose handling of your request is governed by its own terms and privacy policy.

_13 · Children

Diffract is a professional software development tool not directed at children. The developer does not knowingly collect personal data from persons under the age of 16.

_14 · Changes to This Policy

Material changes to this privacy policy will be announced via the Diffract website or release notes. The “Last updated” date at the top of this document reflects the most recent revision. Continued use of Diffract after a change is published constitutes acceptance of the updated policy.

// This privacy policy applies to the Diffract desktop application and was last updated June 2026. For the website privacy policy, see /privacy.
© 2026 Diffract
vs Beyond Comparevs WinMergevs Meld
DocsPress KitLegal NoticePrivacy PolicyTerms of Service