Legal

Privacy Policy

Last updated: January 1, 2025

At SecureVault, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our password management platform. Please read this policy carefully. If you disagree with its terms, please discontinue use of the platform.

1. Information We Collect

We collect information in the following ways:

  • Account Information: When you register, we collect your name, email address, and a securely hashed password.
  • Credential Data: Passwords, TOTP secrets, and other vault items you store are encrypted client-side using AES-256 before being transmitted and stored. We cannot read this data.
  • Usage Data: We log access events, login attempts, and administrative actions for security and audit purposes.
  • Technical Data: IP addresses, browser type, and device information may be collected for security monitoring and fraud prevention.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the SecureVault platform
  • Authenticate users and enforce access control policies
  • Detect, prevent, and investigate security incidents and fraudulent activity
  • Send critical security notifications and service announcements
  • Comply with legal obligations and regulatory requirements
  • Improve the platform based on aggregate, anonymized usage patterns

3. Zero-Knowledge Architecture

SecureVault is designed on a zero-knowledge principle. Your vault data (passwords, TOTP secrets, notes) is encrypted using AES-256 before it ever leaves your browser. The encryption keys are derived from your master password and are never transmitted to or stored on our servers. This means:

  • We cannot see, read, or decrypt your stored credentials
  • In the event of a server breach, your credentials remain protected
  • We cannot recover your data if you lose your master password

4. Data Storage & Security

Your data is stored on servers with the following protections in place:

  • AES-256 encryption for all vault data at rest
  • TLS 1.3 encryption for all data in transit
  • Regular automated backups with encrypted storage
  • Access restricted to authorized personnel only under strict need-to-know policies
  • Security event logging and anomaly detection

5. Information Sharing & Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties. We may share information only in these limited circumstances:

  • Service Providers: Trusted vendors who assist in operating our infrastructure (hosting, email delivery) under strict confidentiality agreements
  • Legal Compliance: When required by applicable law, court order, or governmental regulation
  • Security Incidents: To protect the rights, property, or safety of our users or the public
  • Business Transfer: In connection with a merger or acquisition, with prior notice to affected users

6. Data Retention

We retain your account data for as long as your account is active. You may delete your account at any time through the dashboard settings, which will permanently delete all associated data within 30 days. Anonymized audit logs may be retained for up to 90 days for security purposes.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your personal data ("right to be forgotten")
  • Export your vault data in a portable format
  • Object to or restrict certain types of data processing
  • Withdraw consent where processing is based on consent

To exercise any of these rights, please contact us via the contact form.

8. Cookies & Tracking

We use strictly necessary cookies for:

  • Session Management: To maintain your authenticated session securely (HttpOnly, Secure flags enabled)
  • Language Preference: To remember your selected interface language
  • CSRF Protection: Anti-forgery tokens to protect against cross-site request forgery attacks

We do not use advertising cookies, third-party tracking, or analytics cookies that identify individual users.

9. Children's Privacy

SecureVault is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately so we can delete it.

10. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify registered users via email and update the "Last updated" date at the top of this page. Continued use of the platform after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please reach out:

Back to Home Terms of Use →