VaultKeepR
English·Français

Privacy Policy

Last updated: March 2025

1. Overview

VaultKeepR is built so that your vault secrets are encrypted on your device. This policy explains what categories of information may be processed when you use the website, browser extension, mobile apps where available, and our hosted APIs—including newer features such as optional IPFS sync, wallet-linked registry entries, email aliases, fragmented recovery helpers, premium billing, and signed delegations.

2. Data we do not access

We do not have access to:

  • Your master password or other secrets you use to encrypt the vault locally.
  • Your wallet private keys or seed phrase.
  • The plaintext contents of your vault (passwords, notes, identities, TOTP secrets, etc.).

Decryption for normal use is intended to occur on your device (browser, extension, or app). Encrypted blobs you upload to decentralised storage remain unintelligible to us without your keys and passphrase.

3. Categories of data we may process

Depending on the features you enable, we or our infrastructure providers may process:

  • Public wallet address: used to authenticate signed requests, associate your account with optional cloud-side helpers (e.g. latest vault CID), or provide alias management. It is not a secret but can be personal data in some jurisdictions.
  • Signatures and signed messages: used to verify that a request comes from the holder of an address (e.g. updates to a CID pointer, alias operations, time-limited autosave delegation). We process them to validate intent, not to derive private keys.
  • Vault sync metadata: if you use sync, we may store a mapping from your wallet address to the latest content identifier (CID) you published, and timestamps. The underlying vault file on IPFS (or similar) should remain encrypted; the CID itself may be discoverable on public networks.
  • Fragmented recovery metadata: if you use fragmented backup flows, we may store manifests keyed by a cryptographic hash of recovery material you hold (e.g. lookup id hash), including references (CIDs) to encrypted shards. This is designed so operators cannot reconstruct your vault without your recovery information.
  • Email alias service: if you create forwarding aliases, we process the alias addresses, your real destination inbox you provide for forwarding, optional labels (e.g. site name), and wallet linkage in our database so mail can be routed. This is personal data and is more extensive than vault- only use.
  • Premium / payments: if you subscribe via Stripe (or similar), the processor handles payment details, billing email, subscription status, and tax where applicable. We receive limited billing and customer identifiers from the processor as needed to provide premium features.
  • Support and communications: information you send us when you contact support or report issues.
  • Technical and security logs: server logs, IP addresses, user agent strings, error reports, rate limits, and abuse detection signals on our infrastructure. These are used to operate and protect the Service and are not intended to contain vault plaintext.
  • Local storage on your device: the extension or app may persist settings, encrypted vault copies, session state, or delegation tokens locally in your browser or device storage—under your control and subject to platform policies.

4. Browser extension and autofill

The extension may access web pages you visit to detect login fields, show overlays or prompts, and fill credentials when you choose. It does not send your vault password to us by design; processing happens locally unless you explicitly trigger a network feature (e.g. sync, alias creation, checkout).

5. Decentralised storage (IPFS) and public networks

Content uploaded to IPFS or similar systems may be replicated across nodes and referenced by CIDs. Even when encrypted, metadata (timing, size, CID relationships) may be observable. You choose whether to use these features and should assess residual risks (e.g. future cryptanalysis, misconfiguration exposing keys).

6. Purposes and legal bases (EEA / UK)

Where GDPR applies, we rely on appropriate bases such as: performance of a contract (providing the Service you request); legitimate interests (security, abuse prevention, product improvement, analytics that do not override your rights); and consent where required (e.g. certain cookies or marketing, if offered). Payment processing is necessary to perform premium subscriptions.

7. Retention

We retain information only as long as needed for the purposes above, legal obligations, dispute resolution, and enforcement of agreements. Technical logs may be rolled on a short cycle. Wallet-linked registry data persists until you delete or overwrite it via the product flows. Alias and billing records may be retained longer where required for legal or accounting reasons.

8. Sharing and processors

We use subprocessors (hosting, database, email delivery, payment, blockchain RPC, IPFS infrastructure, error monitoring) who process data on our instructions. We do not sell your personal data. We may disclose information if required by law or to protect rights, safety, and integrity of the Service.

9. International transfers

Our providers may process data in countries outside your own, including outside the EEA. Where required, we use appropriate safeguards (e.g. Standard Contractual Clauses) in agreements with processors.

10. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, or port certain personal data, and to object to certain processing. You may withdraw consent where processing is consent- based. To exercise rights, contact us using the channels on the website or app. You may also lodge a complaint with a supervisory authority.

11. Children

The Service is not directed at children under the age where parental consent is required for data processing in your region. We do not knowingly collect personal data from such children.

12. Changes

We may update this Privacy Policy. The "Last updated" date will change. For material changes, we will provide notice as appropriate. Continued use after the effective date constitutes acceptance unless applicable law requires otherwise.

13. Contact

For privacy-related requests or questions, contact us through the channels indicated on the main website or in the application.

Terms of ServiceDocumentationSecurity← Back to home