Vaultove

Private vault

Log inStart free

Legal

Privacy Policy

Vaultove follows a zero-knowledge model. Your master password and plaintext secrets never reach our servers — encryption and decryption happen entirely on your device.

Version: PP-1.0Effective: February 14, 2026Updated: February 14, 2026

Zero-knowledge model

Vaultove is designed so that your master password and vault contents remain entirely on your device. Encryption and decryption happen locally using AES-256-GCM with a key derived from your master password via Argon2id. Your master password is never transmitted to our servers.

What this means in practice: even if our infrastructure were compromised, an attacker would obtain only encrypted ciphertext blobs that are computationally infeasible to decrypt without your master password. We structurally cannot read your secrets.

Information collected

Account data: Your email address, hashed login credentials managed by our authentication provider, and account metadata such as creation date and plan tier.

Encrypted vault data: Ciphertext blobs, IVs, and authentication tags that represent your encrypted vault. We store these to enable sync across your devices. We cannot read the contents.

Operational data: Standard server access logs including IP addresses, timestamps, HTTP method and status codes, and user-agent strings. These are used for security monitoring and abuse prevention and are not used for advertising.

What we do not collect: Your master password, plaintext secrets, folder names, or any information about vault contents. Recovery keys are stored in encrypted form — we hold ciphertext only, never the key itself.

How we use your data

We use your email address to authenticate your account, send transactional messages (password reset links, plan receipts, security notices), and — if you consent — occasional product update announcements.

Encrypted vault data is used solely to sync your vault to your devices. We do not analyze, index, or share vault ciphertext with any third party beyond the storage infrastructure listed in the subprocessors section.

Operational logs are used for uptime monitoring, abuse prevention, and incident investigation. Logs are not used for advertising or sold to third parties.

Data retention and deletion

Account metadata and encrypted vault data are retained while your account is active. If you delete your account, we will delete your email, authentication credentials, and all associated vault ciphertext within 30 days, except where retention is required by law or for legitimate security purposes such as active fraud investigation logs.

Operational logs are retained for up to 90 days for security and abuse monitoring purposes, after which they are purged or anonymized.

To request account deletion, email privacy@vaultove.com from your registered address. We will confirm deletion within 30 days.

Subprocessors

We use a small number of third-party infrastructure providers to deliver the service. These providers act as data processors under our instructions and are contractually bound to appropriate data protection standards.

  • Authentication and database: Supabase — handles auth tokens, user records, and encrypted vault storage.
  • Hosting and CDN: Vercel — application hosting and edge delivery.
  • Payments: Stripe — billing data for paid plans. Payment data is handled and stored by Stripe, not Vaultove.

A formal Data Processing Agreement (DPA) is available upon request at privacy@vaultove.com.

Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about your account.
  • Rectification: Correct inaccurate account information.
  • Erasure: Request deletion of your account and all associated data.
  • Portability: Export your encrypted vault data at any time from within the app settings.
  • Objection: Object to processing of your data for purposes beyond service delivery.

To exercise any of these rights, contact privacy@vaultove.com. We aim to respond within 30 days.

Cookies and tracking

Vaultove uses only functional cookies required for authentication (session tokens) and security (CSRF protection). We do not use advertising cookies, third-party tracking scripts, or analytics that profile individual users.

Session cookies expire when you log out or after the auto-lock period elapses. No persistent advertising identifiers are set.

Changes to this policy

We may update this policy as our services evolve. Material changes that affect how we handle personal data will be communicated via email to registered users and reflected by a new version ID and effective date at the top of this page.

Continued use of Vaultove after the effective date of an updated policy constitutes acceptance of the updated terms.

Version history

  • PP-1.0 — February 14, 2026: Initial commercial release.

Contact

For privacy-related inquiries, data access requests, or to report a concern:

privacy@vaultove.com

We aim to acknowledge all privacy requests within 5 business days and resolve them within 30 days.