Privacy Policy

Last updated: January 2025

The Short Version

We can't read your data. We don't want to. Your vault is encrypted on your device before it ever reaches our servers, and only someone with your passphrase can decrypt it.

What We Collect

Your encrypted vault data: When you create a vault, we store the encrypted contents on our servers. This data is encrypted using your passphrase before it leaves your browser. We cannot read, access, or decrypt this information.

Technical information: Like most websites, our servers may log basic technical information such as IP addresses and request timestamps for security and debugging purposes. We do not use this information to track or identify you.

What we don't collect: We don't collect names, emails, phone numbers, or any other personal information. There are no accounts, no profiles, no tracking cookies, and no analytics that follow you around the web.

How Your Data is Protected

Your vault is encrypted using XChaCha20-Poly1305 authenticated encryption with a key derived from your passphrase using Argon2id (a memory-hard key derivation function). The encryption happens entirely in your browser — we never see your passphrase, and we never see your unencrypted data.

This means that if you lose your passphrase, we cannot help you recover your data. There is no "forgot password" option because we genuinely cannot access your information.

Rate Limiting

To protect the service and prevent abuse, we implement rate limiting on API requests. This means we temporarily track request counts by IP address, but this data is not stored long-term or used for any other purpose.

Data Retention

Your encrypted vault remains on our servers until you delete it. We may remove vaults that have not been accessed for an extended period (typically more than 2 years) to manage storage costs, but we will make reasonable efforts to notify users before doing so if we implement such a policy.

Third Parties

We do not sell, rent, or share your data with third parties. Your encrypted vault data is stored on secure servers, but since it's encrypted, even our hosting providers cannot read its contents.

Your Rights

You can delete your vault at any time. When you delete your vault, all associated encrypted data is permanently removed from our servers.

Changes to This Policy

If we make significant changes to this privacy policy, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

Contact

If you have questions about this privacy policy or how we handle your data, please reach out to us at whensomethinghappens@proton.me.