SecureVault
Back to home

Privacy Policy

Last updated: February 2026

1. Introduction

Secure Vault ("we," "our," or "the App") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our password manager application.

2. Information We Collect

Account Information

  • Email address (for account creation, verification, and recovery)
  • Password hint (optional, stored on server for reminder emails)

Vault Data (Encrypted)

  • Passwords and login credentials
  • TOTP authenticator secrets
  • Secure notes
  • Bank account information
  • Credit/debit card details
  • WiFi passwords, Server credentials, API keys

Device Information

  • Device type, model, and OS version
  • App version
  • Unique device identifier (for session management)

3. Permissions We Request

Biometric Authentication

  • Face ID / Touch ID / Fingerprint access
  • Used only for local authentication
  • Biometric data never leaves your device

Camera Access

  • Used to scan QR codes for adding TOTP authenticator entries
  • Camera data is processed locally and never transmitted

Internet Access

  • Required for account authentication
  • Cloud synchronization of encrypted data
  • Email verification and password hint delivery
  • Password breach detection via Have I Been Pwned (k-Anonymity)

Storage & Clipboard

  • Local storage for encrypted vault data
  • Import/export of vault backups (JSON, CSV, PDF)
  • Password-protected PDF export for secure offline backups
  • Copy passwords and TOTP codes (clipboard auto-cleared)

4. How We Protect Your Data

Encryption

  • All vault data encrypted using AES-256-CBC with HMAC-SHA256 integrity verification
  • Keys derived using PBKDF2 (600,000 iterations) and HKDF stretching
  • Encryption occurs locally before any cloud sync
  • Your master password is never stored or transmitted to the server

Zero-Knowledge Architecture

  • We cannot access or decrypt your vault data
  • Only you hold the keys to your encrypted information
  • Server only stores a double-hashed auth hash for verification

5. How We Use Your Information

We use your information to:

  • Create and manage your account
  • Provide secure password storage services
  • Synchronize encrypted data across sessions
  • Send important security notifications
  • Enforce single-device login policy

6. Third-Party Services

Firebase (Google)

  • Custom token authentication
  • Cloud Firestore for encrypted data storage
  • Subject to Google's Privacy Policy

Have I Been Pwned

  • Password breach detection using k-Anonymity API
  • Only the first 5 characters of a SHA-1 hash prefix are sent — your actual password is never revealed

Resend

  • Transactional email delivery for verification and password hints
  • Subject to Resend's Privacy Policy

7. Data Sharing

We do NOT:

  • Sell your personal information
  • Share your data with advertisers
  • Access your encrypted vault contents
  • Use your data for marketing purposes

8. Your Rights

You have the right to:

  • Access your personal information
  • Update or correct your account details
  • Export your vault data
  • Delete your account and all associated data

9. Data Retention

  • Account data is retained while your account is active
  • Encrypted vault data is retained until you delete it
  • Upon account deletion, all associated data is removed

10. Children's Privacy

Secure Vault is not intended for children under 13 years of age. We do not knowingly collect personal information from children.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at: securevault-support@imshyam.in