Our Privacy Commitment — The Sealed Vault was built on a foundation of zero-knowledge privacy. All vault contents are encrypted entirely in your browser before reaching our servers. We cannot read your documents, messages or files. Nobody can — not even us.
Privacy Policy · The Sealed Vault LLC · Version 3.0
AES-256-GCM · ZERO-KNOWLEDGE · CLIENT-SIDE ONLY
1. Information We Collect
1.1 Information You Provide Directly
When you create an account and use the Service, we collect:
- Email address — used for authentication, notifications and communications
- Encrypted vault data — the ciphertext of your vault contents (we cannot decrypt this)
- Vault metadata — vault names, unlock dates, creation timestamps (not encrypted)
- File metadata — file names, sizes and MIME types of attachments (not encrypted)
- Emergency override data — SHA-256 hash of your secret answer (not the answer itself)
- Invitation records — email addresses of people you invite to the Service
1.2 Information Collected Automatically
- Log data — IP address, browser type, pages visited and access timestamps
- Device information — operating system and browser version
- Usage data — features used, vault creation and access events
- Firebase Analytics data — aggregated, anonymised usage patterns
1.3 What We Do NOT Collect
We are committed to data minimisation. The following data is never collected:
- Your vault passphrase — it never leaves your device
- The plaintext contents of your vaults — we store only encrypted ciphertext
- Your emergency question answer — only its SHA-256 hash is stored
- Payment card details — handled directly by Stripe when payments are introduced
- Sensitive personal data beyond what you choose to encrypt in your vaults
2. How We Use Your Information
- Providing and operating the Service — authentication, vault storage, access control
- Sending email notifications — vault access alerts, emergency override alerts, invitations
- Security and fraud prevention — detecting and preventing unauthorised access or abuse
- Service improvement — understanding usage patterns to improve features and reliability
- Legal compliance — meeting our obligations under applicable laws and regulations
- Customer support — responding to enquiries and resolving issues
We do not sell, rent or trade your personal information to third parties for marketing purposes — ever.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area, our legal bases for processing your personal data are:
- Contract performance — processing necessary to provide the Service you have requested
- Legitimate interests — security monitoring, fraud prevention and service improvement
- Legal obligation — compliance with applicable laws and regulations
- Consent — where you have given explicit consent, such as for marketing communications
4. Data Storage & Third-Party Services
The Sealed Vault uses the following third-party services to operate:
Google Firebase
Authentication, Firestore database, Cloud Storage and Hosting. Firebase stores your account data and encrypted vault data on Google's servers. Firebase is subject to Google's Privacy Policy and Terms of Service.
Gmail SMTP (via Firebase Extension)
Used to send email notifications. Email subject lines and recipient addresses are processed through Google's mail infrastructure.
Google Data Processing Agreement (DPA)
A separate Data Processing Agreement document is provided which links directly to Google's own DPA. Please refer to the standalone DPA document for full details.
Your encrypted vault data is stored in Google Firebase data centres. Data may be replicated to other regions for redundancy as per Firebase's infrastructure policies.
5. Data Retention
- Account data — retained for the lifetime of your account
- Vault data — retained until you delete the vault or close your account
- Email notification records — retained for 90 days in Firestore then deleted
- Access logs — retained for 12 months for security purposes
- Invitation records — retained for 12 months then deleted
- Deleted vault data — permanently removed within 30 days of deletion
- Account closure — all personal data deleted within 30 days of account closure
6. Your Rights & Choices
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate personal data
- Deletion — request deletion of your personal data and account
- Portability — receive your data in a structured, machine-readable format
- Restriction — request restriction of processing in certain circumstances
- Objection — object to processing based on legitimate interests
- Withdrawal of consent — withdraw consent at any time where processing is consent-based
To exercise any of these rights, contact us at contact@sealed-vault.com. We will respond within 30 days. Note that because your vault contents are encrypted and we cannot access them, we cannot provide copies of vault contents — only you can access them with your passphrase.
7. Cookies & Tracking
- Authentication cookies — essential for maintaining your login session (Firebase Auth)
- Preference cookies — remembering your settings within the application
- Analytics cookies — Google Firebase Analytics for anonymised usage data
We do not use advertising cookies or third-party tracking for marketing purposes. You can control cookies through your browser settings, though disabling essential cookies may impair the functionality of the Service.
8. Children's Privacy
The Sealed Vault is not directed to children under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take immediate steps to delete that information. If you believe a child under 18 has registered for the Service, please contact us immediately.
9. Security Measures
- AES-256-GCM encryption for all vault contents — client-side before upload
- PBKDF2 key derivation with SHA-256 and 200,000 iterations
- SHA-256 hashing for emergency override answers
- Firebase Security Rules restricting data access by authenticated user
- HTTPS/TLS encryption for all data in transit
- Firebase App Check to prevent unauthorised API access
- Access-controlled admin dashboard — only approved users can access the Service
- Email alerts for all vault access events including emergency overrides
- Zero-knowledge architecture — plaintext data never reaches our servers
Despite these measures, no security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law within 72 hours of discovery.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your personal information, and the right to opt-out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at contact@sealed-vault.com.
11. International Data Transfers
Your data may be transferred to and stored in countries outside your own, including the United States, where Google Firebase's primary servers are located. These countries may have data protection laws that differ from those of your country. By using the Service, you consent to this transfer. We take steps to ensure adequate protections are in place through Google's standard contractual clauses and other appropriate safeguards.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The updated Policy will be posted on our website with a new effective date. Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
13. Contact Us — Privacy Officer
For privacy-related enquiries, requests to exercise your rights, or to report a privacy concern, please contact our Privacy Officer:
If you are located in the EU and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.