Privacy Policy

Last updated: March 24, 2026

VaultSecures ("we", "our", or "the app") is a privacy-first encrypted gallery backup application. Your privacy is our core mission. This policy explains what data we collect, how we use it, and your rights.

1. Data We Collect

Account Information

• Email address — used for account creation and login
• Google account info — if you sign in with Google (name, email, profile photo from Google)
• Password — stored as a one-way hash (PBKDF2), we never store or see your plain password

Backup Data

• Photos and videos — encrypted on your device before upload using AES-256-GCM encryption. We cannot read, view, or access your files.
• File metadata — file names, sizes, and types are stored to manage your backup catalog
• Content hashes — SHA-256 hashes of your files for deduplication (not reversible to original content)

Device Information

• Device token — for push notifications (optional)
• We do not collect device IDs, location, contacts, or any other personal data

Payment Information

• Payments are processed by Stripe. We do not store your credit card number. Stripe handles all payment data under their own privacy policy.

2. Zero-Knowledge Encryption

VaultSecures uses a zero-knowledge architecture:

• Your files are encrypted on your device using AES-256-GCM before being uploaded
• The encryption key is derived from your password using PBKDF2 with 120,000 iterations
• We never have access to your encryption key or your unencrypted files
• Even if our servers were compromised, your data remains encrypted and unreadable

3. How We Use Your Data

• To provide the backup and restore service
• To manage your account and subscription
• To send you important service notifications (optional push notifications)
• To enforce storage limits and plan features

We do not:

• Sell your data to third parties
• Use your data for advertising
• Share your data with anyone except as required by law
• Access or view your encrypted files
• Train AI models on your data

4. Data Storage

• Encrypted files are stored on Cloudflare R2 (cloud storage)
• Account data is stored on Cloudflare D1 (database)
• Authentication is managed by Firebase Authentication (Google)
• All data is transmitted over HTTPS (TLS 1.2+)

5. Data Retention

• Your data is retained as long as your account is active
• When you delete your account, your data is archived (soft-deleted) and your encrypted files are retained in storage for 30 days before permanent deletion
• You can request immediate permanent deletion by contacting us

6. Your Rights

You have the right to:

• Access your data through the app
• Download your files at any time through the app's restore feature
• Delete your account and all associated data
• Export your data by downloading your backed-up files
• Opt out of push notifications through your device settings

7. Children's Privacy

VaultSecures is not intended for children under 13. We do not knowingly collect personal information from children under 13.

8. Third-Party Services

• Firebase Authentication (Google) — for secure sign-in. Privacy Policy
• Stripe — for payment processing. Privacy Policy
• Cloudflare — for data storage and CDN. Privacy Policy

9. Security

• AES-256-GCM end-to-end encryption
• PBKDF2 password hashing with 120,000 iterations
• HTTPS/TLS for all data in transit
• JWT tokens for API authentication
• Biometric authentication support
• No plaintext passwords stored anywhere

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any significant changes through the app or by email.

11. Contact Us

If you have questions about this privacy policy or your data, contact us at:

• Email: [email protected]
• Website: vaultsecures.com