Privacy Policy

Last updated: March 8, 2026

1. Zero-Knowledge Architecture

Privault uses a zero-knowledge encryption architecture. This means your master password and decrypted credentials never leave your device. All encryption and decryption happen entirely in your browser using AES-256-GCM. Our servers only store encrypted ciphertext that is computationally infeasible to decrypt without your master password.

2. Data We Collect

We collect the minimum data necessary to provide the service:

  • Email address (for authentication and account recovery)
  • Encrypted vault data (unreadable without your master password)
  • Account metadata (creation date, last login timestamp)
  • Security event logs (login attempts, vault access patterns)

3. Data We Cannot Access

Due to our zero-knowledge design, we cannot access:

  • Your master password
  • Your decrypted passwords, notes, or credentials
  • Your derived encryption keys

4. Data Storage

Your encrypted data is stored securely on Supabase infrastructure with row-level security policies ensuring each user can only access their own data. All data at rest is encrypted by the hosting provider in addition to our client-side encryption.

5. Data Deletion

You can delete your account and all associated data at any time from the Settings page. Account deletion is permanent and irreversible — all encrypted data is removed from our servers.

6. Contact

For privacy-related inquiries, please open an issue on our project repository or contact us via email.