Privacy Policy

Introduction

Welcome to Vault. We are committed to protecting your privacy and ensuring the security of your digital assets. This Privacy Policy explains how we collect, use, and safeguard your information when you use our secure digital asset inheritance platform.

1. Information We Collect

1.1 Account Information

• Email Address: Used for account identification, authentication, and critical notifications
• Phone Number: Optional, used for enhanced security and SMS notifications
• Master Passphrase: Hashed using industry-standard encryption (never stored in plaintext)
• IP Address: Recorded at registration for policy acceptance and security audit logs

1.2 Vault Data

• Encrypted Asset Names: Metadata for organizing your vault items
• Importance Levels: LOW, MEDIUM, or HIGH (determines release timing)
• Encrypted Blobs: Your actual data, encrypted client-side before transmission
• Attachment Metadata: File information (name, size) in JSON format

1.3 Nominee Information

• Nominee Name, Email, Phone: Collected with your consent to facilitate asset transfer
• Verification Data: Temporary codes and tokens for identity verification
• Secret Code Hash: Stored securely for nominee authentication

1.4 Activity Data

• Heartbeat Timestamps: Last activity indicator to detect inactivity
• Audit Logs: System actions (login, heartbeat, state changes) for security monitoring
• Inactivity State: ACTIVE, SILENT, COOLING, or RELEASED status

2. Zero-Knowledge Encryption Guarantee

• Encryption happens locally in your browser using AES-256-GCM
• Your master passphrase never leaves your device in plaintext
• Our servers cannot decrypt your vault contents
• Nominees receive decryption keys only after verification and release stages

3. How We Use Your Information

• Account Management: Creating, authenticating, and maintaining your account
• Inactivity Detection: Monitoring heartbeats to detect prolonged absence (120 days threshold)
• Nominee Verification: Sending SMS/email codes and managing multi-step authentication
• Asset Release: Executing staged release (LOW → MEDIUM → HIGH) after cooling period
• Security Auditing: Logging critical actions to prevent unauthorized access
• Service Notifications: Sending inactivity warnings, release notifications, and verification codes

4. Inactivity & Asset Release Policy

Release Stages:

• Stage 1 (Day 148): LOW importance items released to verified nominee
• Stage 2 (Day 155): MEDIUM importance items released (+7 days)
• Stage 3 (Day 169): HIGH importance items released (+14 days)

You can stop the release process at any time by logging in or sending a heartbeat. This immediately resets your status to ACTIVE, regardless of the current stage.

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information. We may share data only in these circumstances:

• With Your Nominee: After verification and release stages, encrypted vault items are accessible to your designated nominee
• Legal Requirements: If required by law, court order, or governmental authority
• Service Providers: Third-party services (email delivery, SMS gateways) that assist in platform operations, under strict confidentiality agreements
• Security Incidents: With law enforcement if unauthorized access is detected

6. Data Retention

• Active Accounts: Data retained indefinitely while account is active
• Released Assets: Remain accessible to nominees until they choose deletion
• Audit Logs: Retained for 7 years for security and compliance purposes
• Verification Codes: Automatically deleted after expiry (10 minutes for SMS, 72 hours for email)
• Account Deletion: You may request permanent deletion; data is removed within 30 days except where legally required

7. Your Privacy Rights

• Access: Request a copy of your personal data
• Correction: Update inaccurate or incomplete information
• Deletion: Request account and data deletion (subject to legal obligations)
• Export: Download your encrypted vault data in portable format
• Revoke Nominee: Remove nominee access at any time before release completion
• Opt-Out: Disable non-critical notifications (inactivity warnings remain mandatory)

8. Security Measures

• End-to-end encryption for all vault contents
• HTTPS/TLS for all data transmission
• Bcrypt password hashing with salt
• Rate limiting on authentication endpoints (5 attempts per 15 minutes)
• Database-level encryption at rest
• Regular security audits and penetration testing
• Multi-step nominee verification (phone + secret code + acceptance)

9. Cookies & Tracking

We use minimal cookies for essential functionality:

• Authentication Cookies: Secure, HttpOnly cookies for session management
• Refresh Tokens: Stored securely to maintain login sessions
• No Third-Party Trackers: We do not use Google Analytics, Facebook Pixel, or similar tracking tools

10. Children's Privacy

Vault is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with data, please contact us immediately for deletion.

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. The "Last updated" date at the top indicates the latest revision. Continued use of the service after changes constitutes acceptance of the updated policy. Material changes will be communicated via email.

12. Contact Us

For questions, concerns, or requests regarding your privacy: