Privacy Policy

Last updated: April 8, 2026

Welcome to VaultLink! This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our application. Because we operate on a strictly zero-knowledge architecture, our ability (and desire) to collect data about you is intentionally minimized.

1. Zero-Knowledge Architecture

VaultLink is a zero-knowledge, end-to-end encrypted platform. This means:

  • Keys are never stored: Your master decryption keys are generated and stored exclusively on your device. We never have access to them. If your device fails or is lost without a manual backup of your keys, your access to your data is permanently lost.
  • Data is incomprehensible: The items you store in VaultLink are encrypted locally (using AES-256-GCM) before being transmitted anywhere. We only ever see unreadable ciphertext blobs.
  • Local Fallbacks: Much of our functionality uses IndexedDB, keeping data strictly on your physical device. This means your data is only as safe as your device and your backups.
  • P2P & Transit: When utilizing direct browser transfers, VaultLink uses third-party signaling services (specifically PeerJS Cloud) to facilitate the initial handshake between devices. These services orchestrate the exchange of connection metadata (such as IP addresses). All transmitted vault bytes remain end-to-end encrypted and are never accessible to the signaling provider or our infrastructure.

2. Data Collection and Usage

While we cannot see your vault data, we do collect minimal information required to operate the service and provide Pro subscriptions:

  • Account Information: If you sign in (e.g., via NextAuth/GitHub/Google), we collect your email address and profile name strictly for authentication and subscription tracking.
  • Usage Data: We may collect standard usage metrics, interaction logs, and device capability checks (like WebAuthn availability) to ensure robust application performance.

VaultLink does not sell your data, use your vault metadata for marketing, or repurpose your information for third-party modeling.

3. Payment Processing & LemonSqueezy

VaultLink uses LemonSqueezy as our Merchant of Record (MoR) for managing Pro plan subscriptions. LemonSqueezy handles all payment processing, billing, and tax compliance globally.

  • No Sensitive Payment Data: VaultLink does not collect, process, or store sensitive payment details (such as full credit card numbers). All payment routing is handled directly and securely through LemonSqueezy APIs.

4. Cookies, Local Storage & Biometrics

Because of our zero-knowledge architecture, we leverage secure modern Web APIs to handle sensitive functionality directly on your device rather than on our servers:

  • Storage (IndexedDB, LocalStorage & SessionStorage): We use these essential browser storage mechanisms to securely maintain your vault instances, active sessions, and persistence preferences. These are strictly required for our offline-capable, local-first architecture to function. Important: IndexedDB is a local browser technology and does not guarantee permanent data storage. Your data may be cleared by the browser or lost due to device failure. You are solely responsible for exporting and downloading manual backup files (.vault) regularly to ensure your data is permanently secured.
  • Biometric Authentication (WebAuthn): For Pro users utilizing biometric unlock (Touch ID, Face ID, Windows Hello), we use standard WebAuthn APIs. Your actual biometric data never leaves your device's Secure Enclave. VaultLink never collects, transmits, or possesses your fingerprint or facial scans. We only receive a secure cryptographic signature proving successful local verification.
  • Cookies & Analytics: VaultLink uses "Strictly Necessary" cookies for session management. We also use Google Analytics (GA4) to help us analyze how users interact with our site. This service uses cookies to collect anonymous information (such as your IP address, browser type, and pages visited).

    Google Analytics ID: G-KC4EBLPN34.

    We only activate Google Analytics if you provide explicit consent via our cookie banner. You can withdraw your consent or manage your preferences at any time by clearing your browser cache or using the settings provided by your browser.

5. Global Data Rights

We comply with standard global data protection frameworks (including GDPR):

  • Access & Correction: Because we are zero-knowledge, we cannot extract your encrypted data for you. You must use your own keys to access it. For account metadata (like email), you may request a copy or correction.
  • Deletion: You may request the permanent deletion of your account and any encrypted blobs we hold. Once deleted, the ciphertext is permanently unreachable.

6. Children's Privacy

Our Service does not address anyone under the age of 16. We do not knowingly collect personally identifiable information from children under 16. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us.

7. Updates to this Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this policy.