Privacy Policy

Last Updated: November 23, 2025

VerityVault Privacy Policy

1. Introduction

VerityVault ("we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and browser extension.

We believe privacy is a fundamental right. Our zero-knowledge architecture ensures that we cannot access your vault data, even if we wanted to. Your information is encrypted with your master passphrase before it ever reaches our servers.

2. Information We Collect

2.1 Information You Provide

Account Information: When you create an account, we collect:

  • Email address (for account identification and communication)
  • Name (optional, for personalization)
  • Payment information (processed through secure third-party payment processors)

Vault Data: All data you store in your vault (documents, credentials, notes, etc.) is encrypted on your device before transmission. We store this encrypted data but cannot decrypt or access its contents.

2.2 Automatically Collected Information

  • Device Information: Browser type, operating system, device type
  • Usage Data: Feature usage, error logs, performance metrics (anonymized)
  • IP Address: For security and fraud prevention purposes
  • Cookies: Session cookies for authentication and functional cookies for preferences

2.3 Information We Cannot Access

Due to our zero-knowledge architecture, we cannot access:

  • Your master passphrase
  • The contents of your encrypted vault data
  • Decrypted credentials, documents, or notes
  • Any information stored in your vault

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and improve the VerityVault service
  • Account Management: To create and manage your account
  • Communication: To send service updates, security alerts, and support messages
  • Payment Processing: To process subscription payments and manage billing
  • Security: To detect and prevent fraud, abuse, and security threats
  • Analytics: To understand usage patterns and improve our service (using anonymized data)
  • Legal Compliance: To comply with legal obligations and enforce our terms

4. Zero-Knowledge Architecture

VerityVault implements a zero-knowledge security model:

  • Client-Side Encryption: All encryption and decryption occurs on your device using your master passphrase
  • Master Passphrase: Your passphrase never leaves your device and is never transmitted to our servers
  • Encrypted Storage: We store only encrypted data that we cannot decrypt
  • Encryption Keys: Your encryption keys are derived from your passphrase and never stored in plaintext

This means that even in the unlikely event of a data breach, your vault contents remain secure and inaccessible without your master passphrase.

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

We work with third-party service providers who help us operate our service:

  • Cloud Infrastructure: For hosting our application and storing encrypted data
  • Payment Processors: For processing subscription payments (they never receive vault data)
  • Email Services: For sending transactional emails
  • Analytics Services: For understanding service usage (anonymized data only)

These service providers are contractually obligated to protect your data and use it only for the services they provide to us.

5.2 Legal Requirements

We may disclose information if required by law, such as:

  • In response to valid legal process (subpoenas, court orders)
  • To protect our rights, privacy, safety, or property
  • To prevent fraud or security threats
  • In connection with a merger, acquisition, or sale of assets

Note: Due to our zero-knowledge architecture, we cannot provide access to your encrypted vault contents, as we do not have the ability to decrypt them.

5.3 With Your Consent

When you share vault items with circle members, we facilitate the secure sharing of that encrypted data. The recipient must have their own account and appropriate access permissions.

6. Data Security

We implement comprehensive security measures to protect your information:

6.1 Encryption

  • At Rest: All vault data is encrypted using AES-256 encryption
  • In Transit: All communications use TLS 1.3 or higher
  • Client-Side: Encryption occurs on your device before transmission

6.2 Infrastructure Security

  • Secure cloud infrastructure with enterprise-grade security
  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • Access controls and authentication for internal systems
  • Continuous monitoring for security threats

6.3 Security Best Practices

  • Multi-factor authentication (MFA) support
  • Session timeout and automatic logout
  • Password strength requirements
  • Account activity monitoring
  • Security event logging

7. Data Retention

Active Accounts: We retain your account information and encrypted vault data as long as your account is active.

Deleted Accounts: When you delete your account, we:

  • Immediately disable access to your account
  • Retain data for 60 days to allow for account recovery
  • Permanently delete all data after the 60-day period
  • May retain anonymized usage data for analytics purposes

Legal Requirements: We may retain certain data longer if required by law or for legitimate business purposes (e.g., fraud prevention, financial records).

8. Your Privacy Rights

Depending on your location, you may have the following rights:

8.1 Access and Portability

  • Access your personal information
  • Export your vault data
  • Request a copy of your information

8.2 Correction and Deletion

  • Update or correct your personal information
  • Delete your account and associated data
  • Request deletion of specific information

8.3 Control and Objection

  • Control cookie and tracking preferences
  • Opt out of marketing communications
  • Object to certain data processing activities

To exercise these rights, contact us at privacy@verity-vault.com. We will respond to your request within 30 days.

9. Cookies and Tracking

We use cookies and similar technologies for:

9.1 Essential Cookies

  • Authentication and session management
  • Security features and fraud prevention
  • Core functionality of the service

9.2 Functional Cookies

  • Remembering your preferences and settings
  • Improving user experience

9.3 Analytics Cookies

  • Understanding how users interact with our service
  • Identifying and fixing issues
  • Improving features and functionality

You can control cookie preferences through your browser settings. Note that disabling essential cookies may affect service functionality.

10. International Data Transfers

VerityVault operates globally. Your information may be transferred to and stored in countries other than your country of residence. We ensure appropriate safeguards are in place for international transfers:

  • Standard contractual clauses approved by regulatory authorities
  • Adequate data protection measures in recipient countries
  • Compliance with GDPR and other privacy regulations

Remember, your vault data is encrypted before transfer, providing an additional layer of protection regardless of where it's stored.

11. Children's Privacy

VerityVault is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will promptly delete it.

If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@verity-vault.com.

12. Browser Extension Privacy

Our browser extension:

  • Does not track your browsing history
  • Does not monitor websites you visit
  • Only accesses pages when you explicitly use autofill or save features
  • Stores encrypted data locally in your browser
  • Requires explicit permissions for each feature

You can review and revoke extension permissions at any time through your browser settings.

13. Third-Party Services

We integrate with third-party services (payment processors, cloud providers, etc.). These services have their own privacy policies. We recommend reviewing their policies:

  • Payment processors (Stripe, PayPal, etc.)
  • Cloud infrastructure providers
  • Email service providers
  • Analytics services

We select third-party services that maintain high privacy and security standards and are compliant with relevant regulations.

14. Data Breach Notification

In the unlikely event of a data breach that affects your personal information:

  • We will notify affected users within 72 hours of discovery
  • We will inform relevant regulatory authorities as required by law
  • We will provide details about the breach and steps being taken
  • We will offer guidance on protecting your account

Note: Due to our zero-knowledge encryption, a breach of our systems would not compromise your encrypted vault data without your master passphrase.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will notify you via email
  • We will display a prominent notice in the application
  • We will update the "Last Updated" date
  • We will maintain a changelog of significant modifications

Continued use of the service after changes constitutes acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

VerityVault Privacy Team
Email: privacy@verity-vault.com
Website: www.verity-vault.com

By using VerityVault, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of information as described herein.