
Privacy Policy

Effective date: 1 May 2025 · Last updated: 1 May 2025

1. What Vaultixs cannot see

Vaultixs is a zero-knowledge service. Your vault data is encrypted on your device using a key derived from your master password before it ever reaches our servers. We never receive your master password, your unencrypted vault contents, or any of the credentials you store. This is not a policy — it is a technical constraint. Even if we wanted to read your data, or were compelled to provide it to a third party, we could not do so in a usable form.

2. Data we do collect

We collect the minimum data required to operate the service:

• Account information: your email address, used to identify your account and send transactional emails.
• Encrypted vault data: the ciphertext of your vault, stored on our servers so it can be synced across your devices. This is unreadable to us.
• Usage metadata: aggregate, anonymised data about feature usage (e.g. "how many users activated the CLI this week"). This data cannot be linked to an individual.
• Billing data: if you are a paid subscriber, your payment is processed by Stripe. We store only the subscription status and the last four digits of your card — we never see or store your full card details.
• Support communications: if you email us, we keep your message for as long as necessary to resolve your request.

3. Data we do not collect

We do not collect:

• Your master password (not even a hash)
• The URLs of websites you visit via autofill
• The names of credentials in your vault
• The contents of any item in your vault
• Your device's location
• Any advertising or tracking identifiers

4. How we use your data

We use your email address to:

• Send you a verification email when you sign up
• Send transactional emails (password change confirmations, billing receipts)
• Contact you about critical security notices

We do not send marketing email unless you have explicitly opted in. We never sell your data to third parties.

5. Sharing with third parties

We share data with third parties only where strictly necessary:

• Stripe — payment processing. Stripe receives your card details directly and is PCI-DSS Level 1 certified.
• Our cloud infrastructure provider — stores the encrypted ciphertext of your vault. They cannot decrypt it.

We do not use advertising networks, analytics brokers, or data enrichment services.

6. Data retention

If you delete your Vaultixs account, all data associated with your account — including your encrypted vault — is permanently deleted within 30 days. Backup copies are purged on the same schedule. Billing records are retained for 7 years as required by UK tax law.

7. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

• Access a copy of your personal data
• Correct inaccurate data
• Request deletion of your account and associated data
• Object to processing
• Data portability (export your vault in a standard format)

To exercise any of these rights, email privacy@vaultixs.com. We will respond within 30 days.

8. Cookies

Vaultixs uses a single session cookie to keep you authenticated in the web application. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

9. Security

All data in transit is encrypted using TLS 1.3. Vault data is encrypted at rest using AES-256-GCM. Our encryption model is described in detail on the Security page. We conduct regular internal security reviews and disclose material incidents to affected users promptly.

10. Changes to this policy

We will notify you by email if we make material changes to this policy. The effective date at the top of this page will be updated. Continued use of the service after a notified change constitutes acceptance of the revised policy.

11. Contact

Vaultixs Ltd is registered in England and Wales.

Data Protection enquiries: privacy@vaultixs.com
General: hello@vaultixs.com