How we process and protect your personal data — and why our zero-knowledge design means we can't read your vault.
This Privacy Policy sets out the basis on which we process any Personal Data we may collect about you as a visitor to our website at www.vaultneur.com and as a customer or potential customer using our personal digital vault application and services ("Services"). It also sets out how we protect your privacy and your rights in respect of our use of your Personal Data.
A "data controller" is a person or organization who, alone or jointly, determines the purposes for which, and the manner in which, any personal data is processed. Vaultneur PTY LTD, Pretoria, Gauteng, South Africa ("Vaultneur", "we", "us", "our") is the data controller for the Personal Data described in this policy.
If you have any questions about data protection at Vaultneur, you can reach us by email at info@vaultneur.com.
Vaultneur is built so that the contents of your vault are encrypted on your own device before they reach us. We do not hold any key that can decrypt your vault contents, and we cannot read the documents and records you store. This shapes everything in this policy: while we process limited account information and metadata (described below), we do not have access to the actual contents of your vault.
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute Personal Data.
Special category data is Personal Data that needs more protection because it is sensitive. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning a person's health, sex life or sexual orientation. Where such data is stored in your vault, it is encrypted on your device and we cannot access its contents.
South Africa's Protection of Personal Information Act (POPIA), the UK Data Protection Act 2018, and the EU's General Data Protection Regulation ("GDPR") govern how your Personal Data is used by us. We are also required to explain which Personal Data we collect from you, what we use it for, when we delete it, and how it is protected.
All Personal Data we obtain from you will only be processed for the purposes described below, within the framework of POPIA, the UK Data Protection Act and the GDPR, and only where at least one of the following applies: (a) you have given your consent; (b) the processing is necessary to perform a contract or take pre-contractual steps; (c) the processing is necessary to comply with a legal obligation; or (d) the processing is necessary for our legitimate interests, provided your interests are not overridden.
When you visit our website, your browser automatically transmits certain data to our server, which is technically necessary to display the website and ensure its stability and security. This includes: the IP address of the requesting device; date and time of access; the name and URL of the file accessed; the referring website; the browser used and, where applicable, your operating system and access provider. The legal basis is our legitimate interest.
Our website is built on WordPress. Our application back-end, authentication, database and encrypted storage are provided by Supabase. Encrypted vault data and limited account information and metadata are stored on this infrastructure. The legal basis is our legitimate interest in providing the website and Services securely and efficiently, together with the performance of our contract with you.
For the processing of personal data using cookies and similar technologies on our website, please refer to our Cookie Policy. The legal basis is our legitimate interest or your consent, as explained in that policy.
For business reasons, we analyze aggregated and anonymized data about website usage and business transactions. These analyses are for our own use and are not disclosed externally. For website analytics we use Google Analytics, as described in our Cookie Policy. The legal basis is our legitimate interest and your consent.
If you contact us, we process the data you provide solely to respond to and handle your enquiry — usually your name, email address, the topic and your message. The legal basis is our legitimate interest, the initiation or performance of a contract, and your consent.
If you subscribe to our newsletter, we collect your email address to send you updates and promotional material. The legal basis is your consent.
To register and use our personal digital vault, you provide an email address and a password. Your password is used to derive the key that encrypts your vault; it is never transmitted to us and we never store it. We may also collect basic profile details you choose to provide. This data is used to create and operate your account and to provide the Services.
When you use the vault, you may enter documents and records ("Service Data"), which may include Personal Data and Special Category Data. You own your Service Data. Because of our zero-knowledge design, this content is encrypted on your device before it reaches us, and we cannot read it. We act as your Data Processor in respect of Service Data and process it only to provide the Services, in accordance with our Processing Addendum.
The types of information you may choose to store in your vault include identity, contact, medical, financial, business, login and other personal records, as well as documents and notes. All such content is encrypted on your device. We can see only limited metadata, such as the type of record (for example, "Medical" or "Login"), file sizes, timestamps and system identifiers — never the contents.
Where you enable it, your account may be protected by additional authentication. We currently support app-based and device authentication. We plan to introduce SMS-based two-factor authentication in the future, provided by Twilio; if and when we do, we will update this policy and our Processing Addendum to reflect that Twilio processes your mobile number for that purpose, and we will treat your mobile number accordingly. Until then, no SMS is sent and no mobile number is shared with Twilio.
If you contact support, we process the information you provide to handle your request, which may include your name, email address and any details you choose to share. Because of our zero-knowledge design, we cannot access your vault contents in order to assist you; we can only help with matters that do not require reading your encrypted data. The legal basis is the performance of our contract and our legitimate interest in handling your request.
Subscriptions to our paid tier are managed in-app through RevenueCat and the relevant app store (Apple App Store or Google Play). Payment card details are handled by those providers and the app stores, not by us; we receive only your subscription and entitlement status. The legal basis is the performance of our contract.
We process data in the course of administering and organizing our business and complying with legal obligations such as record-keeping. The legal bases are our legal obligations and our legitimate interest.
Within the legally permitted scope, we may use your email address to tell you about promotions and offers. This serves our legitimate interest, and you may opt out at any time.
If you sign up via a referral link or select a referring company at checkout, we collect referral-source data (such as the link used or company selected, your IP address and sign-up timestamp) to track referrals for commission purposes. The legal basis is your consent and our legitimate interest in running the program. We may share aggregated or anonymized referral data with referring companies for verification, but will not share your full personal details without your consent. You can withdraw consent by emailing info@vaultneur.com.
We will only use your Personal Data for the purposes for which it was collected, unless we reasonably believe another purpose is compatible. If we need to use it for an unrelated purpose, we will notify you and explain the legal basis.
We will not disclose your Personal Data to third parties unless: (a) it is necessary to perform our Services (including referral-program administration); (b) you have consented; or (c) we are legally obliged to do so, for example by court order or in connection with legal proceedings. Because of our zero-knowledge design, even where we are legally compelled to disclose data, we are technically unable to provide the plaintext contents of your encrypted vault, as we do not hold the keys to decrypt it.
We may transfer your Personal Data internationally as necessary for the purposes described in this policy, including to our sub-processors. Where we do so, we put in place appropriate safeguards (such as the Standard Contractual Clauses) and take reasonable technical and organizational measures to protect it. Further detail is set out in our Processing Addendum.
We maintain a presence on social media based on our legitimate interest. If you interact with us on these platforms, we and the platform provider may be jointly responsible for the resulting data processing. The legal basis is our legitimate interest and your consent.
We delete your Personal Data when we no longer need it — for example, where it is no longer necessary for the purpose for which it was collected, where we believe it is inaccurate, or where you have withdrawn consent on which the processing relied. Where legal or regulatory requirements oblige us to retain data for a set period (including in relation to legal disputes), we will retain it for that period.
You may delete your account at any time. On deletion, your vault data, records, recovery data and account are removed by a single server-side operation. Encrypted copies that exist in routine backups are overwritten in line with our backup cycle. Data cannot be recovered after deletion.
Vaultneur uses a zero-knowledge architecture. The contents of your vault — your documents and records — are encrypted on your own device using AES-256-GCM before they are transmitted to us. The key that encrypts your vault is derived from your password (which never leaves your device, using PBKDF2-SHA256) and is held only in your device's hardware-backed secure storage (the iOS Keychain or Android Keystore), optionally protected by your device biometrics. We do not hold any key capable of decrypting your vault contents.
As a result, our servers only ever store and process encrypted (ciphertext) data, together with limited account information and metadata such as file sizes, timestamps and record types. Data is encrypted in transit using TLS 1.3. Access to our systems is limited on a least-privilege basis, and our database enforces row-level security so that each account can only ever reach its own data. A 24-word recovery passphrase lets you restore your vault if you forget your password; we store only a one-way hash of it for verification and never the passphrase itself.
Please remember that no method of storage or transmission is completely secure, and that you are responsible for your password, your recovery passphrase and access to your device. Because of our design, if you lose both your password and your recovery passphrase, we cannot recover your data for you.
Our website may contain hyperlinks to other websites. We are not responsible for, and this policy does not apply to, the privacy practices of websites we do not own or control. We encourage you to read the privacy policy of each website you visit.
You can exercise the following rights in respect of your Personal Data: the right to access; to rectification; to erasure; to restrict processing; to object to processing; and to data portability. To exercise any of these, or to update your information or withdraw consent, please contact us at info@vaultneur.com.
In the case of a Data Subject Access Request, we will respond as soon as reasonably possible. If we cannot respond within thirty (30) days, we will tell you why and when we expect to respond. Note that, because of our zero-knowledge design, requests that require access to the contents of your vault must be carried out by you through your own account, as we cannot decrypt that content on your behalf.
The Information Regulator (South Africa) and the Information Commissioner's Office (UK) are the relevant authorities for data protection complaints in South Africa and the UK respectively. If you are in the EU, you can lodge a complaint with the data protection supervisory authority in your member state. We would, however, appreciate the chance to address your concerns first.
For users in the United States, we are committed to adhering to relevant state privacy and consumer data protection laws, such as those in California, Colorado and Virginia, and aim to provide all US users with the rights set out in this policy. California residents may request information about disclosures of Personal Data for direct marketing ("Shine the Light"). We do not knowingly collect Personal Data from children under 13 (COPPA). We comply with the CAN-SPAM Act, and you can unsubscribe from marketing emails at any time. Our website does not currently respond to Do-Not-Track signals, as no uniform standard is finalized.
For users in Canada and Mexico, we apply the same rights and privileges set out in this policy, recognizing the similarities of PIPEDA (Canada) and the LFPDPPP (Mexico) to the GDPR. In case of ambiguity, the most stringent provision applies. The Office of the Privacy Commissioner (www.priv.gc.ca) is Canada's national authority; in Mexico the relevant national authority is INAI.
If you have any questions about this policy or the information we hold about you, please contact us at info@vaultneur.com.
This version of the policy is effective from the date stated above and is the current version. Any prior versions are superseded. If we make changes, we will revise the effective date.