Privacy Policy

Effective Date: January 1, 2025
Last Updated: January 1, 2025

1. Introduction

SharedVault Pty Ltd ("SharedVault", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure secrets management platform (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. This policy should be read in conjunction with our Terms of Service and Cookie Policy.

2. Information We Collect

2.1. Account Information

When you create an account, we collect:

  • Email address (used for authentication and communication)
  • Name and display name (optional)
  • Avatar identifier (if you upload a profile picture)
  • Password (hashed using Argon2id - we never store plain text passwords)

2.2. Authentication Information

To ensure security, we collect:

  • TOTP (Time-based One-Time Password) secret (encrypted)
  • Login timestamps and IP addresses (for security monitoring)
  • Session tokens (temporary, encrypted)

2.3. Secrets Data

Critical: All secrets (passwords, notes, files, certificates) are encrypted on your device before being sent to our servers. We cannot decrypt or view your secrets. We only store:

  • Encrypted secret envelopes (encrypted with keys you control)
  • Secret metadata (names, types, versions - not the actual secret content)
  • Encryption keys are derived from your authentication credentials and never stored on our servers

2.4. Usage Information

We collect minimal usage data to improve the Service:

  • Feature usage patterns (anonymized)
  • Error logs (for debugging and service improvement)
  • Performance metrics (page load times, API response times)

2.5. Technical Information

Automatically collected technical data:

  • Browser type and version
  • Device information (type, operating system)
  • IP address (for security and fraud prevention)
  • Cookies and similar tracking technologies (see our Cookie Policy)

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Provision: To provide, maintain, and improve our Service
  • Authentication: To verify your identity and secure your account
  • Encryption: To enable end-to-end encryption of your secrets
  • Communication: To send you important service updates, security alerts, and support responses
  • Security: To detect, prevent, and address security threats and fraud
  • Compliance: To comply with legal obligations and enforce our Terms of Service
  • Analytics: To understand how users interact with our Service (anonymized data only)

4. Data Security

Security is at the core of our Service. We implement industry-leading security measures:

Security Measures:

  • End-to-End Encryption: All secrets are encrypted on your device before transmission
  • Zero-Knowledge Architecture: We cannot decrypt or view your secrets
  • Post-Quantum Cryptography: We use quantum-resistant encryption algorithms
  • Password Hashing: Passwords are hashed using Argon2id (industry standard)
  • Multi-Factor Authentication: TOTP support for enhanced security
  • Secure Transmission: All data transmitted over HTTPS/TLS
  • Regular Security Audits: We conduct regular security assessments
  • Access Controls: Strict access controls and authentication for our systems

Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

5. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • Service Providers: With trusted third-party service providers who assist us in operating our Service (e.g., hosting, analytics) - these providers are contractually bound to protect your information
  • Legal Requirements: When required by law, court order, or government regulation
  • Security: To protect the rights, property, or safety of SharedVault, our users, or others
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users)
  • With Your Consent: When you explicitly consent to sharing

Important: We never share your encrypted secrets with third parties. Your secrets remain encrypted and accessible only to you.

6. Data Retention

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

  • Account Data: Retained while your account is active and for a reasonable period after account deletion (to comply with legal obligations)
  • Secrets Data: Retained until you delete them or your account is deleted
  • Audit Logs: Retained for security and compliance purposes (duration depends on your subscription tier)
  • Deleted Data: Soft-deleted data may be retained for a limited period before permanent deletion

You can request deletion of your account and associated data at any time. We will delete your data in accordance with our data retention policies and legal requirements.

7. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

Your Rights (GDPR, CCPA, and other applicable laws):

  • Right to Access: Request a copy of your personal information
  • Right to Rectification: Correct inaccurate or incomplete information
  • Right to Erasure: Request deletion of your personal information
  • Right to Restrict Processing: Request limitation of how we process your information
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to certain types of processing
  • Right to Withdraw Consent: Withdraw consent for data processing (where applicable)

To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country.

We ensure that appropriate safeguards are in place to protect your information in accordance with this Privacy Policy, including:

  • Standard contractual clauses approved by relevant data protection authorities
  • Compliance with applicable data protection laws (GDPR, CCPA, etc.)
  • Regular security assessments of our data processing infrastructure

9. Children's Privacy

Our Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us immediately, and we will take steps to delete such information.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by:

  • Updating the "Last Updated" date at the top of this policy
  • Posting a notice on our Service
  • Sending you an email notification (for significant changes)

Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

SharedVault Pty Ltd
Email: [email protected]
Address: New South Wales, Australia

For data protection inquiries, please include "Privacy Inquiry" in the subject line of your email.

Last Updated: January 1, 2025