
Privacy Policy

Last updated: March 2026

1. Overview

VaultKeepR is a zero-knowledge password manager. All encryption and decryption happens on your device. We have designed the Service to collect as little data as possible. This policy describes what data is processed when you use specific features.

2. Data we never have access to

By design, the following data never leaves your device and we cannot access or recover it:

  • Your master password.
  • Your wallet private keys or NFC hardware seed.
  • The plaintext contents of your vault (passwords, usernames, notes, TOTP secrets, identities, cards).
  • Websites you visit or credentials you autofill (the extension processes this 100% locally).
  • Your browsing history or page content.

3. Data we process (only when you use specific features)

We do not use cookies, analytics, or tracking. The only data we process is data you explicitly send to our server when you use one of the following features:

  • Vault sync (IPFS): if you enable sync, we store a mapping of your public wallet address to the latest IPFS content identifier (CID) and a timestamp. The vault itself is encrypted and stored on IPFS — we only keep the pointer, not the data.
  • Wallet signatures: when you update your vault CID or perform authenticated actions, we verify your wallet signature to confirm you are the address owner. Signatures are checked and discarded — they are not stored.
  • Email aliases: if you create forwarding aliases, we store the alias address, your real destination email, optional labels, and wallet linkage in our database so that mail can be routed. This is personal data.
  • Fragmented recovery: if you use fragmented backup, we store a recovery manifest keyed by a hash you provide, with references (CIDs) to encrypted shards. We cannot reconstruct your vault without your recovery information.
  • Premium payments: payments are handled entirely by Stripe or Apple. We receive only a customer identifier and subscription status from the payment processor — we never see your card details or billing address.
  • Contact form: if you contact us, we receive the information you choose to send.

4. Browser extension

The extension accesses web pages to detect login fields and fill credentials. All processing is 100% local. No page content, credentials, browsing data, or autofill activity is ever sent to our servers. The only network requests the extension makes are those you explicitly trigger: vault sync, alias management, or premium features.

5. Decentralised storage (IPFS) and public networks

Content uploaded to IPFS or similar systems may be replicated across nodes and referenced by CIDs. Even when encrypted, metadata (timing, size, CID relationships) may be observable. You choose whether to use these features and should assess residual risks (e.g. future cryptanalysis, misconfiguration exposing keys).

6. Purposes and legal bases (EEA / UK)

Where GDPR applies, we rely on appropriate bases such as: performance of a contract (providing the Service you request); legitimate interests (security, abuse prevention, product improvement, analytics that do not override your rights); and consent where required (e.g. certain cookies or marketing, if offered). Payment processing is necessary to perform premium subscriptions.

7. Retention

We retain information only as long as needed for the purposes above, legal obligations, dispute resolution, and enforcement of agreements. Technical logs may be rolled on a short cycle. Wallet-linked registry data persists until you delete or overwrite it via the product flows. Alias and billing records may be retained longer where required for legal or accounting reasons.

8. Sharing and processors

We use subprocessors (hosting, database, email delivery, payment, blockchain RPC, IPFS infrastructure, error monitoring) who process data on our instructions. We do not sell your personal data. We may disclose information if required by law or to protect rights, safety, and integrity of the Service.

9. International transfers

Our providers may process data in countries outside your own, including outside the EEA. Where required, we use appropriate safeguards (e.g. Standard Contractual Clauses) in agreements with processors.

10. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, or port certain personal data, and to object to certain processing. You may withdraw consent where processing is consent-based. To exercise rights, contact us using the channels on the website or app. You may also lodge a complaint with a supervisory authority.

11. Children

The Service is not directed at children under the age where parental consent is required for data processing in your region. We do not knowingly collect personal data from such children.

12. Changes

We may update this Privacy Policy. The "Last updated" date will change. For material changes, we will provide notice as appropriate. Continued use after the effective date constitutes acceptance unless applicable law requires otherwise.

13. Operator

VaultKeepR is operated by an independent developer based in France. Detailed legal identification information is available upon explicit written request sent to the contact address below.

14. Contact

For privacy-related requests or questions, contact us at [email protected] or through the channels indicated on the main website.
