Privacy Policy

Last updated: March 25, 2026

1. Data We Collect

  • Email address -- used for authentication and account communication
  • Hashed password -- bcrypt-hashed, never stored in plaintext
  • Encrypted key shares -- Shamir shares encrypted with AES-256-GCM; we never store or see your full plaintext API keys
  • Usage logs -- timestamps, endpoint paths, and HTTP status codes for proxy calls
  • Stripe customer ID -- for processing billing on paid plans

2. Data We Do NOT Collect

  • Full API keys -- keys are Shamir-split on the client before transmission; the server never receives the complete key
  • Browsing history -- we do not track pages you visit outside VaultProof
  • IP addresses -- IPs are used in-memory for rate limiting only and are not persisted or logged

3. How We Use Your Data

  • Authenticate you and manage your account
  • Store encrypted Shamir shares so your keys can be reassembled for proxied API calls
  • Process billing through Stripe
  • Monitor and improve service reliability and performance

4. Third-Party Services

We use the following third-party services to operate VaultProof:

  • Stripe -- payment processing and subscription management
  • Supabase -- PostgreSQL database hosting and authentication infrastructure
  • Cloudflare -- CDN, DDoS protection, and edge proxy workers
  • Sentry -- error tracking and performance monitoring (no PII is sent to Sentry)

5. Data Retention

While your account is active, all associated data is retained. When you delete your account, all data is permanently destroyed via cascading delete -- this includes encrypted shares, usage logs, billing references, and account metadata. Deletion is irreversible.

6. Security

We take security seriously. Our architecture includes:

  • AES-256-GCM encryption for all stored key shares
  • Shamir Secret Sharing -- keys are split before leaving your device
  • Zero-knowledge proofs (Noir) for key verification without exposure
  • HMAC-based proxy authentication to prevent unauthorized API calls

7. Your Rights

You have the right to:

  • Access your stored data through the Dashboard
  • Export your data at any time
  • Delete your account and all associated data
  • Revoke any stored API key at any time

8. GDPR

We process personal data under the lawful basis of legitimate interest (providing the Service you signed up for). Data is stored in the United States via Supabase (AWS infrastructure). If you are located in the EU/EEA, you may request access to, correction of, or deletion of your personal data by contacting us. We will respond to GDPR requests within 30 days.

9. Cookies and Local Storage

VaultProof does not use tracking cookies. We use localStorage for two purposes only:

  • Storing your authentication token (so you stay logged in)
  • Storing notification read state (so dismissed notices stay dismissed)

No third-party tracking cookies are set.

10. Children

VaultProof is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If we learn that we have collected data from a user under 18, we will delete their account and data promptly.

11. Contact

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at hello@vaultproof.dev.