Skip to main content
Legal

Privacy Policy

Effective date: April 2026

Zero-Knowledge Architecture

Your data is encrypted in your browser with a key generated on your device before it reaches VaultPass. We store only the scrambled result (ciphertext). To deliver your vault to your heir automatically, we hold the encrypted heir and sentinel shards and combine them only when the dead man's switch fires.

What We Collect — and What We Never Do
Data
Why
Collected
Email address
Authentication, check-in reminders, heir notification
Encrypted vault ciphertext
Storing your inheritance instructions (unreadable by us)
Check-in timestamps
Tracking your check-in schedule and triggering the switch
Payment status
Subscription management (via Stripe/BTCPay — not card details)
Seed phrases / private keys
Unencrypted wallet data
Master password
IP address (transient)
Rate-limiting & abuse prevention only — never stored for tracking or geolocation
Behavioural / tracking data
Payment card details
01

How We Use Your Data

We use your email address to: authenticate your account, send check-in reminders, send warning emails when the dead man's switch approaches, and deliver the vault access token to your heir when triggered. We use payment status to maintain subscription access. We do not sell, share, or use your data for advertising, analytics, or any purpose beyond providing the VaultPass service.

02

Data Storage & Security

Encrypted vault data is stored on Supabase infrastructure exclusively within the European Economic Area. All data in transit is protected with TLS 1.3. Encryption at rest uses AES-256. We do not store payment card details — all card processing is handled by Stripe under their PCI-DSS compliance.

03

Cookies

We use only essential authentication cookies required to keep you logged in. No tracking cookies. No advertising. No third-party analytics that identify you personally. We do not use Google Analytics, Meta Pixel, or any behavioural tracking tools.

04

Data Retention

Your encrypted vault data is retained for the duration of your active subscription plus 90 days after cancellation. You may request immediate deletion at any time. When you delete your account, all data is permanently and irreversibly removed from our systems within 7 days.

Third-Party Services
Stripe
Payment processing (PCI-DSS compliant)
stripe.com/privacy
BTCPay Server
Self-hosted crypto payment processing (no third-party card data)
btcpayserver.org
Supabase (EU)
Encrypted data storage, EU region only
supabase.com/privacy
Resend
Transactional email delivery
resend.com/privacy
Your GDPR Rights
Access
Request a copy of all personal data we hold about you.
Rectification
Correct inaccurate personal data at any time.
Erasure
Request deletion of your account and all associated data (right to be forgotten).
Portability
Receive your data in a machine-readable format (JSON export available).
Object
Object to processing of your personal data for specific purposes.
Withdraw Consent
Withdraw consent at any time where processing is based on consent.

To exercise any GDPR right, email [email protected]. We respond within 30 days.

Last updated: April 2026 · VaultPass · Warsaw, Poland · EU