Privacy Policy
Last updated: May 2026
Private Vault (the "App") is designed with user privacy as the highest priority. This policy explains the data the App handles, the principles we follow, and the few exceptions where any data leaves your device. It applies to the App on iOS, macOS, and Android.
1. Core Principle — Zero-Knowledge Design
The App encrypts every photo, video, password, and metadata field on your device with an AEAD cipher (ChaCha20-Poly1305) under a 256-bit Master Key. That Master Key is never stored in the clear: it is kept wrapped (encrypted) under a key derived from your PIN with Argon2id (64 MiB memory, 3 iterations, parallelism 4). The unwrapped Master Key exists only in volatile RAM and is wiped the moment the vault locks.
- iOS · macOS The wrapped key is held in the Secure Enclave–backed iOS/macOS Keychain with biometry binding.
- Android The wrapped key is held in Android Keystore via EncryptedSharedPreferences and released only after BiometricPrompt confirmation.
We do not hold the encryption keys. We do not hold the encrypted data. There is no server-side copy of anything you store in the vault.
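The key hierarchy described above, as an added example written for this page rather than taken from the App: the PIN is stretched with Argon2id into a key-encryption key, the 256-bit Master Key is wrapped under it with ChaCha20-Poly1305, and vault items are encrypted under the unwrapped Master Key. The blob layout, the AAD labels, the function names and the scrypt fallback (used only so the demo runs where no Argon2id implementation is installed) are assumptions of this example, not the App's format.

```python
"""Added example (not the App's code): PIN -> Argon2id -> KEK -> wrapped Master Key.
A wrong PIN fails the Poly1305 tag check instead of producing garbage plaintext."""
import os
import hashlib
from typing import Optional
from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

# Argon2id parameters quoted by the policy: 64 MiB memory, 3 iterations, parallelism 4.
ARGON2_MEMORY_KIB = 64 * 1024
ARGON2_ITERATIONS = 3
ARGON2_LANES = 4
KEY_LEN = 32                                      # 256-bit keys throughout
WRAP_AAD = b"private-vault/master-key-wrap/v1"    # assumed label; binds the wrap to its purpose


def derive_kek(pin: str, salt: bytes) -> bytes:
    """Argon2id(PIN, salt) -> 32-byte key-encryption key.
    Tries `cryptography` (>= 44, needs OpenSSL with Argon2), then argon2-cffi.
    The final scrypt branch is a stand-in for this example only, not the policy's KDF."""
    try:
        from cryptography.hazmat.primitives.kdf.argon2 import Argon2id
        return Argon2id(salt=salt, length=KEY_LEN, iterations=ARGON2_ITERATIONS,
                        lanes=ARGON2_LANES, memory_cost=ARGON2_MEMORY_KIB).derive(pin.encode())
    except (ImportError, UnsupportedAlgorithm):
        pass
    try:
        from argon2.low_level import Type, hash_secret_raw
        return hash_secret_raw(pin.encode(), salt, time_cost=ARGON2_ITERATIONS,
                               memory_cost=ARGON2_MEMORY_KIB, parallelism=ARGON2_LANES,
                               hash_len=KEY_LEN, type=Type.ID)
    except ImportError:
        pass
    return hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def wrap_master_key(pin: str, master_key: bytes) -> dict:
    """Blob that would live in the Keychain/Keystore (and, with iCloud sync on, be replicated):
    salt, nonce and ciphertext+tag. None of it is usable without the PIN."""
    salt, nonce = os.urandom(16), os.urandom(12)
    kek = derive_kek(pin, salt)
    return {"salt": salt, "nonce": nonce,
            "ct": ChaCha20Poly1305(kek).encrypt(nonce, master_key, WRAP_AAD)}


def unwrap_master_key(pin: str, wrapped: dict) -> Optional[bytes]:
    """Return the Master Key, or None when the PIN or the blob is wrong (tag mismatch)."""
    kek = derive_kek(pin, wrapped["salt"])
    try:
        return ChaCha20Poly1305(kek).decrypt(wrapped["nonce"], wrapped["ct"], WRAP_AAD)
    except InvalidTag:
        return None


def encrypt_item(master_key: bytes, item_id: str, plaintext: bytes) -> bytes:
    """Encrypt one vault blob. The item id is bound as AAD so ciphertexts cannot be swapped
    between items; a fresh 96-bit nonce is prepended (never reuse a nonce under one key)."""
    nonce = os.urandom(12)
    return nonce + ChaCha20Poly1305(master_key).encrypt(nonce, plaintext, item_id.encode())


def decrypt_item(master_key: bytes, item_id: str, blob: bytes) -> Optional[bytes]:
    try:
        return ChaCha20Poly1305(master_key).decrypt(blob[:12], blob[12:], item_id.encode())
    except InvalidTag:
        return None


def unlock_and_read(pin: str, wrapped: dict, item_id: str, blob: bytes) -> Optional[bytes]:
    """The unlock path: unwrap under the PIN, decrypt one item, then drop the Master Key."""
    mk = unwrap_master_key(pin, wrapped)
    if mk is None:
        return None
    try:
        return decrypt_item(mk, item_id, blob)
    finally:
        mk = None   # Python cannot zeroise memory; the native App wipes the key from RAM on lock


if __name__ == "__main__":
    master = os.urandom(KEY_LEN)
    wrapped = wrap_master_key("2468", master)
    photo = encrypt_item(master, "photo-0001", b"JPEG bytes...")
    print(unlock_and_read("2468", wrapped, "photo-0001", photo))   # plaintext
    print(unlock_and_read("2469", wrapped, "photo-0001", photo))   # None: wrong PIN
```

The point worth noticing is that every failure (wrong PIN, tampered wrap, a blob moved to another item id) surfaces as a rejected authentication tag rather than as corrupted output, which is what makes the "Apple only ever sees ciphertext" claim in Section 3 meaningful: a replicated wrap is useless without the PIN.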
2. Data We Collect by Default
None. Out of the box, with every optional toggle in its default state, Private Vault does not:
- Register or manage user accounts
- Embed any third-party advertising SDK (e.g., AdMob, Meta Audience Network)
- Collect location data (EXIF GPS embedded in photo files stays on the device and can be stripped per-import or globally in Settings)
- Read the system Photo Library without your explicit per-asset selection through Apple's PHPicker (iOS/macOS) or Android's system Photo Picker
- Send vault contents — encrypted blobs, decrypted plaintext, master-key material, password fields, or file bytes — to any server controlled by us
- Sync to the cloud by default (on iOS and macOS you may opt in to iCloud sync of encrypted blobs only — see Section 3 below; the Android version performs no cloud sync of any kind)
The App does bundle three optional features that, when enabled, transmit narrowly-scoped data to third parties. They are described in Sections 3, 4, and 5 below.
3. Optional iCloud Sync iOS · macOS
On iOS and macOS, the App offers an optional iCloud sync feature so your vault can roam between your own Apple devices. This feature is opt-in and OFF by default; you enable it from Settings → Sync with iCloud. The Android version does not sync to the cloud and has no equivalent toggle.
When you enable iCloud sync, the following — and only the following — moves through Apple's CloudKit infrastructure inside your own private iCloud database:
- Encrypted blob ciphertext. Photo and video blobs are uploaded as CloudKit assets (CKAsset) consisting of the already-encrypted bytes that exist on disk. The sync layer never sees plaintext; the on-disk path of the ciphertext is handed to CloudKit unchanged.
- SwiftData metadata. Non-content metadata used to enumerate items (stable identifiers, sort timestamps, sync-state flags) is persisted in a CloudKit-backed SwiftData store. Sensitive fields (password text, file bytes, names you typed) are kept in a separate, non-synced store and are never replicated this way.
- The PIN-wrapped Master Key. To unlock the vault on a second device you must enter the same PIN. The PIN-wrapped key is stored in iCloud Keychain with its access class relaxed from WhenUnlockedThisDeviceOnly to WhenUnlocked, because Apple's end-to-end-encrypted Keychain sync never replicates ThisDeviceOnly items. The Master Key itself remains wrapped; Apple only ever sees ciphertext.
What this never includes: decrypted vault content, the Master Key in plaintext, your PIN, or anything else readable without your PIN. Neither we nor Apple can decrypt your vault from iCloud alone.
iCloud data is processed by Apple under your iCloud account, governed by the Apple Privacy Policy and the iCloud terms you accepted with Apple. Turning off the toggle stops further upload; previously-uploaded ciphertext can be removed by signing out of iCloud or deleting the App's iCloud container from Settings → Apple ID → iCloud → Manage Storage.
4. Diagnostics — Firebase Crashlytics iOS · macOS
On iOS and macOS, the App bundles Firebase Crashlytics (crash and non-fatal error reporting), provided by Google LLC. It is enabled by default so that we can investigate crashes and non-fatal errors. You can opt out at any time by turning off the master switch in Settings → Diagnostics; the change takes effect immediately and persists across updates.
When enabled, the diagnostics layer transmits the following — and only the following — to Google's Firebase backend:
- Crashlytics: crash stack traces, non-fatal NSError records, opaque breadcrumb strings describing app state transitions (for example, "migration started", "import succeeded count=N"), the Crashlytics installation UUID, the App and OS versions, and the device model.
- Filename and path arguments are SHA-256-hashed at the call site before they reach Crashlytics, so breadcrumb metadata never includes a real file path.
The diagnostics layer never transmits: photos, videos, file bytes, real filenames or paths, passwords, encryption keys, master-key material, the contents of password fields, or any decrypted vault content.
Diagnostics are on by default for new installs. For existing installs on which the toggle has never been changed, this default takes effect on the first launch after this update; if you previously opted out, your choice is preserved. Once disabled, no further reports are generated, although any reports already queued on disk may finish sending. Data Google processes under this feature is governed by the Firebase Privacy and Security policy and the Google Privacy Policy.
Android The Android version embeds no analytics, no crash reporting, and no Firebase SDKs. No equivalent toggle exists because there is nothing to disable.
5. HaveIBeenPwned Breach Check All platforms
If, and only if, you opt in to the password health-check feature, the App queries api.pwnedpasswords.com using the k-anonymity protocol:
- Your password is hashed locally with SHA-1.
- Only the first 5 hexadecimal characters of that hash (20 bits) leave the device.
- The password itself, the full hash, and any user identifier are never transmitted.
- The HaveIBeenPwned server cannot tell which password you checked: it sees only the 5-character prefix (plus, as with any HTTPS request, the network address the query comes from) and returns every breached suffix in that bucket, typically several hundred. The App compares the remaining 35 characters against that list locally.
- This feature is off by default and can be disabled at any time from Settings → Security → Password health check.
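The range query described above, as an added example written for this page (it is not the App's code). It runs offline against a constructed range response: the suffix for "password" is the real SHA-1 split, but the neighbouring suffixes and all counts are made up for the example. The `OfflineRange` stand-in records what it was asked so the test can confirm that only the 5-character prefix ever leaves; `fetch_range_live` shows the real request shape and is never called offline.

```python
"""Added example (not the App's code): Pwned Passwords k-anonymity range check."""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, split after 5 hex chars.
PASSWORD_SUFFIX = "1E4C9B93F3F0682250B6CF8331B7EE68FD8"
PAD_SUFFIX = "0" * 35     # constructed: a padding line (count 0) like the API adds on request
OTHER_SUFFIX = "F" * 35   # constructed: some other breached suffix in the same bucket

# Constructed response body in the API's "SUFFIX:COUNT" CRLF format; counts are made up.
# A real bucket holds several hundred such lines.
CONSTRUCTED_RESPONSES: Dict[str, str] = {
    "5BAA6": f"{PAD_SUFFIX}:0\r\n{PASSWORD_SUFFIX}:3730471\r\n{OTHER_SUFFIX}:12\r\n",
}


def split_hash(password: str) -> Tuple[str, str]:
    """Hash locally; only the first element (the prefix) may be sent anywhere."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Tolerates CRLF, skips malformed lines and the
    zero-count padding entries returned when Add-Padding is requested."""
    found: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix, count = suffix.upper(), count.strip()
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            found[suffix] = int(count)
    return found


def fetch_range_live(prefix: str) -> str:
    """Real network fetch (not exercised offline). Add-Padding makes every response a
    similar size, so traffic volume reveals nothing about the bucket; the API requires
    a User-Agent. The header name and the agent string are the only assumptions here."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "private-vault-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class OfflineRange:
    """Stand-in for the API that records each request it receives."""
    def __init__(self) -> None:
        self.requests: List[str] = []

    def fetch(self, prefix: str) -> str:
        self.requests.append(prefix)
        return CONSTRUCTED_RESPONSES.get(prefix, "")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range_live) -> int:
    """Number of breaches the password appears in (0 if not found). The suffix match
    happens here, on the device; the server never learns which entry was of interest."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    api = OfflineRange()
    print(breach_count("password", api.fetch))   # 3730471 (constructed count)
    print(api.requests)                          # ['5BAA6']: only the prefix left
```

Injecting the fetch function keeps the comparison logic testable without the network, and it also makes the privacy property auditable: whatever `fetch` is given is the complete set of bytes that leave the device for this feature.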
6. Device Permissions We Request
All permissions are used only when you explicitly act. No data is transmitted off the device as a side effect of granting them.
iOS · macOS
- Camera — used solely for in-app capture inside the vault. Photos and videos taken in-app are never saved to the system Camera Roll.
- Photo Library — used only to import the assets you explicitly select through Apple's PHPicker UI. The App never scans your full library.
- Face ID / Touch ID — used to unlock the vault. Biometric templates stay inside the device's Secure Enclave; the App only receives a yes/no decision.
- iOS AutoFill Credential Provider — used to autofill credentials into other apps via Apple's secure system mechanism. Credentials are only released after biometric or PIN confirmation.
Android
- Camera — used solely for in-app capture inside the vault. Photos and videos taken in-app are never saved to the system media store.
- Photos — used only to import the assets you explicitly select through Android's system Photo Picker. The App does not request READ_MEDIA_IMAGES / READ_MEDIA_VIDEO and cannot enumerate your library.
- Biometric (Fingerprint / Face) — used to unlock the vault via BiometricPrompt. Biometric templates stay inside the device's secure hardware; the App only receives a yes/no decision.
- Android Autofill Framework — used to autofill credentials into other apps via the system Autofill service. Credentials are only released after biometric or PIN confirmation.
7. Data Retention and Deletion
All vault data is stored on your device(s) and is removed when you delete it inside the App. The Reset Vault action in Settings (Danger Zone) deletes every encrypted blob, every database row, the Master Key wrap, and all preference state — completely and irreversibly. Because we never store your vault data on a server, there is no destination for a vault-data deletion request to send to us.
If you have enabled iCloud sync on iOS or macOS, ciphertext previously uploaded to your private iCloud database is removed by signing out of iCloud or by deleting the App's iCloud container from Settings → Apple ID → iCloud → Manage Storage. For Firebase Crashlytics data tied to your iOS/macOS installation, Google's standard retention policies apply; deleting and reinstalling the App generates a new anonymous installation ID.
8. Children's Privacy
The App is not directed at children under 13. We do not knowingly collect personal information from children under 13.
9. Policy Changes
If we update this policy, we will revise the "Last updated" date at the top of this page. For material changes that would expand what leaves your device, we will display an in-app notice before the change takes effect.
10. Contact
For privacy questions, contact ndlab.contact@ndlab.jp.