Privacy Policy
Last updated: March 18, 2025
1. What Vaulted does
Vaulted is a free web-based service for sharing encrypted, self-destructing secrets. You write a secret, it gets encrypted in your browser, and you receive a one-time link to share. The secret is permanently deleted after the view limit is reached or the expiration time passes.
2. Zero-knowledge architecture
All encryption and decryption happens in your browser using the Web Crypto API (AES-256-GCM). The encryption key is placed in the URL fragment (the part after #), which is never sent to our server per RFC 3986.
Our server stores only encrypted ciphertext, a view counter, and an expiration timestamp. We cannot decrypt your data because we never possess the key. Even a complete server compromise would yield only encrypted blobs.
3. Data we collect
Secret content
We store only AES-256-GCM encrypted ciphertext. We never see or store plaintext. Encrypted data is permanently deleted when the view limit is reached or the TTL expires.
IP addresses
IP addresses are processed in memory for rate limiting (10 creates/min, 30 views/min per IP) but are not logged or stored persistently.
Analytics
We use privacy-focused analytics (Umami) that collect no personal data, set no cookies, and perform no cross-site tracking. Analytics data is aggregated and cannot be used to identify individual users.
No accounts or identifiers
Vaulted requires no user accounts, no email addresses, and no registration. There is no way to associate a secret with a specific person.
4. Cookies
Vaulted does not set any first-party tracking cookies. Our analytics provider (Umami) is cookieless. Your browser may store standard functional data (e.g., theme preference) via localStorage, but this data never leaves your device.
5. Third-party services
Upstash Redis
Encrypted secret data is stored in Upstash Redis with automatic TTL-based expiry. Upstash processes data in accordance with their privacy policy. They only ever receive encrypted ciphertext.
Vercel
Vaulted is hosted on Vercel. Vercel may process standard HTTP metadata (IP addresses, user agents) as part of serving requests. See Vercel's privacy policy.
Web3Forms
The feedback button uses Web3Forms to deliver messages. If you submit feedback, your message and any information you include are sent to Web3Forms for delivery.
6. Data sharing
We do not sell, trade, or share your data with third parties. The only data that exists on our servers is encrypted ciphertext that we cannot read. We will comply with valid legal requests, but can only provide encrypted data that is useless without the decryption key we do not possess.
7. Data retention
Secrets are permanently deleted when the view limit is reached or the expiration time passes, whichever comes first. The maximum expiration is 30 days. Unretrieved secrets are automatically purged after expiry. There are no backups, recycle bins, or recovery mechanisms.
8. Children
Vaulted is not intended for children under 16. We do not knowingly collect any personal information from children.
9. Changes to this policy
We may update this policy from time to time. Changes will be posted on this page with an updated date. For significant changes, we will provide a notice on the home page.
10. Contact
If you have questions about this privacy policy, contact us at [email protected].