Privacy Policy
Effective date: June 9, 2026 · Last updated: June 9, 2026
This Privacy Policy explains how Vault Desk (“Vault Desk”, “we”, “us”) collects, uses, and protects information when you use Vault Desk, our zero-knowledge, end-to-end encrypted cloud storage service (the “Service”). It should be read together with our Terms of Service.
1. Information we collect
Account information
- Your email address, used as your account identifier and to send essential service and security messages.
- An OPAQUE registration record — a cryptographic verifier used to authenticate you. This is not your password; we never receive or store your password.
Encrypted content (unreadable to us)
- The encrypted contents of files you upload, stored as opaque blobs.
- Encrypted file and folder names and wrapped (encrypted) keys. We hold only the wrapped keys and cannot decrypt them.
Operational metadata
- Minimal data needed to run the Service: file sizes, created/updated timestamps, folder relationships, storage identifiers, your subscription plan, and total storage used. This is not the content of your files.
Billing information
- Payments are handled by our processor, Polar. We receive your subscription/plan status and limited transaction metadata. We do not receive or store your full card number.
Technical & usage data
- Server logs (e.g., IP address, timestamps, request type) retained for security and abuse prevention.
- Privacy-friendly analytics via Piqo — aggregate, cookieless page-visit statistics. No cross-site tracking and no advertising profiles.
2. What we cannot access
- The contents of your files.
- Your file and folder names (encrypted on your device).
- Your password (handled via OPAQUE — never transmitted to us).
- Your encryption keys (we store only wrapped keys we cannot open).
We do not sell your personal data and do not use your data for advertising.
3. How we use information
- Provide, maintain, and secure the Service (store and retrieve your encrypted data, authenticate you).
- Process subscriptions and enforce storage quotas.
- Detect, prevent, and investigate abuse, fraud, and security incidents.
- Communicate with you about your account, security, and material changes.
- Comply with legal obligations.
4. Legal bases (EEA/UK users)
Where the GDPR or UK GDPR applies, we process personal data under one or more of: performance of a contract (providing the Service), legitimate interests (security, abuse prevention, improving the Service), legal obligation (tax, accounting, lawful requests), and consent where required.
5. Sharing & subprocessors
We do not sell personal data. We share limited data with service providers (“subprocessors”) strictly to operate the Service. Your encrypted content remains unreadable to them:
- Neon — managed PostgreSQL database (account records and encrypted metadata).
- Cloudflare R2 — encrypted file storage.
- Polar — payments and subscription management.
- Render — application hosting.
- Piqo — cookieless web analytics.
We may disclose information if required by law or to protect rights and safety — but because of end-to-end encryption, we cannot produce decrypted content.
6. Data location & international transfers
Your data may be processed in the European Union and the United States. Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses.
7. Data retention
- Account & encrypted data: kept while your account is active. When you delete a file or your account, the associated records and blobs are deleted within 30 days; routine backups age out within 35 days.
- Logs: retained for up to 90 days.
- Billing records: retained as required by law (e.g., for tax purposes).
8. Your rights
Depending on where you live (e.g., under GDPR/UK GDPR or CCPA/CPRA), you may have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object or withdraw consent. Note that for end-to-end encrypted content, only you can decrypt it — we can provide the ciphertext we hold but cannot decrypt it for you. To exercise your rights, contact privacy@vaultdesk.io. You may also lodge a complaint with your local data protection authority.
9. Security
We protect your data with end-to-end encryption (XChaCha20-Poly1305), the OPAQUE password-authenticated key exchange, key transparency, TLS in transit, and access controls. No method of transmission or storage is perfectly secure, and you are responsible for safeguarding your password and recovery key.
10. Account recovery & key loss
Because we never hold your password or your unwrapped keys, if you lose both your password and your recovery key, we cannot restore access to your encrypted data. Please store your recovery key somewhere safe.
11. Cookies
We use a strictly necessary mechanism to keep you signed in during a session. Our analytics (Piqo) is cookieless. We do not use advertising or cross-site tracking cookies.
12. Children
Vault Desk is not directed to children under 16, and we do not knowingly collect their personal data.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will revise the “Last updated” date and, for material changes, provide additional notice.
14. Contact
Vault Desk, Athens, Greece. Privacy questions: privacy@vaultdesk.io.