1. Introduction

This Privacy Policy explains what information VaultX ("the app", "we", "us") collects and how it is used. VaultX is a local password manager designed to securely store passwords and sensitive account credentials. We are committed to protecting your privacy and operating with full transparency.

2. Information We Collect

2.1 Information We Do NOT Collect

VaultX does not collect:

• Personally identifiable information such as name, email address, or phone number
• Location data (GPS)
• Contacts, calendars, or browsing history
• Advertising identifiers
• Usage analytics or behavioral tracking data
• Your stored passwords or account credentials (never transmitted to our servers)

2.2 Information Stored Locally on Your Device

The following information is encrypted with AES-256 and stored exclusively on your device. It is never transmitted to external servers:

• Password entries: Site names, usernames, passwords, URLs, notes, and any other information you enter
• Master password: Processed through PBKDF2 key derivation — we have no access to it
• Biometric data: Stored only in the iOS Secure Enclave on your device
• App settings: Auto-lock preferences, premium status, and similar configuration

2.3 Breach Database Check (Have I Been Pwned)

When you use the password health check feature, VaultX queries the Have I Been Pwned (HIBP) service. This process uses k-anonymity:

• Only the first 5 characters of a SHA-1 hash of your password are transmitted
• Your actual password or full hash is never sent
• No identifying information (site name, username, etc.) is included in the request

2.4 RevenueCat (In-App Purchases)

We use RevenueCat to process VaultX Premium purchases. RevenueCat handles:

• An anonymous user identifier (auto-generated by the app, not personally identifiable)
• Purchase status and receipt information

Payment information and your Apple ID are handled directly by Apple. We have no access to them.

3. How We Use Information

• Password storage: Encrypt and store your entries in the local vault on your device
• AutoFill: Sync credentials to the iOS keychain on-device to enable AutoFill in apps and browsers
• Biometric authentication: Unlock your vault using Face ID or Touch ID
• Security health check: Analyze password strength and check for breaches locally + via HIBP k-anonymity
• Purchase verification: Confirm Premium status via RevenueCat

4. Data Storage & Security

4.1 Military-Grade Encryption

All password data is protected with AES-256-GCM encryption. Your master password is never stored — it is processed through PBKDF2 key derivation to produce an encryption key. Neither we nor anyone else can access your vault without the master password.

4.2 No External Servers

VaultX operates no servers of its own. Your stored passwords and account credentials are never transmitted over the internet.

4.3 iCloud Sync (Optional, Premium)

Premium users may optionally enable iCloud sync to access their vault across multiple devices. When enabled:

• Data is uploaded to iCloud in its fully encrypted form
• We cannot access data stored in your iCloud
• Apple's iCloud Privacy Policy applies

4.4 Decoy Mode (Optional, Premium)

Decoy Mode creates a separate, isolated fake vault accessible via a second password. In a coercion scenario, you can unlock this vault to show convincing but non-sensitive data. Your real vault remains protected at all times.

5. Third-Party Services

Service	Purpose	Data Shared
RevenueCat	In-app purchase management	Anonymous user ID, purchase status
Apple App Store	Payment processing	Handled directly by Apple — not by us
Have I Been Pwned	Password breach checking	First 5 chars of SHA-1 hash only (k-anonymity)

We do not use advertising networks, behavioral tracking, or analytics services of any kind.

6. App Permissions

Permission	Purpose	Required
Face ID / Touch ID	Biometric vault unlock	Optional
iCloud	Encrypted cross-device sync	Optional — Premium
AutoFill (Credential Provider)	AutoFill in apps and browsers	Optional

VaultX does not request access to your camera, microphone, location, contacts, or calendar.

7. In-App Purchases

• Payments are processed by Apple and managed via RevenueCat
• We do not receive your payment details or Apple ID
• RevenueCat only receives an anonymous identifier and purchase status
• Purchases can be restored on any device using the same Apple ID
• VaultX Premium is a one-time lifetime purchase — not a subscription

8. Data Retention

• Passwords and entries: Retained on your device until you delete them or uninstall the app
• iCloud sync data: Can be deleted directly from your iCloud settings
• Purchase history: Retained by RevenueCat per Apple's policies

Uninstalling VaultX permanently removes all local data from your device. We hold no copy of it and cannot assist with recovery.

9. Children's Privacy

VaultX is not directed at children under the age of 13. The app does not require account creation and does not collect personal information.

10. Your Rights

• View and delete all password entries within the app at any time
• Export your data via CSV at any time
• Permanently delete all local data by uninstalling the app
• Manage AutoFill and iCloud permissions via iOS Settings

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the app after any changes constitutes your acceptance of the revised policy.

12. Contact