Privacy Policy

Effective Date: 1st July 2025
Last Updated: 15th July 2025

At Eternal Vault, your privacy is our top priority. This Privacy Policy explains how we collect, use, protect, and handle your information when you use our service to help your family.

1. Information We Collect

1.1 Account Information

Personal Information: Name, email address, phone number (if provided)
Authentication Data: Account credentials, security questions, and two-factor authentication settings
Profile Information: User preferences, account settings, and service configuration

1.2 Vault Content

Documents and Files: All files you upload to your vault (encrypted before transmission)
Messages and Notes: Personal messages, instructions, and metadata you create
Contact Information: Details about your trusted contacts and their trust levels

1.3 Usage and Activity Data

Service Usage: Login times, feature usage, heartbeat responses, and account activity
Technical Data: IP addresses, device information, browser type, and operating system
Communication Records: Support requests, feedback, and correspondence with us

1.4 Trusted Contact Information

Contact Details: Names, email addresses, and verification data for trusted contacts
Verification Records: OTP generation, verification attempts, and access logs
Access Activity: When and how trusted contacts interact with shared content

2. How We Use Your Information

2.1 Service Provision

Account Management: Creating and maintaining your account
Content Storage: Securely storing your encrypted documents and data
Access Control: Managing trusted contacts and their access permissions
Heartbeat Monitoring: Tracking your activity to determine vault access triggers

2.2 Communication

Service Notifications: Account alerts, security notifications, and system updates
Heartbeat Reminders: Periodic check-ins and missed heartbeat notifications
Support Services: Responding to your questions and providing assistance
Emergency Communications: Contacting trusted contacts when access conditions are met

2.3 Security and Fraud Prevention

Account Security: Detecting and preventing unauthorized access
Service Integrity: Monitoring for abuse, fraud, and policy violations
System Security: Maintaining and improving our security measures

2.4 Service Improvement

Analytics: Understanding how users interact with our service (aggregated and anonymized)
Performance Monitoring: Identifying and fixing service issues
Feature Development: Developing new features based on user needs

3. Our Zero-Knowledge Architecture

3.1 Encryption

Client-Side Encryption: All sensitive data is encrypted on your device before transmission
Master Key Security: Your master key never leaves your device in unencrypted form
Server-Side Storage: We store only encrypted data that we cannot decrypt

3.2 Access Limitations

No Access to Content: We cannot view, access, or decrypt your stored documents
Limited Metadata: We only access necessary metadata for service operation
Trusted Contact Privacy: Contact OTPs and sensitive details are encrypted

3.3 Security Measures

Encryption Standards: AES-256 encryption with secure key derivation (Scrypt)
Transport Security: TLS 1.3 for all data transmission
Infrastructure Security: Secure servers, regular security audits, and penetration testing

4.1 General Policy

No Sale of Data: We never sell, rent, or trade your personal information
Limited Sharing: We share information only as described in this policy
User Control: You control who can access your vault content through trusted contacts

4.2 Trusted Contacts

Authorized Access: Trusted contacts receive access only when you’ve configured it
Contact Verification: We share verification codes and access instructions as needed
Content Sharing: Vault content is shared with trusted contacts according to your settings

4.3 Service Providers

Third-Party Services: We may use trusted service providers for hosting, analytics, and support
Data Processing Agreements: All providers sign strict data processing agreements
Limited Access: Providers receive only the minimum data necessary for their services

4.4 Legal Requirements

Legal Compliance: We may disclose information when required by law
Court Orders: We comply with valid court orders and legal processes
Emergency Situations: We may disclose information to prevent imminent harm

5. Data Retention and Deletion

5.1 Account Data

Active Accounts: Data is retained while your account is active
Account Deletion: Data is permanently deleted within 60 days of account termination
Backup Retention: Encrypted backups are retained for 60 days for recovery purposes

5.2 Trusted Contact Access

Shared Content: Trusted contacts may retain access to shared content
Access Logs: We maintain access logs for security and audit purposes
Deletion Requests: You can request deletion of specific data types

5.3 Legal Retention

Legal Holds: We may retain data longer when required by law
Dispute Resolution: Data may be retained during active legal proceedings
Regulatory Compliance: We comply with applicable data retention regulations

6. Your Rights and Choices

6.1 Access and Control

Account Access: You can access and modify your account information at any time
Content Management: You control what content is stored and shared
Trusted Contacts: You can add, remove, or modify trusted contacts

6.2 Data Rights

Data Portability: You can export your data in standard formats
Correction Rights: You can correct inaccurate personal information
Deletion Rights: You can request deletion of your account and data

6.3 Communication Preferences

Email Notifications: You can manage email notification preferences
Heartbeat Settings: You can adjust heartbeat frequency and methods
Marketing Communications: You can opt out of non-essential communications

7. International Data Transfers

7.1 Data Processing

Primary Location: Data is primarily processed in Helsinki, Finland
Cross-Border Transfers: Data may be transferred to other countries for processing
Adequacy Decisions: We ensure adequate protection for international transfers

7.2 Safeguards

Standard Contractual Clauses: We use approved contractual clauses for transfers
Encryption: All data is encrypted during transfer and storage
Access Controls: Strict access controls limit data exposure

8. Children’s Privacy

8.1 Age Restrictions

Minimum Age: Our service is not intended for users under 18
Age Verification: We may verify age during account registration
Parental Consent: We do not knowingly collect data from minors without consent

8.2 Discovery of Minor Data

Immediate Action: We delete accounts of users under 18 when discovered
Parental Contact: We may contact parents/guardians when appropriate
Data Deletion: All associated data is permanently deleted

9. Security Measures

9.1 Technical Safeguards

Encryption: Industry-standard encryption for all sensitive data
Access Controls: Role-based access controls and multi-factor authentication
Network Security: Firewalls, intrusion detection, and secure networks

9.2 Organizational Safeguards

Employee Training: Regular security training for all staff
Background Checks: Security clearance for employees with data access
Incident Response: Comprehensive incident response and breach notification procedures

9.3 Physical Security

Secure Facilities: Data centers with physical security controls
Access Restrictions: Limited physical access to servers and infrastructure
Environmental Controls: Climate control and disaster prevention measures

10. Cookies and Tracking

Essential Cookies: Required for basic service functionality
Preference Cookies: Store your settings and preferences
Analytics Cookies: Help us understand service usage (anonymized)

Browser Controls: You can control cookies through browser settings
Opt-Out Options: You can opt out of non-essential cookies
Third-Party Cookies: We limit third-party cookie usage

11. Third-Party Services

11.1 Service Integration

Payment Processing: Secure payment processing through trusted providers
Analytics: Privacy-focused analytics to improve our service
Support Services: Customer support and communication tools

11.2 Third-Party Policies

Independent Policies: Third parties have their own privacy policies
Limited Data Sharing: We share only necessary data with third parties
Vendor Management: We regularly review and assess third-party practices

12. Data Breach Notification

12.1 Incident Response

Immediate Action: We investigate and contain breaches immediately
Risk Assessment: We assess the impact and risk to user data
Notification Timeline: We notify affected users within 72 hours when required

12.2 Breach Communication

User Notification: Direct notification to affected users
Regulatory Reporting: Compliance with breach notification laws
Remediation Steps: Clear guidance on protective actions users can take

13. Changes to This Policy

13.1 Policy Updates

Regular Review: We review and update this policy regularly
Material Changes: Significant changes are communicated clearly
Effective Date: Updates take effect on the specified date

13.2 User Notification

Email Notification: We email users about policy changes
In-App Notifications: Important changes are highlighted in the app
Website Updates: The current policy is always available on our website

14. Contact Information

For questions about this Privacy Policy or your data, please contact us:

Email: [email protected]
Website: https://eternalvault.app/contact

15. Regulatory Compliance

Legal Basis: We process data based on legitimate interests and consent
Data Protection Officer: Akash Rajpurohit
EU Representative: Akash Rajpurohit

15.2 Other Regulations

CCPA Compliance: We comply with California Consumer Privacy Act requirements
Industry Standards: We follow relevant industry privacy standards
Regular Audits: We conduct regular compliance audits and assessments

By using Eternal Vault, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy.