Privacy Policy

Your privacy is of the utmost importance to us. This Privacy Policy describes how PlainSpeech Vault ("we", "us", or "our") handles information when you use the PlainSpeech Vault web application (the "Service").

1. Collection of Personal Data

Because the Service runs entirely client-side, we do not collect or store any personal data.

• No Accounts: You do not register for a PlainSpeech Vault account. There is no central user database.
• No Passphrase/Key Transmission: Your master passphrase, derived encryption keys, and 2FA secrets never leave your device. They are kept in your browser's active memory session and are destroyed when you lock the vault or close the browser tab.
• No File Transmission: Your files, notes, and stored 2FA (TOTP) credentials are encrypted locally on your device and sent directly to your authorized cloud storage provider. They are never sent to us or any intermediary servers.

2. Third-Party Integration and Permissions

To store your encrypted files, the Service integrates directly with your cloud storage accounts (Google Drive or Apple iCloud).

Google Drive API Usage

If you select Google Drive as your storage provider, the Service requests authorization for the Google Drive API.

• Limited Sandbox Scope (appDataFolder): PlainSpeech Vault only requests access to the https://www.googleapis.com/auth/drive.appdata scope. This is a special, hidden application-specific folder that is completely invisible to you in your normal Google Drive interface and isolated from all other files.
• No General File Access: The Service cannot view, modify, or delete any of your other Google Drive files, photos, or documents.
• Compliance: Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Apple iCloud API Usage

If you select Apple iCloud, the Service uses CloudKit to store encrypted configurations and file payloads in your private CloudKit database container. We have no developer access to your private database.

3. Cookies and Local Storage

The Service does not use marketing cookies. It relies solely on local browser storage for essential technical functionalities:

• localStorage: Used to remember your choice of storage provider and user interface preferences (such as light or dark theme).
• sessionStorage: Used temporarily during your active session to hold the decrypted Master Encryption Key (MEK). This allows you to work with your files without typing your passphrase on every action. It is immediately wiped when you click "Lock Vault", sign out, or close the tab/window.

4. Google Analytics

We use Google Analytics to gather anonymous, aggregate usage statistics to improve the Service.

• Tracked Events: We track page views (e.g. active tab switches), total count of files encrypted or decrypted, and setting selections (e.g. theme changes).
• Sensitive Data Excluded: We absolutely do not track passphrases, keys, filenames, file contents, file paths, notes, or search queries. All tracked events are strictly anonymous and contain no identifying or cryptographic details.

5. Security of Data

We use the industry-standard Web Crypto API supported by modern browsers to secure your data. Your files, notes, and 2FA credentials are encrypted using AES-GCM 256-bit encryption before upload. Since your keys are derived from your master passphrase using PBKDF2 (100,000 iterations), your security depends entirely on the complexity of your master passphrase.

6. Changes to this Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top.

7. Contact Us

If you have questions or suggestions about our Privacy Policy, do not hesitate to contact us at [email protected].