Privacy Policy

Last updated: March 2026 — Effective: March 2026

Summary: We collect only what is necessary to provide the service. Your files are encrypted. Your data stays in Europe. We never sell, share, or analyze your content. You can delete everything at any time.

1. Data Controller

OneSecureVault is the data controller responsible for processing your personal data in connection with the Secure Vault application and website.

Contact: legal@onesecurevault.com
Data Protection inquiries: privacy@onesecurevault.com

We are committed to protecting your privacy in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Digital Services Act (EU) 2022/2065 (DSA), and all applicable European Union data protection law.

2. Scope of This Policy

This Privacy Policy applies to:

  • The Secure Vault mobile application (Android, iOS)
  • The Secure Vault website (onesecurevault.com)
  • All related services, APIs, and infrastructure operated by OneSecureVault

By using any of the above, you acknowledge that you have read and understood this policy.

3. Minimum Age & Children's Privacy

GDPR Art. 8 • COPPA

Secure Vault is not directed to children. You must be at least 16 years old to create an account and use the service, in compliance with Article 8 of the GDPR for digital services in the European Union.

If you are located in a jurisdiction where the minimum age of digital consent is higher, that higher age applies to you.

We do not knowingly collect personal data from anyone under the minimum applicable age. If we become aware that a user is underage, we will immediately suspend the account and permanently delete all associated data. If you believe a child has created an account, please contact us at privacy@onesecurevault.com.

4. Data We Collect

We apply strict data minimisation. We only collect what is strictly necessary to operate the service.

4.1 Account Data

  • Email address — used for account creation, authentication, and essential communications
  • Username — used to personalise your experience
  • Password — stored as a bcrypt hash, never in plain text
  • Account creation date
  • Terms acceptance timestamp — recorded when you accept these terms

4.2 Content You Upload

  • Photos and videos — media files you explicitly choose to upload or capture through the app
  • Notes — text notes you create within the app
  • Folder names and structure — the organisation you create for your files
  • File metadata — file name, size, MIME type, upload timestamp

We do not read, scan, or analyze the content of your files. Files are encrypted at rest using AES-256.

4.3 Technical & Security Data

  • IP address — logged at authentication events for security and fraud prevention
  • User agent / device type — logged at authentication for security purposes
  • Authentication timestamps — login and logout events
  • JWT authentication token — stored securely on your device for session management
  • Rate limiting counters — to protect against abuse, stored temporarily

4.4 Data We Do NOT Collect

We explicitly do not collect:

  • Advertising identifiers (IDFA, GAID)
  • Location data or GPS coordinates
  • Contacts or address book
  • Device serial numbers or hardware identifiers
  • Biometric data
  • Behavioural analytics or usage telemetry
  • Cookies or cross-app tracking identifiers
  • Social profile data

5. Mobile App Permissions

The Secure Vault app may request the following device permissions. Each permission is optional unless explicitly noted, and access is only used for the stated purpose.

Permission | Purpose | Required
Camera | Capture photos and videos directly within the app for upload to your vault | Optional
Photo Library / Storage | Select and upload existing photos and videos from your device | Optional
Internet / Network | Connect to the Secure Vault servers to sync and access your files | Required

We never access your camera, microphone, or photo library in the background. Access occurs only when you actively use a related feature. You can revoke any permission at any time in your device settings.

6. How We Use Your Data & Legal Basis (GDPR Art. 6)

Purpose | Legal Basis | Details
Providing the storage service | Contract (Art. 6.1.b) | Storing and retrieving your files, managing folders, authenticating your identity
Account management | Contract (Art. 6.1.b) | Creating and managing your account, sending essential service emails
Security & fraud prevention | Legitimate interest (Art. 6.1.f) | Logging authentication events, detecting unauthorised access, rate limiting
Legal compliance | Legal obligation (Art. 6.1.c) | Retaining records required by applicable law, responding to lawful requests
Terms acceptance record | Legal obligation (Art. 6.1.c) | Recording consent and terms acceptance timestamps

7. Data Storage, Location & Security

7.1 Storage Location

All personal data and user files are stored exclusively on servers located within the European Union. Our infrastructure provider is OVHcloud SAS (2 rue Kellermann, 59100 Roubaix, France), with data centre infrastructure in the European Union. Your data never leaves the EU.

7.2 Security Measures

  • Encryption at rest: All files are encrypted using AES-256
  • Encryption in transit: All communications are secured with TLS 1.3
  • Password hashing: Passwords are hashed with bcrypt — we cannot recover your password
  • Folder passwords: Hashed and never stored in plain text
  • Authentication tokens: Short-lived JWT tokens; stored securely on your device using platform secure storage (iOS Keychain / Android Keystore)
  • Signed media URLs: Files are accessed via HMAC-signed, time-limited URLs — not publicly accessible
  • Security logging: Authentication events are logged for intrusion detection
  • Rate limiting: Login attempts are strictly rate-limited to prevent brute-force attacks
  • File validation: All uploaded files are validated for MIME type and size before storage
  • UUID filenames: Uploaded files are renamed with UUIDs — original filenames are not exposed on storage

7.3 Third-Party Processors

We use the following data processors, all operating under GDPR-compliant Data Processing Agreements (DPAs):

  • OVHcloud SAS — Cloud infrastructure and object storage (EU data centres). OVHcloud DPA

We do not use any advertising networks, analytics platforms, or data brokers. We do not share your data with any third party for commercial purposes.

8. Data Retention

Data Type | Retention Period | Reason
Account data & files | Until account deletion, then purged within 30 days | Service provision
Security logs (IP, user agent) | 90 days | Security monitoring & incident response
Terms acceptance timestamp | Duration of account + 5 years | Legal compliance
Deleted files (soft-deleted) | Purged within 30 days of deletion | Recovery window, then permanent removal
Backups | Overwritten within 30 days of account deletion | Infrastructure backup cycles

When your account is deleted, all your personal data and files are permanently and irreversibly removed from our systems within 30 days. Backup copies are overwritten within the same period.

9. Your Rights Under GDPR

GDPR Chapter III

As a data subject under the GDPR, you have the following rights:

  • Right of access (Art. 15) — Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16) — Correct inaccurate or incomplete data
  • Right to erasure / "right to be forgotten" (Art. 17) — Request deletion of your account and all associated data
  • Right to data portability (Art. 20) — Receive your data in a machine-readable format
  • Right to restriction of processing (Art. 18) — Request that we limit how we use your data
  • Right to object (Art. 21) — Object to processing based on legitimate interests
  • Right not to be subject to automated decision-making (Art. 22) — We do not make automated decisions that significantly affect you

How to exercise your rights

  • In-app: You can delete your account directly from Settings → Account → Delete Account. This immediately initiates permanent deletion of all data.
  • By email: Send a request to privacy@onesecurevault.com. We will respond within 30 days as required by GDPR Art. 12.

Right to lodge a complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your national supervisory authority. You can find your local data protection authority at: edpb.europa.eu

10. Cookies & Trackers

Mobile application: The app does not use cookies. It stores only the following data locally on your device:

  • Authentication token (JWT) — stored in the device's secure storage
  • Local cache for recently accessed file thumbnails — stored only in app sandbox

Website: The website uses only a single session cookie strictly necessary for authentication. No advertising cookies, tracking pixels, or analytics scripts are used.

No third-party tracking: We do not integrate Facebook Pixel, Google Analytics, Firebase Analytics, Amplitude, Mixpanel, or any other behavioural analytics or advertising SDK.

11. Data Safety (Google Play Store)

The following summarises our data practices as declared in the Google Play Data Safety section:

Category | Data Types | Collected | Shared | Required
Personal info | Email address, name | Yes | No | Yes (account creation)
Photos & videos | Photos, videos uploaded by user | Yes | No | Optional
App activity | Authentication timestamps | Yes | No | Yes (security)
Device & other IDs | None | No | No | N/A
Location | None | No | No | N/A
Contacts | None | No | No | N/A

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Data can be deleted by users at any time via in-app settings.

12. International Data Transfers

Your personal data is stored and processed exclusively within the European Union. We do not transfer personal data to third countries outside the EEA. All our infrastructure providers operate within EU territory under GDPR-compliant agreements.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will:

  • Update the "Last updated" date at the top of this page
  • Display an in-app notification informing you of the changes
  • For material changes affecting your rights, request your renewed acknowledgement before continued use

We encourage you to review this policy periodically. Continued use of the service after changes are published constitutes acceptance of the updated policy.

14. Contact & Data Protection Requests

For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data:

  • Privacy requests: privacy@onesecurevault.com
  • General legal inquiries: legal@onesecurevault.com

We will respond to all verifiable requests within 30 days as required by GDPR Article 12(3).