Privacy Policy
KeyVault ("the app") is designed to be private by default. The short version is this: no data leaves your device, ever. The longer version is below.
1. Who this policy is from
This policy describes the privacy practices for the KeyVault mobile application published on the Apple App Store and Google Play (the "app"). For questions about this policy, contact the support address listed on the app's store page.
2. What KeyVault does with your data
2.1 Data that stays on your device
When you use KeyVault you may create the following information, all of which is stored only inside the app's sandbox on your phone:
- Photographs of your keys that you capture with the camera or import from your photo library.
- Labels, room names, lock types, cut/blank values, and free-form notes you attach to each key.
- Ring groupings (e.g., "house", "office") that you define.
- An optional encrypted local backup file (.kv) you choose to export.
2.2 Data we do not collect
KeyVault does not collect, transmit, or have access to any of the following:
- Your name, email address, phone number, or any other account identifier (there is no account system).
- Your contacts (see §3 below for what happens when you tap "Share with Locksmith").
- Your location.
- Device identifiers (IDFA, advertising ID, etc.).
- Crash reports, analytics, usage telemetry, or diagnostics of any kind.
- The contents of your vault, photos, or backups.
There is no KeyVault server. There is no cloud sync. There are no third-party SDKs that phone home.
3. Permissions the app requests and why
| Permission | When it is requested | What it is used for |
|---|---|---|
| Camera | The first time you photograph a key or use Identify Mode. | Capturing photos of your keys, which are written only to local app storage. |
| Photo library (read) | When you tap "import existing photo" on a key entry. | Letting you attach photos you already took. KeyVault reads only the photo you pick. |
| Photo library (add) | If you choose to save a captured photo back to your library. | Optional only. Skipping it does not affect the app. |
| Contacts | Only when you tap "Share with Locksmith" and choose a contact. | Showing the contact picker so you can pick a recipient for a share-sheet message. KeyVault does not read your full contact list and does not upload contacts anywhere. |
| Face ID / Touch ID / Biometrics | At unlock time, after you enable biometric lock in Settings. | Verifying it is you, locally on the device. Biometric data never leaves your phone — the operating system, not KeyVault, performs the match. |
You can revoke any of these permissions at any time from your operating system's Settings app. KeyVault will simply disable the corresponding feature.
4. Encryption and storage
KeyVault encrypts your vault inside the app itself — not just by relying on the operating system.
- Everything is encrypted at rest. Both your key photos and the details you enter (names, room labels, lock types, notes, ring names, and who has a copy) are encrypted with AES-256-GCM. This is on top of the operating system's own at-rest encryption of the app container (iOS Data Protection, Android File-Based Encryption).
- Your password and PIN unlock the encryption. They are never stored. We store only a verification value derived with PBKDF2-SHA256 at 600,000 iterations (a slow, salted process designed to resist offline guessing). The same process produces a key-wrapping key that unlocks the single AES-256 key protecting your vault. Changing your password or PIN re-wraps that key instantly; it does not weaken or expose your data.
- The encryption key is never written in the clear. It is stored only in wrapped (encrypted) form in the operating system's secure keychain, via Expo SecureStore.
- Biometric unlock is optional. Enable it in Settings to use Face ID, Touch ID, or Android biometrics. The biometric check is performed by the operating system; your biometric data never leaves your device and is never seen by KeyVault.
- Repeated wrong attempts are throttled, and the app blocks screenshots and screen recording while the vault is open, to reduce the chance of casual exposure.
- Backups you export are your responsibility. A .kv backup is encrypted with a separate password you choose at export time (also via PBKDF2). Once you share it through the system share sheet, the file leaves the app's sandbox and is governed by wherever you send it (iCloud Drive, Google Drive, AirDrop, email, etc.). Choose a strong backup password and treat the file like any other sensitive document.
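The key hierarchy described in this section (password, then PBKDF2, then a key-wrapping key that unlocks one AES-256 vault key), sketched as an added Node.js example that is not KeyVault's own code. The HMAC split into verifier and key-wrapping key, the record field names and the function names are assumptions; the policy states only the algorithms and the iteration count.

```javascript
// Added illustration, not KeyVault source. Labels and field names are assumptions.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 600000; // PBKDF2-SHA256 count stated in the policy

// Stretch the password once, then split the result with HMAC so the stored
// verifier reveals nothing about the key-wrapping key (KEK). The split is assumed.
function deriveKeys(password, salt) {
  const master = nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
  const sub = (label) => nodeCrypto.createHmac('sha256', master).update(label).digest();
  return { kek: sub('kek'), verifier: sub('verify') };
}

// Wrap the vault key under the KEK with AES-256-GCM (fresh 96-bit nonce each time).
function wrap(kek, vaultKey) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([c.update(vaultKey), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function createVault(password) {
  const salt = nodeCrypto.randomBytes(16);
  const { kek, verifier } = deriveKeys(password, salt);
  const vaultKey = nodeCrypto.randomBytes(32); // the single AES-256 data key
  return { record: { salt, verifier, wrapped: wrap(kek, vaultKey) }, vaultKey };
}

// Returns the vault key, or null for a wrong password. Only `record` is persisted.
function unlock(record, password) {
  const { kek, verifier } = deriveKeys(password, record.salt);
  if (!nodeCrypto.timingSafeEqual(verifier, record.verifier)) return null;
  const { iv, ct, tag } = record.wrapped;
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', kek, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Password change: only the 32-byte vault key is re-wrapped; vault data is untouched.
function changePassword(record, oldPassword, newPassword) {
  const vaultKey = unlock(record, oldPassword);
  if (!vaultKey) return null;
  const salt = nodeCrypto.randomBytes(16);
  const { kek, verifier } = deriveKeys(newPassword, salt);
  return { salt, verifier, wrapped: wrap(kek, vaultKey) };
}
```

Because the vault contents are encrypted under `vaultKey` rather than under the password-derived key, a password change rewrites one small record instead of re-encrypting every photo and note.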
5. Sharing your data
KeyVault never shares your data with anyone, because it never has your data in the first place. The only times information leaves the app are when you explicitly initiate a share:
- Tapping "Share with Locksmith" hands a photo + key details to the system share sheet, which then sends it to the destination you choose (Messages, Mail, AirDrop, etc.). KeyVault has no visibility into what happens after that hand-off.
- Exporting a .kv backup likewise goes through the system share sheet to the destination you pick.
We do not sell, rent, lease, or otherwise disclose your data to third parties.
6. Children's privacy
KeyVault is not directed at children under 13 and does not knowingly collect information from children. Because KeyVault does not collect any personal information at all, this is true for users of every age.
7. Your rights and choices
Because the app stores nothing about you on any server, you exercise your privacy rights directly on your device:
- Access: Open the app — everything we have about you is what you see in the vault.
- Export: Use the export-backup feature to take your data with you.
- Deletion: Delete the entry, the ring, or the entire app. Uninstalling KeyVault removes the entire vault from the device. There is no remote copy to retrieve and nothing further you need to do.
8. International users
KeyVault processes data only on your device. No data is transferred across borders by the app itself. Local processing is subject to the laws of the jurisdiction where your phone is located.
9. Changes to this policy
If this policy materially changes, the updated version will ship in a future app update and the "Last updated" date at the top of this document will be revised. Continued use of the app after an update constitutes acceptance of the revised policy.
10. Contact
For any privacy question, write to the support address listed on the KeyVault App Store / Play Store page, or visit our support page.