Native VaultNATIVEVAULT

Privacy Policy

Last updated: April 29, 2026

1. Introduction

Native Vault (“we”, “us”, or “our”) operates the website at nativevault.dev (the “Site”) and the Native Vault web dashboard (the “Service”). This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, and what rights you have with respect to it.

By using the Site or the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Site or Service.

This policy is provided for informational purposes and does not constitute legal advice. We recommend having it reviewed by qualified legal counsel before publishing, particularly given that users may store sensitive personal data through the Service.

2. Information We Collect

Account information (via OAuth)

When you sign in with GitHub or Google, we receive your name, email address, and profile avatar from the identity provider. We do not receive or store your GitHub or Google password.

User-uploaded content

You may upload files of any type to the Service (including but not limited to images, documents, source code, and other data). All uploaded content is encrypted at rest before being stored on Backblaze B2 cloud storage. Native Vault staff cannot access the plaintext of your uploaded content.

Payment information

If you subscribe to a paid account tier, payment is processed by Stripe. We do not receive or store your full card number, CVV, or banking credentials. Stripe provides us with a billing token and limited card metadata (last four digits, expiry, card type) for display purposes. Stripe’s handling of your payment data is governed by the Stripe Privacy Policy.

Build logs

The Service generates build logs during processing operations. These logs may include metadata about your operations (such as timestamps and file identifiers) but do not include the plaintext of your encrypted content.

Cookies and local storage

We use cookies and browser local storage for session management, authentication state, and user preferences. See Section 9 for more detail.

3. How We Use Your Information

  • To create and manage your account and authenticate you to the Service.
  • To store, encrypt, and retrieve your uploaded files and generated artifacts.
  • To retain build logs for debugging, auditing, and regulatory compliance purposes.
  • To communicate with you about your account, including security notices and service updates.
  • To detect and prevent fraud, abuse, and security incidents.

We do not use your uploaded content for training machine learning models or for any purpose other than providing the Service.

4. Sub-processors and Third Parties

We work with the following third-party service providers (“sub-processors”) that may process your personal data on our behalf:

ProviderPurposeLocation
Backblaze B2Encrypted file storageUS / EU
HarperDatabaseUS / EU
GitHubOAuth sign-inUnited States
GoogleOAuth sign-inUnited States
StripePayment processingUS / EU
ResendTransactional emailUS / EU

We do not sell your personal information to third parties, and we do not share it with third parties for their own marketing purposes.

If you access the Service via our EU-specific domain, your data is processed and stored exclusively on EU-based infrastructure. OAuth authentication requests are routed through GitHub and Google, whose services are US-based; however, no account data is persisted outside the EU as a result of sign-in. If you access the Service via our US domain, your data is processed on US-based infrastructure.

5. Data Retention

  • Account data (name, email, avatar): retained for the lifetime of your account and deleted within 30 days of account deletion.
  • Uploaded files, build logs, and generated artifacts: retained according to your account tier.

You may request early deletion of your account data and files at any time by contacting us (see Section 12), subject to the retention requirements of your account tier.

6. Security

All user-uploaded content is encrypted at rest using AES encryption before being written to Backblaze B2 cloud storage. Encryption keys are managed by Native Vault and are not accessible to Backblaze. Native Vault staff cannot access the plaintext content of your files.

Access to account metadata stored in HarperDB is restricted to authorized personnel and systems. We use industry-standard security measures including HTTPS for all data in transit, access controls, and regular security reviews.

No method of transmission over the internet or electronic storage is 100% secure. While we take the protection of your data seriously, we cannot guarantee absolute security.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete personal data.
  • Right to erasure: request deletion of your personal data where we no longer have a lawful basis to retain it.
  • Right to data portability: receive your personal data in a machine-readable format.
  • Right to restriction: request that we limit how we use your personal data while a complaint is being resolved.
  • Right to object: object to processing based on our legitimate interests.

To exercise any of these rights, please contact us at privacy@nativevault.dev. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

Our lawful bases for processing personal data are: performance of a contract (providing the Service), legitimate interests (security and fraud prevention), and legal obligation (log retention).

8. Your Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

  • Right to know: request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
  • Right to delete: request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to opt out of sale: we do not sell your personal information. No opt-out action is required.
  • Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@nativevault.dev. We may need to verify your identity before processing your request.

9. Cookies

We use the following types of cookies and similar technologies:

  • Strictly necessary cookies: required for authentication and session management. These cannot be disabled.
  • Preference cookies: used to remember your settings (e.g., theme preferences).

Most web browsers allow you to control cookies through their settings. Disabling strictly necessary cookies may prevent you from using the Service.

10. Children’s Privacy

The Site and Service are not directed to children under the age of 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. For material changes, we will also provide a more prominent notice (such as an in-app notification or an email to the address associated with your account).

Your continued use of the Site or Service after any changes become effective constitutes your acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: privacy@nativevault.dev