Zero-Knowledge Privacy: SeraVault is designed with a zero-knowledge architecture. We cannot access, read, or decrypt your files, messages, or encrypted metadata. Your data is encrypted on your device before it reaches our servers, and only you hold the decryption keys.
1. Introduction
SeraVault ("we," "us," or "our") operates a zero-knowledge, end-to-end encrypted file storage and messaging platform.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
By using SeraVault, you agree to the collection and use of information in accordance with this policy. If you do not
agree with our policies and practices, please do not use our service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email Address: Used for account authentication and service communications
- Account Credentials: Authentication tokens (managed by Firebase Authentication)
- Display Name: Optional, used to personalize your account
2.2 Encrypted Data
We store the following encrypted data that we cannot access or decrypt:
- Encrypted Files: Your file contents, encrypted client-side with AES-256-GCM
- Encrypted Metadata: File names, folder structures, file types, and descriptions
- Encrypted Messages: All chat messages, encrypted end-to-end using ML-KEM-768
- Encrypted Private Keys: Your encryption keys, encrypted with your passphrase
2.3 Unencrypted Metadata
Due to technical requirements, we collect certain metadata in unencrypted form:
- File Sizes: The size of encrypted file blobs (not the original file names)
- Timestamps: Upload times, modification times, last access times
- Sharing Relationships: Which users have shared access to which encrypted files
- Public Keys: Your ML-KEM-768 public keys (required for others to share files with you)
- Contact Lists: Your encrypted contact relationships
- Storage Usage: Total storage consumed per account
2.4 Technical Data
We automatically collect certain technical information:
- IP Address: For security, fraud prevention, and service delivery
- Browser Type and Version: To ensure compatibility
- Device Information: Operating system and device type
- Log Data: Access logs, error logs, and performance metrics
- Cookies: Authentication cookies and session management
2.5 Payment Information
For paid subscriptions:
- Payment Processing: Handled by Stripe (we do not store credit card numbers)
- Billing Information: Name, billing address, email for receipts
- Transaction History: Payment dates, amounts, subscription status
3. How We Use Your Information
3.1 Service Delivery
- Provide, maintain, and improve our file storage and messaging services
- Authenticate your account and manage your session
- Store and retrieve your encrypted files and messages
- Facilitate file sharing between users
- Process payments and manage subscriptions
3.2 Security and Fraud Prevention
- Detect and prevent unauthorized access or security breaches
- Monitor for suspicious activity or abuse
- Enforce our Terms of Service
- Protect against fraud and spam
3.3 Communications
- Send service-related notifications (security alerts, system updates)
- Respond to your support requests and inquiries
- Send billing and payment confirmations
- Provide optional product updates and feature announcements (you can opt out)
3.4 Analytics and Improvement
- Analyze usage patterns to improve performance and user experience
- Debug errors and fix technical issues
- Understand which features are most valuable to users
- Optimize storage and infrastructure
4. What We CANNOT Access
Zero-Knowledge Guarantee: Due to our end-to-end encryption architecture, we have zero access to:
- File Contents: We cannot read, view, or access the content of your files
- File Names: Your file names are encrypted; we see only random encrypted strings
- Folder Structures: Your folder organization is encrypted
- Message Contents: We cannot read your chat messages
- Encryption Keys: We store only encrypted versions of your private keys
- Passphrases: Your passphrases never reach our servers
This means: Even if compelled by law enforcement or court order, we cannot provide access to your
encrypted data because we do not possess the means to decrypt it. We can only provide encrypted data and unencrypted
metadata (see section 2.3).
5. Information Sharing and Disclosure
5.1 We Do Not Sell Your Data
We never sell, rent, or trade your personal information to third parties for marketing purposes.
5.2 Service Providers
We share limited data with trusted service providers who assist in operating our service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Firebase | Backend infrastructure, authentication, database, file storage | Email, encrypted files, encrypted metadata, public keys, technical data |
| Stripe | Payment processing | Billing information, payment details |
| Email Service Provider | Service notifications | Email address, notification content |
All service providers are contractually obligated to protect your data and use it only for specified purposes.
5.3 Legal Requirements
We may disclose information if required to do so by law or in response to:
- Valid legal process (subpoena, court order, search warrant)
- Governmental or regulatory requests
- Protection of our rights, property, or safety
- Emergency situations involving danger of death or serious physical injury
Limitation: We can only provide unencrypted metadata and encrypted data. We cannot decrypt your files
or messages, as we do not possess the decryption keys.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
We will notify you via email and/or prominent notice on our website before your information is transferred and becomes
subject to a different privacy policy.
5.5 With Your Consent
We may share information with third parties when you explicitly consent to such sharing.
6. Data Retention
6.1 Active Accounts
We retain your data for as long as your account is active or as needed to provide services.
6.2 Account Deletion
When you delete your account:
- Encrypted Files: Deleted within 30 days
- Account Information: Deleted within 30 days
- Backups: Removed from backups within 90 days
- Shared Files: If you shared files with others, they retain access to their copies
- Legal Holds: Data subject to legal preservation requirements may be retained longer
6.3 Inactive Accounts
Free accounts inactive for 12+ months may be deleted after email notification. Paid accounts remain active until
subscription cancellation.
6.4 Legal and Compliance
We may retain certain information to comply with legal obligations, resolve disputes, and enforce our agreements,
even after account deletion.
7. Data Security
7.1 Encryption
- In Transit: All data transmitted using TLS 1.3 encryption
- At Rest: Files encrypted with AES-256-GCM; private keys encrypted with passphrase-derived keys
- Post-Quantum: ML-KEM-768 (NIST FIPS 203) for key encapsulation
7.2 Access Controls
- Employee access to production systems is restricted and logged
- Two-factor authentication required for all administrative access
- Regular security audits and penetration testing
- Automated security monitoring and alerting
7.3 Infrastructure Security
- Firebase infrastructure with enterprise-grade security
- Regular security patches and updates
- DDoS protection and rate limiting
- Isolated database per customer (logical separation)
7.4 Limitations
No method of transmission over the Internet or electronic storage is 100% secure. While we implement industry-standard
security measures, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of
your passphrase and hardware keys.
8. Your Rights and Choices
8.1 Access and Portability
- Access: You can access all your data through the SeraVault application
- Download: You can download all your files at any time
- Export: Bulk export functionality available for data portability
8.2 Correction and Deletion
- Update: You can update your account information at any time
- Delete Files: You can delete individual files or folders
- Delete Account: You can request full account deletion in settings
8.3 Communication Preferences
- Marketing Emails: Opt out via unsubscribe link
- Service Notifications: Cannot be disabled (security alerts, billing notices)
8.4 Regional Rights
Depending on your location, you may have additional rights:
European Union (GDPR)
- Right to access personal data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
- Right to lodge a complaint with supervisory authority
California (CCPA/CPRA)
- Right to know what personal information is collected
- Right to know if personal information is sold or shared
- Right to opt out of sale/sharing
- Right to deletion
- Right to correct inaccurate information
- Right to non-discrimination
To exercise these rights, contact us at privacy@seravault.com.
9. International Data Transfers
SeraVault uses Firebase infrastructure, which stores data in the United States and other countries. By using our
service, you consent to the transfer of your information to countries outside your country of residence, which may
have different data protection laws.
For European users, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Google's EU-U.S. Data Privacy Framework certification
- Adequate safeguards as defined by GDPR Article 46
10. Children's Privacy
SeraVault is not intended for children under the age of 13 (or 16 in the European Union). We do not knowingly collect
personal information from children. If we become aware that a child has provided us with personal information, we will
delete it immediately.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at
privacy@seravault.com.
11. Cookies and Tracking
11.1 Cookies We Use
| Type | Purpose | Duration |
|---|---|---|
| Authentication Cookies | Keep you logged in and manage your session | Session / 30 days |
| Security Cookies | Detect and prevent fraudulent activity | Session |
| Preference Cookies | Remember your settings (language, theme) | 1 year |
| Analytics Cookies | Understand how you use our service (optional) | 1 year |
11.2 Third-Party Tracking
We do not allow third-party advertisers or tracking scripts. Our analytics are privacy-focused and aggregate.
11.3 Your Choices
You can control cookies through your browser settings. Note that disabling certain cookies may affect functionality.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated"
date. For material changes, we will provide prominent notice:
- Email notification to registered users
- In-app notification upon login
- Notice on our homepage
Continued use of SeraVault after changes become effective constitutes acceptance of the revised policy.
14. Transparency Report
We are committed to transparency. We publish an annual transparency report detailing:
- Number of government requests for user data
- Number of users affected
- Number of requests complied with or rejected
- Types of data requested
Our latest transparency report is available at transparency-report.html.