1. Introduction

Welcome to Envault ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website and tell you about your privacy rights and how the law protects you. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect several different types of information for various purposes to provide and improve our Service to you.

Personal Data: While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data"). Personally identifiable information may include, but is not limited to: Email address, First name and last name, Cookies and Usage Data.
Usage Data: We may also collect information how the Service is accessed and used ("Usage Data"). This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

3. Data Security & Encryption

The security of your data is important to us. Envault employs end-to-end encryption for your stored environment variables. Your secrets are encrypted on the client-side before being transmitted to our servers (if applicable) or stored securely using our provider's infrastructure.

We use industry-standard AES-256-GCM encryption. However, please remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

Our encryption model uses a hierarchical key system:

Master Key: A 32-byte key stored in server environment variables, used solely to encrypt/decrypt Data Keys.
Data Keys: Unique keys for each project, encrypted with the Master Key and stored in our database.
Key Rotation: Data keys can be rotated periodically to limit the impact of potential compromises.

4. Modern Authentication Methods

Envault supports multiple secure authentication methods to protect your account:

WebAuthn Passkeys: When you register or authenticate with passkeys, we store cryptographic public keys and device metadata. No passwords or private keys are stored by Envault.
OAuth Providers (Gmail, GitHub): When linking OAuth providers, we receive your email address, name, and OAuth profile ID from the provider. These are used solely for account linking and authentication purposes. We do not store your OAuth tokens or access sensitive OAuth scopes.
Device Flow Authentication: For CLI authentication, we generate temporary device codes and authorization tokens with short expiration times. Tokens are sent over HTTPS only and are never logged or stored in plaintext.
Authentication Logs: We maintain security logs of authentication attempts and successful logins for 1 year to detect suspicious activities and prevent unauthorized access.

5. Environment Management Data

Envault enables managing multiple environments (development, staging, production) with workspace-aware scoping:

Environment Metadata: We store environment names, descriptions, types, and creation timestamps for organizational purposes.
Environment-Level Permissions: Access control data for each environment, including which team members can view or modify secrets in specific environments.
Environment Context: CLI and API usage data that tracks which environment is being accessed during operations for audit and security purposes.
Environment State: Workspace mode context data that remembers your last-used environment to streamline your workflow.

Environment data is encrypted consistently with your secrets and is subject to the same access control and retention policies.

6. CLI Data Collection

When you use the Envault CLI, we may collect certain information to provide and improve the service:

Usage Analytics: Anonymous usage statistics such as command frequency, error rates, and performance metrics to improve CLI functionality. This can be disabled in your account settings.
Device Information: Basic device identifiers, operating system, and CLI version for compatibility and support purposes.
Authentication Data: Temporary authentication tokens for CLI sessions, which are encrypted and have short expiration times.
Error Logs: Error messages and stack traces (without sensitive data) to diagnose and fix issues.

All CLI communications occur over HTTPS, and sensitive operations require proper authentication.

7. Team Collaboration Data

Envault enables secure team collaboration. When you participate in team features, we process additional data:

Project Membership: Information about team members, their roles (Owner, Editor, Viewer), and access permissions.
Access Requests: Records of pending and approved access requests to projects, including timestamps and approval history.
Collaboration Activity: Logs of team activities such as secret modifications, project sharing, and member management (for audit purposes).
Shared Projects: Metadata about projects you've been invited to, including project names and your access level.

Team data is encrypted and access is strictly controlled by role-based permissions. Project owners have control over member access and data visibility.

8. Notification Data

Envault provides notifications for team collaboration, security alerts, and service updates:

Notification Preferences: Your choices regarding email and in-app notifications, which you can manage in account settings.
Notification History: Records of notifications sent, including delivery status and interaction data.
Security Alerts: Critical security notifications that cannot be disabled, such as account access from new devices.
Service Communications: Updates about new features, maintenance, or policy changes.

Notification data helps us keep you informed about important account and security matters while respecting your communication preferences.

9. Use of Data

Envault uses the collected data for various purposes:

To provide and maintain the Service
To notify you about changes to our Service
To allow you to participate in interactive features of our Service when you choose to do so
To provide customer care and support
To provide analysis or valuable information so that we can improve the Service
To monitor the usage of the Service
To detect, prevent and address technical issues

10. Third-Party Service Providers

We may employ third party companies and individuals to facilitate our Service ("Service Providers"), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Key Service Providers:

Supabase: Provides database services, authentication, and real-time features. Your encrypted data and authentication information are stored here.
OAuth Providers (Gmail, GitHub): Used for optional account linking and multi-provider authentication. We receive your email and profile ID for identity verification only.
Upstash Redis: Used for high-performance caching of permissions and temporary data storage to improve application performance.
Vercel Analytics: Collects anonymous usage analytics to help us improve the user experience (optional and can be disabled).
Email Service Providers: Used for sending transactional emails like password resets and notifications, with your email address processed securely.

All third-party providers are selected for their strong security practices and compliance with data protection regulations. We regularly review our service providers to ensure they meet our security and privacy standards.

11. Data Retention

We will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

Retention Periods by Data Type:

Account Data: Retained for the duration of your account. Deleted within 30 days of account deletion, except where required for legal compliance.
Encrypted Secrets: Retained until you delete them or terminate your account. Backup copies may be retained for up to 90 days for disaster recovery.
Authentication Logs: Security-related logs retained for 1 year for audit and security purposes.
CLI Usage Analytics: Anonymous analytics data retained for 2 years to improve service quality.
Notification History: Retained for 6 months, or until you delete your account.
Team Activity Logs: Project-related activity logs retained for 1 year for audit purposes.

You can request deletion of your data at any time by contacting us. Some data may be retained longer if required by law or for legitimate business purposes.

12. Your Data Rights

Depending on your location, you may have the following rights regarding your personal data:

The right to access, update or to delete the information we have on you.
The right of rectification.
The right to object.
The right of restriction.
The right to data portability.
The right to withdraw consent.

13. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the "effective date" at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

14. Contact Us

If you have any questions about this privacy policy, please contact us at dashdinanath056@gmail.com.