Privacy Policy

Last updated: April 4, 2026

The short version: Vaultaro is built on a zero-knowledge architecture. Your vault data is encrypted on your device before it ever leaves. We cannot read your passwords — not now, not ever.

Introduction

Vaultaro ("we", "our", or "us") is a zero-knowledge password manager. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.

By using the Vaultaro app or website, you agree to the practices described in this policy.

Who We Are

Vaultaro is developed and operated independently. We do not operate a backend server that stores your personal data or vault content.

Information We Do NOT Collect

The Vaultaro Android app collects no personal data. Specifically:

  • We do not collect your name, email address, or any profile information
  • We do not collect your passwords, vault entries, or any content you store in the app
  • We do not track your usage, behavior, or in-app actions
  • We do not use any analytics SDK, crash reporting service, or advertising framework
  • We do not access your contacts, camera, microphone, location, or any other device data

How Your Vault Is Stored

Your vault is encrypted entirely on your device before being stored. It is saved to your own Google Drive account in a hidden application data folder (appDataFolder) that is not visible in your Google Drive UI.

  • We cannot read your vault. It is encrypted with AES-256-GCM using a key derived from your master password or recovery key. We have no copy of your key and no mechanism to decrypt your data.
  • Your vault never touches our servers. It goes directly from your device to your Google Drive account via Google's API.
  • Your master password is never stored. It is used transiently on your device to derive a cryptographic key and is not written to disk or transmitted anywhere.
  • Your recovery key is shown to you once during setup. We do not store it. If you lose it, we cannot help you recover your vault.

Google Account and Drive Access

Vaultaro uses Google Sign-In to access your Google Drive. The OAuth scope we request is:

https://www.googleapis.com/auth/drive.appdata

This scope grants access only to the hidden application data folder that Vaultaro itself creates. We cannot read, list, modify, or delete any other files in your Google Drive.

Vaultaro's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for any purpose other than storing and retrieving your encrypted vault file.

We do not share Google user data with any third party.

Biometric Authentication

If you enable biometric unlock, a cryptographic vault key is stored in your device's secure storage using hardware-backed encryption where available.

  • We do not access, read, or store your biometric data (fingerprints, face data, etc.)
  • Biometric authentication is handled entirely by your device's operating system
  • The stored vault key is cleared automatically when you disable biometric unlock, delete your vault, or create a new vault

Clipboard

When you copy a password or sensitive field, Vaultaro automatically clears the clipboard after 30 seconds.

Information Collected via the Website Contact Form

If you contact us through the website contact form, we collect:

  • Your name
  • Your email address
  • Your subject and message

This information is used solely to respond to your inquiry. It is transmitted via Resend, a third-party email delivery service, to our operator email address. It is not stored in any Vaultaro-owned database.

Resend may retain email delivery logs in accordance with their own Privacy Policy.

Third-Party Services

Service | Purpose | Data shared
Google Drive | Vault storage | Encrypted vault file only
Google Sign-In | Authentication | Google account identity (used locally only)
Resend | Contact form email delivery | Name, email, message (website only)

We do not sell, rent, or share your data with any other third party.

Data Retention and Deletion

Your vault data is stored in your Google Drive account. You control it entirely:

  • To delete your vault: Use the "Delete Vault" option in the app settings. This permanently removes the vault file from your Google Drive and signs you out.
  • To revoke access: You can remove Vaultaro's access to your Google account at any time via your Google Account settings (Security → Third-party apps). Important: Revoking access will cause Google to permanently delete your vault's application data folder. This action is irreversible. Ensure you no longer need the vault data before revoking access.

Children's Privacy

Vaultaro is not directed at children under the age of 13. We do not knowingly collect any personal information from children. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

Security

All vault data is encrypted client-side using AES-256-GCM with Argon2id key derivation before leaving your device. We apply reasonable technical measures to protect the integrity of the app and the website. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page. Your continued use of Vaultaro after changes are posted constitutes acceptance of the updated policy.

Contact

If you have any questions or concerns about this Privacy Policy, please reach out through the contact form on our website.

© 2026 Vaultaro. All rights reserved.