Privacy Policy
Last updated: July 17, 2026
Velora Vault is a private, encrypted home for your passwords, documents, notes, and financial essentials. This policy explains what we collect, what we can and cannot see, and how your data is protected.
What we collect
We collect the minimum needed to run your account:
- Account information — your email address and sign-in password, provided when you sign up.
- Encrypted vault contents — your passwords, documents, notes, cards, and bank details, but only in encrypted form. See below for what this means in practice.
- Session and device metadata — sign-in timestamps and basic device information, used to keep your account secure and to detect suspicious activity.
How your vault is encrypted
Everything you save to your vault is encrypted with AES-256-GCM on your device before it is ever sent to our servers. The encryption key is derived from your master key using PBKDF2 with 600,000 iterations, and that master key is never transmitted to us, stored on our servers, or written to any log.
PIN and supported platform-authenticator unlock are optional, device-local convenience layers. They protect a local wrapper and recover the master key into memory for the active unlocked session; they do not replace the master key.
In practice, this means we store encrypted data we cannot read. We do not have the ability to decrypt your vault contents, view your passwords, or open your documents.
AI-assisted import is an explicit exception to local-only content processing: source text or images you select are sent to the configured processing service before reviewed results are encrypted and saved. See How security worksfor the full recovery and threat boundaries.
How we use your information
We use the information above only to:
- Create and confirm your account when you sign up
- Authenticate you and maintain your session
- Enforce that only your own active account can access your data
- Detect and prevent abuse or unauthorized access
- Provide customer support when you contact us
We do not sell your information, and we do not use your vault contents for advertising, analytics, or model training — we cannot, since we cannot decrypt it.
Access control
Every request to your data is checked at the database level against your own account and its active status, not just whether you are signed in. If your access is suspended or revoked, your encrypted data becomes inaccessible even to our own systems in the normal course of operation.
Third-party services
We rely on Supabase for authentication, database hosting, and storage infrastructure. Supabase stores the encrypted data described above; it does not have access to your master key or the ability to decrypt your vault contents.
Data retention and deletion
We retain your account information and encrypted vault data for as long as your account is active. You can request deletion of your account and all associated data at any time by contacting us; we will remove it within a reasonable timeframe, except where retention is required by law.
Your rights
Depending on where you live, you may have the right to:
- Access the account information we hold about you
- Request a copy of your encrypted vault data
- Request correction of inaccurate account information
- Request deletion of your account and data
To exercise any of these rights, contact us using the details below.
Children’s privacy
Velora Vault is not directed at children, and we do not knowingly collect information from anyone under the age of 16.
Changes to this policy
We may update this policy as the service evolves. If we make material changes, we will update the date at the top of this page.
Contact us
Questions about this policy or your data can be sent to privacy@velora.vault.
The short version: your master key never leaves your device, so we can’t read your vault even if we wanted to. We only handle what’s needed to run the account system around it.