Privacy Policy
Last updated: 28 March 2026 · Effective immediately · HexVault Ltd, England & Wales
The short version
We cannot read your passwords. They are encrypted on your device before reaching our servers. We store only ciphertext. We collect the minimum data necessary to run the service. We do not sell your data. We do not use your credentials for anything other than delivering the service to you.
1. Overview
HexVault Ltd ("HexVault", "we", "us", "our") operates the HexVault identity and secrets management platform available at hexvault.co.uk and associated subdomains. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service.
This policy applies to all users of HexVault, including Personal, Family, and Business tier subscribers. By using HexVault you agree to the collection and use of information in accordance with this policy.
HexVault is registered in England and Wales. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data we collect
Account information
- Email address — required for account creation, login, and password reset
- Username — your chosen display name within the vault
- Password hash — your master password is never stored. We store a bcrypt hash derived from your password. This hash cannot be reversed to reveal your password
- Subscription tier and status — which plan you are on and whether it is active
Vault data (encrypted)
- Encrypted credential entries (ciphertext only — we cannot decrypt these)
- Encrypted secure notes (ciphertext only)
- Initialisation vectors (IVs) and entry salts used for encryption — these are not secrets and cannot reveal plaintext
- Folder names and structure (not encrypted — visible to us)
- Breach counts per entry (a count of how many times a password hash appeared in known breach databases)
Technical data
- Session tokens (server-side, expire on logout or after configured timeout)
- IP address (logged per session and per API request for security purposes)
- Device fingerprint (for trusted device management — you control this)
- Approximate browser/OS information from the User-Agent header
- Timestamps of login, last activity, and credential access events
Payment data
Payment processing is handled by Stripe. We do not store credit card numbers, CVVs, or bank details. We store a Stripe customer ID and subscription ID for subscription management.
3. What we don't collect
We cannot read your passwords. All encryption happens client-side, in your browser, before data reaches our servers. The plaintext of your credentials never leaves your device.
- We do not collect your plaintext passwords, secure notes, or any decrypted vault data
- We do not use analytics scripts that track your behaviour across websites
- We do not sell your data to third parties under any circumstances
- We do not use your email for marketing unless you explicitly opt in
- We do not collect data beyond what is necessary to provide the service
4. How we use your data
We use the data we collect solely to:
- Authenticate you and manage your session
- Store and retrieve your encrypted vault data
- Process your subscription and billing
- Send you transactional emails (password reset, email verification, security alerts)
- Detect and respond to security incidents (using IP logs and device fingerprints)
- Provide the audit trail you have requested for your organisation (Business tier)
- Improve the reliability and security of the service
The legal basis for processing under UK GDPR is: performance of contract (to deliver the service), legitimate interests (security monitoring), and consent (marketing communications where opted in).
5. Data storage and security
Your data is stored on servers located in the United Kingdom and the European Economic Area. We use PostgreSQL with encrypted connections. Data at rest is stored on encrypted volumes.
Your vault credentials are encrypted with AES-256-GCM before leaving your device. The encryption keys are derived from your master password using Argon2id. We do not have access to your master password and therefore cannot decrypt your vault.
We retain your account data for as long as your account is active. On account deletion, your encrypted vault data is deleted within 30 days. IP logs and security audit logs are retained for 12 months.
6. Third-party services
- Stripe — payment processing. Subject to Stripe's Privacy Policy.
- Postmark — transactional email delivery (password resets, verification). We share only your email address and the content of the transactional email.
- Have I Been Pwned (HIBP) — password breach checking uses the k-anonymity model. Only the first 5 characters of a SHA-1 hash of your password are sent to HIBP. Your actual password is never transmitted.
- Cloudflare — DNS and DDoS protection. IP addresses may pass through Cloudflare's network.
We do not use advertising networks, social media tracking pixels, or third-party analytics.
7. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you
- Right to rectification — you can correct inaccurate data through your account settings or by contacting us
- Right to erasure — you can delete your account and all associated data at any time from Settings → Account → Danger Zone
- Right to data portability — you can export your vault data in JSON or CSV format at any time from Settings → Data
- Right to object — you can object to processing of your data for legitimate interests
- Right to restrict processing — you can request we restrict processing of your data in certain circumstances
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
HexVault uses only strictly necessary cookies. We do not use advertising or analytics cookies.
- Session cookie — stores your encrypted session token. Required for authentication. Expires on logout or after your configured session timeout.
- CSRF token — protects against cross-site request forgery. Required for security.
- Theme preference — stores your light/dark mode preference. Not transmitted to our servers.
You can view our full Cookie Policy at hexvault.co.uk/cookies.
9. Data breach notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected users without undue delay, as required by UK GDPR Articles 33 and 34.
Note: because your vault credentials are encrypted client-side, a breach of our servers would not expose your passwords — only encrypted ciphertext that we cannot decrypt. We would still notify you of any breach.
To report a security vulnerability, contact [email protected]. We operate a responsible disclosure policy.