HexVault
Contents
  • Overview
  • Data we collect
  • What we don't collect
  • How we use data
  • Data storage
  • Third parties
  • Browser extension
  • Your rights (GDPR)
  • Cookies
  • Data breach
  • Contact

Privacy Policy

Last updated: 21 April 2026 · Effective immediately · HexVault Ltd, England & Wales

The short version

We cannot read your passwords. They are encrypted on your device before reaching our servers. We store only ciphertext. We collect the minimum data necessary to run the service. We do not sell your data. We do not use your credentials for anything other than delivering the service to you.

1. Overview

HexVault Ltd ("HexVault", "we", "us", "our") operates the HexVault identity and secrets management platform available at hexvault.co.uk and associated subdomains. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service.

This policy applies to all users of HexVault, including Personal, Pro, Family, Team, and Enterprise tier subscribers. By using HexVault you agree to the collection and use of information in accordance with this policy.

HexVault is registered in England and Wales. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data we collect

Account information

  • Email address — required for account creation, login, and password reset
  • Username — your chosen display name within the vault
  • Password hash — your master password is never stored. We store a bcrypt hash derived from your password. This hash is one-way: it cannot be decoded back into your password, and bcrypt is deliberately slow so that guessing attacks against it are expensive
  • Subscription tier and status — which plan you are on and whether it is active

Vault data (encrypted)

  • Encrypted credential entries (ciphertext only — we cannot decrypt these)
  • Encrypted secure notes (ciphertext only)
  • Initialisation vectors (IVs) and entry salts used for encryption — these are not secrets and cannot reveal plaintext
  • Folder names and structure (not encrypted — visible to us, so do not put secrets in folder names)
  • Breach counts per entry (a count of how many times a password hash appeared in known breach databases)

Technical data

  • Session tokens (server-side, expire on logout or after configured timeout)
  • IP address (logged per session and per API request for security purposes)
  • Device fingerprint (for trusted device management — you control this)
  • Approximate browser/OS information from the User-Agent header
  • Timestamps of login, last activity, and credential access events

Payment data

Payment processing is handled by Stripe. We do not store credit card numbers, CVVs, or bank details. We store a Stripe customer ID and subscription ID for subscription management.

3. What we don't collect

We cannot read your passwords. All encryption happens client-side, on your device, before data reaches our servers. The plaintext of your credentials never leaves your device.
  • We do not collect your plaintext passwords, secure notes, or any decrypted vault data
  • We do not use analytics scripts that track your behaviour across websites
  • We do not sell your data to third parties under any circumstances
  • We do not use your email for marketing unless you explicitly opt in
  • We do not collect data beyond what is necessary to provide the service

4. How we use your data

We use the data we collect solely to:

  • Authenticate you and manage your session
  • Store and retrieve your encrypted vault data
  • Process your subscription and billing
  • Send you transactional emails (password reset, email verification, security alerts)
  • Detect and respond to security incidents (using IP logs and device fingerprints)
  • Provide the audit trail you have requested for your organisation (Team and Enterprise tiers)
  • Improve the reliability and security of the service

The legal basis for processing under UK GDPR is: performance of contract (to deliver the service), legitimate interests (security monitoring), and consent (marketing communications where opted in).

5. Data storage and security

Your data is stored on servers located in the United Kingdom and the European Economic Area. We use PostgreSQL with encrypted connections. Data at rest is stored on encrypted volumes.

Your vault credentials are encrypted with AES-256-GCM before leaving your device. The encryption key is derived from your master password using Argon2id, a memory-hard key derivation function chosen to make offline guessing expensive. We do not have access to your master password and therefore cannot decrypt your vault. Because the key is derived from your master password, the strength of that password is the strength of your vault.

We retain your account data for as long as your account is active. On account deletion, your encrypted vault data is deleted within 30 days. IP logs and security audit logs are retained for 12 months.

6. Third-party services

  • Stripe — payment processing. Subject to Stripe's Privacy Policy.
  • Postmark — transactional email delivery (password resets, verification). We share only your email address and the content of the transactional email.
  • Have I Been Pwned (HIBP) — password breach checking uses the k-anonymity model. Only the first five hexadecimal characters of the SHA-1 hash of your password are sent to HIBP; HIBP returns every hash suffix sharing that prefix, and the comparison is made on your device. Neither your password nor its full hash is ever transmitted.
  • Cloudflare — DNS and DDoS protection. IP addresses may pass through Cloudflare's network.

We do not use advertising networks, social media tracking pixels, or third-party analytics.

A full sub-processor list including data categories, jurisdictions, and transfer mechanisms is available at hexvault.co.uk/sub-processors.

7. Browser extension

If you install the HexVault browser extension, the following additional data flows apply. The extension never transmits your master password or the plaintext of any vault entry — all encryption and decryption happen locally on your device.

  • Hostname of the active tab. When the extension's phishing protection is enabled, the hostname (for example, example.com) of the currently active tab is sent to our servers for a real-time safety check. We send the hostname only — not the full URL, not the path, not query parameters, and not page content. Hostnames are cached in the extension's memory for 30 seconds to avoid repeated lookups, and we do not retain a per-user browsing history on the server. Phishing protection can be disabled from the extension's settings panel.
  • Login form captures. When you submit a login form on a website, the extension captures the username and password so it can offer to save them to your vault. The password is held only in the extension's in-memory cache (with a two-minute expiry) until you confirm or dismiss the save prompt. Nothing is sent to our servers unless you click "Save", at which point the password is encrypted on your device before upload.
  • Locally stored settings. The extension stores your auto-lock timeout, feature toggles, and the list of sites you have asked it to never offer to save, in the browser's own extension storage. This data never leaves your device.

The extension requests a small set of browser permissions — storage, activeTab, alarms, tabs, and offscreen — each used solely for the functionality described above. The extension communicates only with hexvault.co.uk; no third-party hosts are contacted.

8. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — you can request a copy of the personal data we hold about you
  • Right to rectification — you can correct inaccurate data through your account settings or by contacting us
  • Right to erasure — you can delete your account and all associated data at any time from Settings → Account → Danger Zone
  • Right to data portability — you can export your vault data in JSON or CSV format at any time from Settings → Data
  • Right to object — you can object to processing of your data for legitimate interests
  • Right to restrict processing — you can request we restrict processing of your data in certain circumstances

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

HexVault uses only strictly necessary cookies. We do not use advertising or analytics cookies.

  • Session cookie — stores your encrypted session token. Required for authentication. Expires on logout or after your configured session timeout.
  • CSRF token — protects against cross-site request forgery. Required for security.
  • Theme preference — stores your light/dark mode preference. Not transmitted to our servers.

You can view our full Cookie Policy at hexvault.co.uk/cookies.

10. Data breach notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and notify affected users without undue delay, as required by UK GDPR Articles 33 and 34.

Note: because your vault credentials are encrypted client-side, a breach of our servers would not expose your passwords — only encrypted ciphertext that we cannot decrypt. It would expose the data we hold unencrypted, such as email addresses and the folder names described in section 2, and an attacker holding the ciphertext could still attempt to guess master passwords offline, which is why key derivation uses Argon2id and why a strong master password matters. We would still notify you of any breach.

To report a security vulnerability, contact [email protected]. We operate a responsible disclosure policy.

11. Contact

HexVault Ltd
Registered in England and Wales

Privacy enquiries & data subject rights: [email protected]
Security disclosures: [email protected]
General: [email protected]

Changes to this policy will be communicated by email to registered users and by updating the "Last updated" date above. Continued use of the service after changes constitutes acceptance of the updated policy.

© 2026 HexVault Ltd · Registered in England & Wales hexvault.co.uk — Built in the UK · Patent Pending