Privacy Policy
01/The short version
HexVault cannot read your passwords. Your encryption key is derived on your device and never sent to us. What we store is encrypted data that is meaningless without your key. This policy covers the other, limited data we do handle.
02/Who we are
HexVault is an independently operated service based in the United Kingdom. The service is currently in early access.
Privacy questions go to [email protected].
03/What we collect
Here is what we collect:
- Email address. Collected when you register or join the waitlist. Used to identify your account and send you service-related messages.
- Encrypted vault data. Your passwords, notes, and other entries, encrypted on your device before they reach us. We store ciphertext only and have no way to decrypt it.
- Account metadata. Last login time, 2FA status, settings. Nothing here relates to your passwords.
- Activity logs. Login events, vault access times, and security events. Kept for 90 days for security monitoring, then deleted.
- Contact messages. If you get in touch, we keep your message and email address long enough to respond.
- IP addresses. Captured in standard server logs and security event records. Not used for tracking.
We do not collect payment details. When billing launches, that will be handled by a third-party payment processor.
04/What we don't collect
- Your plaintext passwords — technically impossible by design
- Your master password — never transmitted to our servers
- Advertising identifiers or tracking pixels
- Behavioural or analytics data beyond server logs
- Device fingerprints beyond what is required for trusted device functionality
- Location data beyond your IP address
05/How your vault is protected
Your vault is encrypted on your device using AES-256-GCM. The key comes from your master password, derived locally via PBKDF2 with 250,000 iterations. That key stays on your device.
Without your master password, our database is useless. No employee, no server breach, and no legal order can produce your plaintext passwords. We simply do not have them.
This is not a promise. It is a technical constraint built into how the system works. We could not read your passwords even if we wanted to.
06/How we use your data
- Waitlist email. You get one email when HexVault launches publicly. Nothing until then.
- Account email. Used for login, security alerts (breach detections, new device logins), and essential service messages.
- Activity logs. Security monitoring and, if needed, account recovery.
- Contact messages. Responding to you.
We do not advertise with your data, sell it, or share it with anyone outside what is described here.
07/Third-party services
- Cloudflare. DNS, DDoS protection, and CDN. Cloudflare sees IP addresses and request metadata as traffic passes through their network.
- Have I Been Pwned. We check for breaches using k-anonymity. Only the first 5 characters of a hashed version of your password are sent. Your actual password never leaves your device.
- Postmark. Sends our transactional emails. Your address is shared with them only for delivery.
We use no analytics, tracking pixels, or advertising services.
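The k-anonymity lookup described under Have I Been Pwned, as an added example that is not HexVault's code. It assumes the Pwned Passwords range format (SHA-1 hash, response lines of `SUFFIX:COUNT`); the policy itself does not name the hash. `make_constructed_server` and its sample entries are constructed stand-ins so the block runs offline.

```python
import hashlib

def split_hash(password):
    """Return (prefix, suffix): 5 hex chars that are sent, 35 that stay local.
    SHA-1 is an assumption taken from the Pwned Passwords range format."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue  # malformed line: ignore rather than guess
        if int(count) > 0:  # a count of 0 marks a padding entry
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Compare the suffix locally; only the prefix is handed to fetch_range."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_constructed_server(breached):
    """Offline stand-in for the range endpoint (hypothetical helper).
    breached maps password -> count; returns (fetch_range, request_log)."""
    request_log = []
    def fetch_range(prefix):
        request_log.append(prefix)
        lines = ["0" * 35 + ":0", "F" * 35 + ":7"]  # padding + unrelated entry
        for pw, n in breached.items():
            p, s = split_hash(pw)
            if p == prefix:
                lines.append(f"{s}:{n}")
        return "\r\n".join(lines)
    return fetch_range, request_log

if __name__ == "__main__":
    fetch, log = make_constructed_server({"password": 42})  # constructed count
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, fetch))
    print("sent to server:", log)  # 5-character prefixes only
```

The request log is the part worth auditing: it holds only 5-character prefixes, each of which is shared by many unrelated hashes, so the server cannot tell which entry in the returned bucket was being checked.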
08/Data retention
- Waitlist emails. Kept until you ask us to delete them or the service has launched publicly.
- Account data. Kept for as long as your account is open. Deleted within 30 days of closure.
- Activity logs. 90 days, then automatically deleted.
- Contact messages. Up to 12 months, then deleted.
- Server access logs. Up to 30 days.
09/Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Object to processing of your data
- Receive your data in a portable, machine-readable format
- Withdraw consent at any time where processing is based on consent
To use any of these, email [email protected]. We respond within 30 days.
If you think we have handled your data incorrectly, you can complain to the ICO at ico.org.uk.
10/Cookies
We use one session cookie, which is required for you to stay logged in. No tracking cookies, no analytics cookies, no banner.
11/Changes to this policy
If we make significant changes to this policy, we will email registered users before the changes take effect. The current version is always at hexvault.co.uk/privacy-policy.