Privacy Policy
Effective May 16, 2026
VAULT Messenger ("VAULT", "we", "us") is an end-to-end encrypted messaging service. This policy describes the personal information we collect, how we use it, and the choices you have. Plain English first, legalese never.
1. Information we collect
We collect the minimum information necessary to run the service:
- Account data. A handle you choose, optional first and last name, optional phone number, optional email address. Phone and email are stored only after you verify them.
- Authentication data. One-time codes sent to your phone or email during sign-in. Codes are stored as short-lived hashes; we don't keep the raw values.
- Device data. Push notification token, app version, operating system family. Used to deliver notifications and diagnose crashes.
- Encrypted message blobs. While a recipient is offline we hold their messages, encrypted, until delivery. We do not have the keys to decrypt them.
- Billing data. Customer ID with our third-party payment provider, subscription state, credit balance, and a record of transactions. Card numbers are held by the payment provider and never reach VAULT.
- Optional phone-book hashes. If you choose to find contacts who already use VAULT, your device computes SHA-256 hashes of phone numbers and sends those hashes only. We never receive the underlying numbers.
2. Information we do not collect
- Plaintext message content or call audio.
- Your address book in its original form.
- Card numbers, CVCs, or banking credentials.
- Location data.
- Tracking data from third-party advertising networks.
3. How we use information
We use the data described above to:
- Deliver messages, voice and video calls between you and your contacts.
- Authenticate you when you sign in.
- Process payments and apply credits.
- Detect abuse, fraud, and policy violations.
- Send you transactional emails (sign-in codes, receipts, billing alerts).
- Improve reliability and performance through aggregated, non-identifying metrics.
We do not use your data to train AI models. We do not sell your data. We do not show advertising in VAULT.
4. AI features and third-party model providers
VAULT offers optional AI features (chat, image generation, video generation, voice). When you use one of these features, the prompt you submit is sent to a third-party model provider for processing. Examples of providers we use include OpenAI, Anthropic, Google, Black Forest Labs, Kling, and Runware. The provider list may change as models evolve.
Prompts you send to an AI feature are not end-to-end encrypted with the model provider, because the provider needs the plaintext to compute a response. Each provider's own privacy policy governs how it retains your prompt; most do not use API content for training, but you should treat prompts to AI features as you would treat any data sent to a search engine.
5. Sharing
We share personal data only with:
- Service providers needed to operate VAULT (database and edge-function host, content-delivery network, payment processor, SMS and email delivery vendors, and the AI providers referenced above). Each is bound by contract to use the data only to deliver their service. Specific vendor names are available on request to privacy@vault-messenger.com for GDPR / CCPA verification.
- Law enforcement in response to valid legal process. Because we have no access to message content or call audio, the records we can produce are limited to account metadata and billing history.
- Acquirers in the event of a sale or merger, after a notice period during which you may delete your account.
We never sell personal data and we never share data for cross-context behavioral advertising.
6. Retention
Encrypted messages waiting for delivery are retained for up to 30 days, then purged. Account records are kept while your account is active. After deletion, account records are removed from our active systems within 30 days; billing records are retained as required by applicable tax and accounting law (typically 7 years).
7. Your choices
- Edit your account. Update your handle, name, phone, or email from Settings.
- Delete your account. Settings → Delete Account. Once confirmed, your record and queued ciphertext are purged.
- Opt out of phone-book matching. Don't enable contact discovery, or revoke the OS-level Contacts permission at any time.
- Control notifications. Per-OS notification settings apply to VAULT push notifications.
- Export data. Email privacy@vault-messenger.com and we will provide a copy of the data we hold about you.
8. Regional rights
If you live in the European Economic Area, the United Kingdom, Switzerland, or California, you have additional rights under GDPR or the CCPA — including the right to access, correct, delete, port, or restrict processing of your data, and to object to certain processing. To exercise these rights, contact privacy@vault-messenger.com. We will respond within 30 days.
9. Children
VAULT is not directed to children under 13 and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, contact privacy@vault-messenger.com and we will delete it.
10. International transfers
VAULT operates from the United States. By using the service you understand that your data may be transferred to and processed in the United States, where data-protection laws may differ from those of your country.
11. Changes
We will post material changes to this policy on this page and, for substantive changes, notify active users in-app. Continued use of VAULT after the effective date constitutes acceptance.
12. Contact
Questions or complaints? Email privacy@vault-messenger.com.