← Back to Vault

Privacy Policy

Last updated: April 2026

1. What this service is

Vault is a personal notes application. It is operated by Omar Haji for personal and invited use. This policy explains what data is collected, why, and how it is stored.

2. Data we collect

  • Account data — username, email address, and a hashed password. Email is optional but required for password reset and security alerts.
  • Notes and folders — everything you write or organise inside the app.
  • Session metadata — device name (derived from your browser’s User-Agent), IP address, and login timestamps. Used to show you active sessions and detect new device logins.

3. Cookies

Vault uses two strictly necessary httpOnly cookies:

  • access_token — a short-lived JWT (5 minutes) that authenticates your requests.
  • refresh_token — a longer-lived JWT (7 days) used to silently renew your access token so you stay logged in.

These cookies are essential for the service to function. They cannot be disabled without logging out. No advertising, analytics, or tracking cookies are used.

4. How data is used

  • To authenticate you and keep your session secure.
  • To send security alert emails when a new device logs in.
  • To enable password reset via email.
  • Your notes are never read, shared, or sold.

5. Data storage and security

Data is stored in a PostgreSQL database hosted on Supabase. The application backend runs on Render. Both providers are SOC 2-compliant. All connections use TLS. Passwords are hashed with Django’s PBKDF2-SHA256. JWT cookies are httpOnly and Secure — JavaScript cannot access them.

6. Your rights

You can export all your data at any time from Settings → Export data. You can permanently delete your account and all associated data from Settings → Delete account. Both actions are immediate and irreversible.

7. Third parties

Vault uses Resend to deliver transactional emails (verification, password reset, security alerts). Your email address is shared with Resend only for this purpose and is not used for marketing.

8. Contact

Questions about this policy can be sent to omarhaji0002@gmail.com.

Privacy Policy · Vault · Vault