Privacy Policy
Effective Date: March 4, 2026 | Last Updated: March 4, 2026Overview
Upvault is operated by an individual developer (contact: [email protected]). This Privacy Policy explains what personal data we collect, how we use it, and your rights.
Upvault is a local-first application. Your conversations, documents, notes, and AI context data are stored exclusively on your device or your own Google Drive. This content never passes through Upvault's servers.
Information We Collect
Account Information
When you sign in, we collect your email address via Google OAuth or direct email. Authentication is handled by Supabase.
License & Payment
Payments are processed by Lemon Squeezy. We receive your email address, license key, and plan type. Credit card details are handled solely by Lemon Squeezy and never reach us.
Device Metadata
For multi-device sync, we store a hashed device identifier, device name, platform type, and last sync timestamp.
Website Logs
When you visit upvault.app, Cloudflare (our hosting provider) collects standard web server logs: IP address, browser type, and access timestamps. We do not use this data for tracking.
What We Do NOT Collect
The following stays on your device only and never reaches our servers:
- Chat conversations and AI responses
- Imported documents, files, and notes
- Vector embeddings (RAG data)
- Your AI API keys (encrypted in your OS keychain)
- Google Drive file contents
How We Use Your Data
| Data | Purpose |
|---|---|
| Email address | Authentication, license verification, support |
| License key | Plan verification and feature access |
| Device metadata | Multi-device sync management |
| Server logs | Security and abuse prevention |
We do not use your data for advertising, profiling, or sale to third parties.
Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Authentication & sync metadata | supabase.com/privacy |
| Lemon Squeezy | Payment & license management | lemonsqueezy.com/privacy |
| OAuth & Google Drive sync | policies.google.com/privacy | |
| Cloudflare | Website hosting & CDN | cloudflare.com/privacypolicy |
Note on Google Drive: When you enable sync, Upvault requests access to a specific folder in your Google Drive. Your device communicates directly with Google's API — Upvault's servers do not intermediate this connection.
Data Retention
| Data | Retention |
|---|---|
| Account data | Until account deletion |
| License data | Until license expiry or deletion |
| Device records | Until device removal or account deletion |
| Server logs | 30 days (Cloudflare default) |
| Local app data | Until you uninstall the application |
Your Rights
You have the right to access, correct, delete, and export your personal data, and to withdraw consent for optional processing. Contact us at [email protected] to exercise these rights.
Security
- API keys are encrypted using your OS keychain (Windows Credential Manager / macOS Keychain / Linux Secret Service)
- Authentication uses industry-standard OAuth 2.0 with PKCE
- All server communications use TLS
- Encrypted notes use AES-256-GCM
Children's Privacy
Upvault is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect data from children.
Changes
We may update this policy. Significant changes will be communicated via the app or email. Continued use after changes constitutes acceptance.
Contact
Privacy inquiries: [email protected]
Service: Upvault — upvault.app