Privacy Policy

Last updated: May 6, 2026

ShadowVault is built on a fundamental principle: your data belongs to you. We have designed our systems so that we cannot access your private information, even if we wanted to.

What We Collect

Nothing. ShadowVault operates on a zero-knowledge architecture:

• We do NOT collect your name, email, or phone number
• We do NOT log IP addresses
• We do NOT track usage patterns or behavior
• We do NOT store message metadata (who messages whom, when, how often)
• We do NOT use cookies for tracking
• We do NOT use analytics tools (no Google Analytics, no Mixpanel, nothing)
• We do NOT share any data with third parties
• We do NOT serve advertisements

What We Store (Encrypted)

Our servers store only encrypted data that we cannot read:

• Username — your chosen pseudonym (no real name required)
• Password hash — Argon2id hash (we cannot reverse this)
• Encrypted messages — Signal Protocol ciphertext (we cannot decrypt)
• Encrypted files — AES-256-GCM ciphertext (we cannot decrypt)
• Encrypted keys — public prekeys for Signal Protocol key exchange

Encryption

All user data is encrypted end-to-end using:

• Signal Protocol (X3DH + Double Ratchet) for messages
• AES-256-GCM for files, notes, passwords, and local storage
• Argon2id for password hashing and key derivation
• Ed25519/X25519 for digital signatures and key exchange

Decryption happens exclusively on your device. Our servers never see plaintext.

Third-Party Services

We use minimal third-party services:

• Cloudflare — DDoS protection and CDN (they process IP addresses in transit but we do not access these logs)
• NowPayments — cryptocurrency payment processing (for premium subscriptions only, no personal data shared)

Data Retention

We retain encrypted data for as long as your account exists. When you delete your account, all associated encrypted data is permanently deleted within 30 days. We have no backups of your encryption keys, so deletion is irreversible.

Law Enforcement

Due to our zero-knowledge architecture, we have no useful data to provide in response to legal requests. We cannot decrypt your messages, files, or passwords. We do not have IP logs or metadata. We will notify users of any legal requests to the extent permitted by law.

Tor Access

ShadowVault is accessible via a Tor hidden service (.onion address) for users who require network-level anonymity. We support and encourage the use of Tor for accessing our services.

Children's Privacy

ShadowVault is not directed at children under 16. We do not knowingly collect information from children.

Changes to This Policy

We will notify users of significant changes via the application. This policy will always be available at vault.shadowroot.ai/privacy.

Contact

For privacy-related inquiries: [email protected]

← Back to ShadowVault Home