Privacy Policy

Effective: April 19, 2026  ·  Wundervault

We built Wundervault to be private by default. This policy explains what data we collect, why, and what we never touch.

Zero-Knowledge Architecture

Your secrets are encrypted on your device before they leave it. We store only ciphertext — we have zero knowledge of your vault contents and cannot decrypt them even if compelled to. Your passphrase is never transmitted to our servers. This is by design, not policy — it is technically impossible for us to access your secrets.

What We Collect

  • Email address — for account creation, verification, and optional newsletter
  • Encrypted vault blob — AES-256-GCM encrypted client-side; we cannot read it
  • Access logs — IP address, timestamp, action type; retained 90 days for security and abuse prevention
  • WebAuthn credential metadata — for biometric unlock; contains no secret data
  • Account preferences — settings you configure in the dashboard

What We Don't Collect

  • Plaintext secrets — ever
  • Your passphrase — never transmitted to our servers
  • Device fingerprints or tracking identifiers
  • Browsing history or cross-site behavior
  • Any data for advertising purposes

Cookies

We use a single httpOnly JWT session cookie — required for secure authentication. We do not use tracking cookies, analytics cookies, or advertising cookies.

Newsletter

If you opt in to the Wundervault newsletter — during registration or via the newsletter signup page — your email address is shared with Beehiiv (our newsletter platform) solely for the purpose of delivering newsletter emails. Beehiiv processes your email in accordance with their own privacy policy. You can unsubscribe at any time using the one-click link in any newsletter email.

We do not share your email for any other purpose and do not combine newsletter subscription data with your vault usage data.

Third-Party Services

  • Resend — transactional email (verification emails, contact form). Receives your email address for delivery purposes only.
  • Beehiiv — newsletter platform. Receives your email address only if you subscribe to the newsletter.

No third-party analytics. No ad networks. No data sold or shared beyond what is described above.

Data Retention

  • Access logs — retained for 90 days, then deleted
  • Encrypted vault blobs — retained until account deletion
  • Email address — retained until account deletion, or until you unsubscribe (for newsletter-only)
  • Backups — encrypted backups are retained for up to 30 days after account deletion before being purged

Security

  • All data in transit over TLS
  • Vault encryption: AES-256-GCM, key derived via PBKDF2 (600,000 iterations)
  • Passwords hashed with bcrypt (cost factor 13)
  • Zero-knowledge architecture — vault key never known to server

Your Rights (GDPR)

  • Right to access — you can view your account data in the dashboard
  • Right to erasure — account deletion permanently removes all your data
  • Right to rectification — contact us to correct inaccurate account data
  • Right to portability — export feature planned for a future release
  • Right to object — you may opt out of the newsletter at any time; we have no other marketing uses of your data

Children's Privacy

Wundervault is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with their data, please contact us so we can delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted with a new effective date. Continued use of the service after changes take effect constitutes acceptance.

Contact

Privacy questions or data requests: Send us a message or email [email protected].