DataVault — Privacy Policy
Draft — pending lawyer review. This document is a working draft based on Termly/iubenda boilerplate adapted to DataVault’s specific architecture. It must be reviewed by a qualified attorney before public deployment, especially for: Belgian/EU consumer protection clauses, GDPR data-subject-rights wording, and BYOAI third-party data flow disclosures. Effective date is the date this draft is published verbatim or with minor edits.
| Document version | Status | Last updated |
|---|---|---|
| 0.1 (draft) | Pre-launch | 2026-05-02 |
1. Who we are
Quillen Labs (“we”, “us”, “our”) is the studio that publishes DataVault (“the Service”), a personal knowledge management application for managing notes, notebooks, documents, CVs, cover letters, plot outlines, and personas (collectively, “Vault Content”), with optional client-side encryption and Google Drive–backed persistence.
- Controller: Quillen Labs.
- Address: [Belgian residential address — to be filled before publication].
- Contact for privacy questions: support@datavaultapp.com (or constantin.permiakov@gmail.com until provisioning completes).
- Jurisdiction: Belgium (EU member state).
- Data Protection Officer: None appointed at this scale (DataVault does not currently meet the GDPR Article 37 thresholds requiring one). The controller (Quillen Labs) responds directly to data-subject requests.
This Privacy Policy explains what personal data DataVault processes, why, where it is stored, and what rights you have.
2. Summary in plain words
- Your Vault Content lives in your own Google Drive, not on our servers. We never see your notes, documents, CVs, etc. We only see the metadata Google needs to authorize the connection (your name, email, profile photo) plus the technical session/key data described below.
- Optional client-side encryption can be turned on. When enabled, everything on Drive is encrypted before it leaves your device. We can’t decrypt it. Lose the encryption key and the data is unrecoverable.
- Bring Your Own AI (BYOAI): if you choose to use the AI Companion feature, you supply your own API key from Gemini, OpenAI, Anthropic, or OpenRouter. Your prompts (which include relevant context from the file you’re working on) go from your device directly to the AI provider you picked. We don’t see them.
- No third-party analytics or trackers in the application. The marketing site at datavaultapp.com may use cookieless analytics — see the Cookie Policy.
3. What data we collect, and why
3.1 Identity data (from Google sign-in)
When you sign in with Google we receive:
| Data | Source | Purpose | Where it’s stored |
|---|---|---|---|
| Name | Google profile | Display in the app UI | Locally on your device (IndexedDB on web/PWA, SQLite on desktop) for offline access. |
| Email | Google profile | Display in the app UI; identify your subscription record | Same as Name. |
| Profile photo URL | Google profile | Display in the app UI | Same as Name. |
| Google user ID (sub) | Google profile | Look up your session and encryption key on our backend | DataVault backend (sessions and encryption_keys tables); see §4. |
We do not request any other Google profile fields.
3.2 Authentication data
When you sign in we hold:
| Data | Lifetime | Where |
|---|---|---|
| OAuth refresh token | Until you sign out, revoke access in your Google account, or change your Google password | Encrypted at rest with AES-256-GCM in our backend’s sessions table. The encryption key is derived from a server-side secret that is never exposed externally. |
| OAuth access token | ~1 hour, then automatically refreshed via the refresh token | In memory only on your device. Never stored to disk, never sent to our backend, never logged. |
| Opaque session ID | Until you sign out or revoke | On your device (IndexedDB / SQLite). On our backend in the sessions table. |
The session ID lets the device ask the backend for a fresh access token without you re-signing-in every hour. It’s the only piece of authentication state we keep on your device.
3.3 Vault Content (notes, documents, etc.)
Vault Content is stored in your own Google Drive, in a folder named DataVault that the app creates inside your Drive. We never receive, process, or store the contents of your Vault.
If you enable encryption, Vault Content is encrypted with AES-256-GCM client-side (on your device, in your browser or app) before it leaves your device on its way to Drive. We can’t decrypt it.
A local cached copy lives on your device (IndexedDB on web/PWA, SQLite on desktop) so the app works offline. It’s wiped when you sign out, reset your account, or clear your browser’s site data.
3.4 Encryption keys (only if you opt in)
If you turn on the encryption feature in Account → Security & Encryption, DataVault generates a 256-bit AES key. Where the key lives depends on your tier:
| Tier | Where the key lives | Notes |
|---|---|---|
| Pro (default during beta) | DataVault backend (encryption_keys table), encrypted at rest with AES-256-GCM using a server-side secret | Allows you to sign in on a new device and decrypt your vault without manually moving the key. We can’t read your data — we only hold the key. |
| Free (post-beta) | Your Google Drive (DataVaultKey.json file) with an automatic encrypted backup on the DataVault backend | Same as Pro, but the primary copy lives on your Drive so you control it directly. |
You can export your encryption key as a passphrase-protected .dvkey file at any time from Security & Encryption → “Export key.” Keep it somewhere safe — it’s the only way to recover your vault if both Drive and our backend become unavailable.
3.5 Subscription metadata
We keep one row per signed-in user in a subscriptions table on our backend, recording your tier (free or pro), status, and any expiration date. During the closed beta, all users are treated as Pro with the row auto-created on first request. No payment data lives on our backend at any point — payments (Phase 2 onwards) are handled by Lemon Squeezy as the merchant of record.
3.6 AI prompts (only if you use the AI Companion)
The AI Companion is a Bring-Your-Own-AI feature. You supply your own API key from your chosen provider (Gemini, OpenAI, Anthropic, OpenRouter), stored encrypted in IndexedDB on your device. When you send a prompt:
- The app builds a context payload from the file you’re currently working on (or the page you’re on) — file content, structure, type-specific metadata. The exact shape is defined in src/ai/context/builders/.
- The payload + your prompt is sent directly from your device to the AI provider you chose. It does not pass through our servers.
- The provider’s response is returned to your device.
- We don’t log, store, or otherwise see your prompts or the AI responses.
The provider may log your request per their own privacy policy. Your AI provider’s privacy policy applies to anything you send through the AI Companion. We recommend reading it.
3.7 Diagnostic / error data
In Phase 2 of the launch, DataVault will optionally send anonymized error reports to Sentry (a third-party error monitoring service) if you leave the opt-in toggle in Account → Privacy enabled. Vault Content is stripped from error payloads. You can opt out at any time. Until Phase 2 ships, DataVault does not send any error data anywhere.
3.8 Logs
The DataVault backend logs request method, URL, status code, and a timestamp for every API call, retained for up to 30 days for debugging and abuse prevention. These logs do not include request bodies, so they do not include refresh tokens, encryption keys, or any vault content.
4. Where your data is stored
| Category | Primary location | Backup |
|---|---|---|
| Vault Content (notes, documents, CVs, …) | Your Google Drive | A local cached copy on your device for offline use. No copy on our backend. |
| Identity data (name, email, photo) | Locally on your device (IndexedDB / SQLite) | Re-fetched from Google on next sign-in. |
| Refresh tokens | DataVault backend, EU jurisdiction (Railway PostgreSQL, hosted in the EU region), encrypted at rest | None outside our backend. Backups of the database are stored in the EU. |
| Encryption keys (Pro / backup) | DataVault backend, EU jurisdiction, encrypted at rest | Daily off-platform backup to Cloudflare R2 (EU jurisdiction) — encrypted at rest. |
| Subscription metadata | DataVault backend, EU jurisdiction | Same as backend backups. |
5. Third parties / sub-processors
| Third party | Purpose | Data they see | Their privacy policy |
|---|---|---|---|
| Google LLC (Drive + OAuth) | Authentication and storage of Vault Content in your own Drive | Your Vault Content (encrypted if you opted in); the access tokens needed to call their APIs | https://policies.google.com/privacy |
| Railway Corp. | Hosting the DataVault backend | Operational metadata only; the data on the host is encrypted at rest. They do not access application data in the normal course of business. | https://railway.com/legal/privacy |
| Cloudflare, Inc. | DNS, CDN for the marketing site, R2 storage for backend backups | Network-level metadata + the encrypted backup files for the encryption_keys table | https://www.cloudflare.com/privacypolicy/ |
| Lemon Squeezy, LLC (Phase 2 onwards) | Merchant of record for paid subscriptions | Your billing details when you subscribe (we never see your card number) | https://www.lemonsqueezy.com/privacy |
| Sentry / Functional Software, Inc. (Phase 2 onwards, opt-in) | Error monitoring | Anonymized error metadata, with vault content stripped | https://sentry.io/privacy/ |
| Your chosen AI provider (only if you use AI Companion) | Process AI prompts | Your prompts and the file context you sent | Provider-specific. |
We do not sell your data to anyone. We do not share your data with advertisers, data brokers, or any party not listed above.
6. Your rights under GDPR
You have the right to:
- Access — Ask us what personal data we hold about you. We’ll respond within 30 days. The bulk of “your data” is on your own Drive — you can inspect it directly there. The backend rows we hold are listed in §3.
- Rectification — Ask us to correct inaccurate data. (Identity data comes from Google; correct it in your Google account.)
- Erasure (“right to be forgotten”) — Ask us to delete your data. See §7 for what’s automatic and what requires a request.
- Restriction — Ask us to stop processing your data while you contest accuracy or legitimacy.
- Portability — Export your vault as a .dvault archive at any time from Account → Export Vault. The format is documented in the project’s supplemental architecture doc. The archive contains your vault JSON plus all binary assets in a portable ZIP.
- Object — Object to processing based on legitimate interest. (We process the minimum data necessary to operate the service and don’t process for marketing without explicit consent.)
- Withdraw consent — For any processing we ever ask consent for (e.g., the optional Sentry error reporting in Phase 2), you can withdraw consent at any time from Account → Privacy.
- Lodge a complaint with your local supervisory authority — for EU residents, the Belgian DPA (gegevensbeschermingsautoriteit.be) or the authority of your country of residence.
To exercise any of these rights, email support@datavaultapp.com (or constantin.permiakov@gmail.com) with the subject “GDPR request: <type>” (see §12).
7. Account deletion and data retention
What happens automatically
- Sign out: session ID is removed from the device. The backend session row remains until naturally expired (no automatic delete on sign-out; this is a known limitation we plan to tighten in Phase 3).
- Disable encryption (Account → Security & Encryption → Off): the encryption key is removed from the DataVault backend (server-managed mode) or from your Drive (drive-stored mode); your vault is re-saved unencrypted.
- Reset Account (Account → Reset Account): the entire DataVault folder on your Google Drive is deleted, the local cached vault is wiped, and you are signed out. Note (current limitation, planned fix in Phase 3 PR 3C): the backend session row and any server-managed encryption key are not yet deleted by Reset Account — they expire naturally or require an explicit deletion request from you. Until this is fixed automatically, please email us with subject “Delete my account” if you want a full backend wipe.
Retention
- Refresh tokens persist until you sign out, change your Google password, or revoke access in your Google account.
- Encryption keys persist until you disable encryption or request deletion.
- Subscription metadata persists for the lifetime of your account.
- Backend logs are kept for up to 30 days.
- Encryption-keys backup (Cloudflare R2): retained for 90 days (rolling). Backups are deleted automatically when older than 90 days.
8. Security
We protect your data with:
- TLS 1.2+ for every connection between your device and our backend.
- AES-256-GCM encryption at rest for refresh tokens and encryption keys in the backend database.
- AES-256-GCM client-side encryption (optional, but available to all users) for Vault Content on Drive.
- Limited access to the production backend (only operators with multi-factor authentication on their accounts).
No system is unbreakable. If we ever suffer a security incident affecting your data, we will notify you without undue delay (GDPR Article 34) and notify the Belgian DPA within 72 hours (GDPR Article 33).
9. Children
DataVault is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided personal data to us, contact us and we will delete it.
10. International data transfers
Your data is stored in the EU (Railway and Cloudflare R2 EU jurisdiction zones). The optional AI Companion sends your prompts to whichever AI provider you chose; some of those providers (e.g., OpenAI, Anthropic) are US-based and may process data outside the EU. We don’t control that flow — it goes directly from your device to the provider, governed by their privacy policy and your contract with them.
If we ever change the location of any data we hold on your behalf, we will update this Privacy Policy and (for material changes) notify existing users.
11. Changes to this policy
We will post material changes here, bump the version in the table at the top, and update the “Last updated” date. For substantive changes (e.g. adding a new sub-processor, expanding what we collect), we will also notify signed-in users in-app or by email.
12. Contact
- General privacy: support@datavaultapp.com (forwarder; in the interim, reach us at constantin.permiakov@gmail.com).
- GDPR data-subject requests: same address, subject "GDPR request: <type>".
- Belgian DPA: https://www.gegevensbeschermingsautoriteit.be.