Skip to content
AppVault

FILE P1 / LEGAL · PRIVACY

What AppVault collects, what it sends, what it never has.

This policy applies to the AppVault iOS application (Apple App Store, bundle com.vastflow.appvault) and the website at appvau.lt. It supersedes all earlier versions. Effective date: 2026-05-20.

1. Who we are

AppVault is published by Vastflow ("we", "us"). You can reach the team at [email protected]; privacy-specific questions go to [email protected]. We do not run user accounts and have no login system.

2. Scope and summary

AppVault is an on-device encrypted vault for photos, videos and documents. The files you place in the vault are encrypted on your iPhone or iPad with a key derived from your pattern and never leave the device. They are not uploaded to our servers, because we do not run servers that hold user content. The app does send a small amount of anonymous, content-free product telemetry and crash diagnostics so we can improve stability and the purchase funnel. This page describes exactly what those signals contain, what permissions the app requests, and what data we never have.

3. Vault contents (your files)

The photos, videos and documents you import into AppVault are encrypted with AES-256-GCM using a key derived from your pattern via PBKDF2 and stored inside the app's sandboxed container. The vault directory is marked with the iOS attribute NSURLIsExcludedFromBackupKey = YES, which keeps it out of iCloud Backup and out of iTunes/Finder local backups by design. The pattern itself is never persisted in cleartext; the master keys are wrapped in the iOS Keychain with the access flag kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which prevents the keys from syncing to iCloud Keychain or restoring onto a different device. We never see vault contents, vault filenames, vault counts, vault sizes, your pattern, your recovery phrase, or any cryptographic material.

4. Product analytics (Firebase Analytics)

AppVault uses Google Firebase Analytics to record anonymous, content-free funnel events — onboarding step reached, paywall view, subscription tap, feature toggle. These signals let us see where users get stuck and which features get used, so we can improve the app. The events never contain your files, file names, file sizes, file counts, your pattern, your recovery phrase, or any text you typed into the app. Counters that touch sensitive behaviour (for example, consecutive wrong-pattern attempts) are bucketised before they leave the device, so the remote view never sees a precise per-user value.

Firebase Analytics also automatically collects an Identifier for Vendors (IDFV) and basic device context (iOS version, device model, app version, country derived from IP, language). Because AppVault has no account system, these identifiers are not linked to a name, email, phone number, or any other personal information. We do not enable Firebase Audiences, Firebase Remote Config personalisation, or any Firebase advertising feature. Data is processed by Google under Firebase's privacy terms.

5. Crash and stability diagnostics (Firebase Crashlytics)

When the app crashes or throws a fatal Flutter error, Firebase Crashlytics records a stack trace, the iOS version, the device model, the app version, an anonymous installation UUID, and the breadcrumb log of recent UI events. Crash reports are used to find and fix bugs. They do not contain vault contents, filenames, the pattern, the recovery phrase, or any field a user has typed into the app. Crashlytics is governed by the same Firebase privacy terms as Analytics.

6. Subscriptions and purchases (RevenueCat + Apple)

AppVault sells two auto-renewing subscriptions — Weekly Premium (from USD 3.99 / week) and Yearly Premium (from USD 29.99 / year, with a 7-day free trial for new subscribers) — through Apple In-App Purchase. We do not offer a monthly plan, a lifetime plan, or any non-subscription purchase. Prices vary by App Store region. Apple, not us, processes payment; Apple's privacy policy governs the billing transaction and the payment data you give them. We use RevenueCat as a thin wrapper around StoreKit to manage entitlements (which user has access to Premium), validate App Store receipts, and surface offerings. RevenueCat sees an anonymous AppVault-generated user ID, the receipt Apple returned, the country code of the App Store account, and basic device context. RevenueCat does not see your Apple ID, your email, your card details, your name, or any vault content. Data is processed by RevenueCat in the United States under their privacy terms.

7. Tracking across other apps and websites

AppVault does not engage in cross-app or cross-website tracking. We do not integrate Meta SDK, TikTok SDK, ad mediation networks, attribution SDKs, or marketing automation pixels. The AppTrackingTransparency framework is linked into the binary (Apple's standard utility) but the v1 build does not call requestTrackingAuthorization, so iOS will not present the App Tracking Transparency prompt and no IDFA is read. If a future version of the app needs the IDFA for any reason, we will show the system ATT prompt and respect your choice.

8. iOS permissions and what they are used for

The app requests the following iOS permissions only when the matching feature is used, and only for the purpose described in the system prompt:

9. The website (appvau.lt)

The marketing website at appvau.lt uses Microsoft Clarity to record anonymous session activity — clicks, scrolls, rage clicks, and a coarse heat map of the viewport — so we can improve the page. Clarity automatically masks input fields and does not record passwords or form contents. The site respects the Do Not Track header. We do not run third-party advertising trackers, retargeting pixels, affiliate cookies, Meta pixels, Google remarketing tags, LinkedIn Insight tags or TikTok pixels on the site.

10. What we never have

Because AppVault has no account system, we never have your name, your email address (unless you write to us), your phone number, your postal address, your payment details, your Apple ID, or any login credential. We never have your pattern, your recovery phrase, your vault contents, or any per-user file metadata.

11. Categories of data, in App Store Connect terms

For the App Store Privacy nutrition label, our declared categories are:

"Not linked to you" reflects the truth that we have no identity to link the records to: there is no account, no email, no name on file.

12. Children

AppVault is rated 17+ on the App Store and is not directed to children. We do not knowingly collect data from anyone under 13, and we do not knowingly collect data from anyone under 16 in jurisdictions where 16 is the applicable age of digital consent. If you believe a child has used AppVault in a way that resulted in data being sent to our processors, contact [email protected] and we will work with Firebase and RevenueCat to purge the relevant installation identifiers.

13. Your rights (GDPR, UK GDPR, CCPA, and similar)

You may request a copy of any personal data we hold about you, ask us to correct it, ask us to delete it, restrict our processing of it, object to our processing, or ask us to transmit it to another controller. Because we run no account system, in practice we have no records linked to you as a named individual. Where we do have an anonymous installation identifier (Firebase IDFV, RevenueCat anonymous user ID), we can purge it on request.

To exercise these rights, write to [email protected] with the subject "Data request". We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority. We do not sell personal information and we do not share personal information with third parties for cross-context behavioural advertising, as those terms are defined under the CCPA/CPRA.

14. Account and data deletion

To delete the data on your device, delete the AppVault app from your iPhone or iPad. This removes the encrypted vault directory, the Keychain entries (because they are marked ThisDeviceOnly) and the local catalog. To request deletion of the anonymous identifiers stored by Firebase and RevenueCat, write to [email protected] with the subject "Delete my data" and include your AppVault installation ID, visible in Settings → About → Installation ID inside the app. We will purge the matching record from our processors and confirm in writing.

15. International transfers

Our processors store and process data in the United States and the European Union. Where required by GDPR, we rely on the Standard Contractual Clauses approved by the European Commission as the lawful basis for transfer.

16. Security

Vault encryption uses AES-256-GCM with a key derived from your pattern via PBKDF2 (high iteration count). Master keys are protected by the iOS Keychain with the WhenUnlockedThisDeviceOnly attribute, which means they cannot be extracted from the device and cannot follow you to a new device. The vault directory is excluded from iOS backups. Encryption is performed locally, on your device, by code that ships inside the app — there is no server-side decryption path that an attacker could compromise to access user data.

17. Third-party services, summarised

18. Changes to this policy

If we change this policy in a way that affects how data is collected or shared, we will publish the updated version at appvau.lt/privacy with a new effective date and announce the change inside the app on next launch. Continued use of AppVault after the new effective date means you accept the revised policy.

19. Contact

For any question about this policy or about how AppVault handles data, write to [email protected]. For data access or deletion requests, use the same address with the appropriate subject line. We respond within five business days, and always within the 30-day window required by GDPR.