Welcome to EnclavePass ("we," "our," or "us"). We provide a secure, zero-knowledge password and data vault service accessible via EnclavePass.com (the "Service").
We are committed to protecting your personal data. This Privacy Policy explains how we handle your information in compliance with the General Data Protection Regulation (GDPR) and other relevant privacy laws.
The Core Principle
We operate on a Zero-Knowledge Architecture. This means that while we store your encrypted data, we do not have the technical keys required to decrypt, view, or access the contents of your vault.
Under the GDPR, distinct roles apply to different types of data:
For your Account Information (e.g., your email address, subscription status): We are the Data Controller. We decide why and how this data is processed (to manage your account and billing).
For your Vault Data (e.g., the passwords and notes you store): You are the Data Controller. You decide what is stored. We are the Data Processor. We provide the storage infrastructure but cannot access the content.
Legal Entity
EnclavePass
Contact Email: privacy@enclavepass.com
To provide our Service, we utilize client-side encryption.
Encryption
Your data is encrypted on your device using a key derived from your Master Password before it is transmitted to our servers.
No Knowledge
We never receive your Master Password or your Encryption Key. We receive only encrypted binary blobs (ciphertext).
Consequence
It is mathematically impossible for EnclavePass employees, contractors, or potential attackers to decrypt your vault data.
Recovery
Because we do not possess your keys, we cannot reset your password or recover your data if you lose your credentials and your Emergency Kit.
We collect only the data strictly necessary to operate the Service.
We process your data based on the following legal grounds (GDPR Article 6):
Contractual Necessity
We need your email and encrypted blobs to provide the Service you signed up for.
Legal Obligation
We must retain certain billing records to comply with tax and accounting laws.
Legitimate Interests
We process technical logs (IP addresses) to ensure the security and integrity of our infrastructure.
We do not sell your data. We share data only with trusted third-party service providers ("Sub-processors") required to operate our infrastructure.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, Authentication, and Real-time services | EU (Ireland) |
| Vercel | Web Hosting and Serverless Functions | Global (Edge Network) |
| Stripe | Payment Processing and Billing | USA / Global |
All sub-processors are vetted for GDPR compliance and are bound by Data Processing Agreements (DPAs). Transfers to the USA are protected under mechanisms such as the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs).
Vault Data
Retained as long as your account is active. Deleted immediately upon account closure.
Account Information
Retained as long as your account is active.
Billing Records
Retained for 10 years as required by tax laws.
Backups
Encrypted database backups are retained for 30 days for disaster recovery purposes.
You have the following rights regarding your personal data:
Right to Access
You can access your account information via the Dashboard.
Right to Rectification
You can update your email or payment details in Settings.
Right to Erasure
You can permanently delete your account and all associated encrypted data instantly via the "Danger Zone" in your Settings dashboard. This action is irreversible.
Right to Portability
You can export your decrypted vault data into a portable JSON format via the Settings dashboard.
Right to Restriction/Objection
You may object to the processing of your data for specific purposes, though this may prevent us from providing the Service.
To exercise any rights not available directly in the dashboard, please contact us at privacy@enclavepass.com.
In accordance with GDPR Article 32, we implement state-of-the-art security measures:
Pseudonymization
All vault data is fully encrypted client-side.
Encryption in Transit
All data is transmitted over HTTPS/TLS 1.3.
Encryption at Rest
Database volumes are encrypted on disk.
Access Control
Strict Role-Based Access Control (RBAC) and Row Level Security (RLS) policies enforce that users can only access their own data.
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on our Service. Continued use of the Service after changes constitutes acceptance of the new policy.
If you have questions about this policy or your privacy rights, please contact our Data Protection Officer (DPO) or privacy team:
EnclavePass Privacy Team
privacy@enclavepass.com