Privacy Policy

Effective date: 19 May 2026

Applies to: sealedkeys.com and all related services

1. Who we are

SealedKeys is a trading name of Novastack Solutions Ltd, a private limited company incorporated in England and Wales (company number 16779485), with its registered office at 128 City Road, London, United Kingdom, EC1V 2NX.

Novastack Solutions Ltd is the data controller for the personal data described in this policy. We are registered with the Information Commissioner’s Office (ICO) as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What this policy covers

This policy explains what personal data we collect when you use SealedKeys, why we collect it, how we use it, and what rights you have over it.

This policy does not cover data you store inside your encrypted vault. Because of our zero-knowledge architecture (explained in section 3), we cannot access, read, or process the contents of your vault — that data is encrypted before it reaches us and we hold only ciphertext.

3. The zero-knowledge architecture

What this means for your privacy

Your vault contents — passwords, API keys, SSH keys, notes — are encrypted in your browser using AES-256-GCM before being transmitted to our servers. The encryption key is derived locally from your Master Password, which we never receive. We store only ciphertext. We are technically incapable of reading your secrets.

This means our obligations as a data controller are limited to the non-encrypted data described in section 4. Your encrypted vault contents are processed by us only as a data processor acting on your instructions (storing and returning ciphertext), and we cannot access them.

4. Data we collect

We collect the following categories of personal data:

Account data

Data                  | Purpose                                                        | Legal basis
----------------------|----------------------------------------------------------------|--------------------
Email address         | Account identification, login, service communications          | Contract
Name (optional)       | Personalisation within the app                                 | Contract
Hashed password       | Authentication (bcrypt hash — we cannot recover your password) | Contract
Account creation date | Account management, fraud prevention                           | Legitimate interest

Vault metadata (not vault contents)

Data                       | Purpose                           | Legal basis
---------------------------|-----------------------------------|------------
Vault item names           | Display and search within the app | Contract
Vault item types           | Categorisation and display        | Contract
Item URLs/domains          | Display for login-type items      | Contract
Item tags                  | Organisation within the app       | Contract
Created/updated timestamps | Display and sorting               | Contract

Security and audit data

Data                          | Purpose                                          | Legal basis
------------------------------|--------------------------------------------------|---------------------------------------
Audit log entries             | Security monitoring, compliance, user visibility | Legitimate interest / Legal obligation
MFA status (enabled/disabled) | Authentication security                          | Contract
Login events                  | Security monitoring                              | Legitimate interest
IP address (in server logs)   | Security, fraud prevention, troubleshooting      | Legitimate interest

Billing data (Pro Plan)

Data                | Purpose                                            | Legal basis
--------------------|----------------------------------------------------|-----------------
Payment information | Processed by Stripe — we do not store card numbers | Contract
Billing history     | Invoicing, tax, dispute resolution                 | Legal obligation

Communications

Data             | Purpose                            | Legal basis
-----------------|------------------------------------|--------------------
Support emails   | Resolving your queries             | Legitimate interest
Security reports | Handling vulnerability disclosures | Legitimate interest

5. How we use your data

We use your personal data to:

  • Provide, operate, and improve the Service.
  • Authenticate you when you log in.
  • Send transactional emails (account creation, password change confirmations, MFA changes).
  • Send service notifications (billing, maintenance, security alerts).
  • Investigate and resolve security incidents.
  • Comply with legal obligations.
  • Respond to support requests.
  • Detect and prevent fraud or abuse.

We do not use your personal data for advertising, profiling, or sale to third parties. We do not use the contents of your encrypted vault for any purpose.

6. Legal bases for processing

Under UK GDPR, we process your personal data on the following legal bases:

  • Contract — processing necessary to provide the Service you have agreed to use.
  • Legitimate interest — security monitoring, fraud prevention, improving the Service, where these interests are not overridden by your rights.
  • Legal obligation — where we are required to process data by law (e.g. tax records).
  • Consent — where we explicitly ask for it (e.g. optional marketing emails, if introduced in future).

7. Data sharing and third parties

We share personal data with the following categories of third parties:

  • Infrastructure provider: Hetzner Online GmbH (server hosting, EU datacentres). Your data is stored on servers located in the European Union.
  • Payment processor: Stripe Payments Europe Ltd. Stripe processes payment information on our behalf under their own privacy policy.
  • Email provider: to be added when email delivery is implemented (Resend or SendGrid). Used only for transactional emails.
  • Professional advisers: lawyers and accountants, under obligations of confidentiality.
  • Law enforcement: if required by law, court order, or to protect the rights, property, or safety of SealedKeys, our users, or the public.

We do not sell your personal data. We do not share it with advertisers or data brokers.

All third-party processors are bound by data processing agreements and are required to process your data only in accordance with our instructions.

8. International transfers

Your data is stored on servers in the European Union (Hetzner, EU datacentres). We do not currently transfer personal data outside the UK or EU/EEA as part of our core infrastructure.

Where third-party services process data outside the UK or EU/EEA (for example, Stripe’s global infrastructure), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

9. Data retention

We retain your personal data for as long as your Account is active and as needed to provide the Service.

  • Account data: retained until you delete your Account, plus up to 30 days for deletion to propagate.
  • Vault item metadata and encrypted data: deleted within 30 days of Account deletion.
  • Audit logs: retained for 12 months from the date of each event.
  • Server logs (including IP addresses): retained for up to 90 days for security purposes.
  • Billing records: retained for 7 years as required by UK tax law.
  • Support correspondence: retained for 2 years.

When you delete your Account, your encrypted vault data is permanently erased. Because of the zero-knowledge architecture, we cannot provide your vault contents in decrypted form. We strongly recommend you export your vault before deleting your Account.

10. Your rights

Under UK GDPR, you have the following rights:

  • Right of access — to obtain a copy of the personal data we hold about you.
  • Right to rectification — to have inaccurate personal data corrected.
  • Right to erasure — to have your personal data deleted, subject to legal obligations.
  • Right to restriction — to restrict how we process your data in certain circumstances.
  • Right to data portability — to receive your data in a structured, machine-readable format.
  • Right to object — to object to processing based on legitimate interests.
  • Rights relating to automated decision-making — we do not make automated decisions with significant effects on you.

To exercise any of these rights, contact us at hello@sealedkeys.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

Note: because of the zero-knowledge architecture, we cannot provide the contents of your encrypted vault in response to a data access request — we do not have the decryption key. You can access your vault contents directly through the Service.

11. Cookies

SealedKeys uses a small number of cookies that are strictly necessary to operate the Service:

  • Session cookie: stores your encrypted session token to keep you logged in. Set on login, cleared on logout.
  • CSRF protection cookie: used by NextAuth to prevent cross-site request forgery.

We do not use advertising cookies, tracking pixels, or third-party analytics. We do not use Google Analytics or similar services.

Because we use only strictly necessary cookies, we do not require a cookie consent banner under UK PECR. If we introduce non-essential cookies in future, we will update this policy and implement appropriate consent mechanisms.

12. Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

  • AES-256-GCM encryption of all vault contents client-side.
  • TLS 1.2+ in transit for all connections.
  • Bcrypt hashing (cost factor 12) for authentication passwords.
  • Two-factor authentication available for all accounts.
  • Rate limiting on authentication endpoints.
  • Audit logging of security-relevant events.
  • Regular review of access controls and dependencies.

If you discover a security vulnerability, please report it to security@sealedkeys.com in accordance with our Responsible Disclosure Policy at sealedkeys.com/disclosure.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected users without undue delay where required.

13. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@sealedkeys.com and we will delete it promptly.

14. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by a prominent notice in the Service at least 14 days before the changes take effect.

The effective date at the top of this page will always reflect the date of the most recent version.

15. Contact and complaints

For questions, requests, or complaints about this policy or our handling of your personal data:

Novastack Solutions Ltd

128 City Road, London, United Kingdom, EC1V 2NX

Company number: 16779485

Email: hello@sealedkeys.com

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

This policy was last updated on 19 May 2026. This document is a draft and should be reviewed by a qualified solicitor before relying on it commercially.