01 Data Controller
RakulAgn is the data controller responsible for OneVault. If you have any questions about this policy or your data, contact rakul0agn@gmail.com.
02 What OneVault Stores on Your Device
Everything you save is stored locally on your device in an encrypted database using AES-256. This includes:
- Passwords, usernames, URLs, notes, and category labels
- Credit card details
- Secure notes and TOTP (two-factor) secrets
- Emergency-access contacts
- Your PIN or password, stored only as a salted hash — never in plain text
- App settings and preferences
The encryption key is generated on your device the first time you launch the app and is stored in your operating system's secure keystore (Keychain / Keystore).
03 What OneVault Does Not Collect
OneVault has no accounts and no servers of its own. We do not collect:
- Account registration data — there is no sign-up
- Analytics or telemetry
- Crash reporting
- Advertising identifiers
- Location data
- Your contacts
- Device fingerprinting data
- Any server-side copy of your vault
04 Optional Cloud Backup (Google Drive)
Cloud backup is off by default. When you turn it on, OneVault encrypts your vault locally before anything is uploaded, and wraps the encryption key using key material derived from your Recovery Key with PBKDF2-HMAC-SHA256.
The encrypted backup is stored in the private appDataFolder of your own Google Drive. OneVault requests only the drive.appdata OAuth scope, which limits it to its own hidden folder — it cannot see or touch the rest of your Drive. We never receive a copy, and without your Recovery Key no one — including us — can decrypt the backup.
05 Breach Monitoring (HaveIBeenPwned)
The breach check is optional and runs only when you start it. When you do, your password is hashed with SHA-1 on your device and only the first 5 characters of that hash are sent to the HaveIBeenPwned range API (a technique called k-anonymity). Your actual password never leaves your device.
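The following sketch of that k-anonymity exchange is an added illustration, not OneVault's own code: the function names are hypothetical, and the network call is replaced by a constructed offline stub that records what would have been sent and answers in the range API's `SUFFIX:COUNT` line format.

```python
import hashlib

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally: (5-char prefix to send, 35-char suffix kept on device)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_body: str) -> int:
    """Search the returned SUFFIX:COUNT lines on the device for our own suffix."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != 35 or not count.isdigit():
            continue  # ignore malformed lines instead of failing the check
        if candidate.upper() == suffix:
            return int(count)  # padding-style entries carry a count of 0
    return 0  # suffix absent: not found in the breach corpus

def check_password(password: str, fetch_range) -> int:
    """fetch_range(prefix) is the only call that crosses the network."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))

def make_stub(breached: dict[str, int]):
    """Constructed stand-in for the range endpoint (assumption: no real HTTP here)."""
    sent = []  # everything the "server" gets to see

    def fetch_range(prefix: str) -> str:
        sent.append(prefix)
        lines = ["0" * 35 + ":0"]  # constructed padding-style entry
        for pw, n in breached.items():
            p, s = split_hash(pw)
            if p == prefix:
                lines.append(f"{s}:{n}")
        return "\r\n".join(lines)

    return fetch_range, sent

if __name__ == "__main__":
    fetch, sent = make_stub({"password": 42})  # constructed sample data
    print(check_password("password", fetch), sent)
```

The service still learns the 5-character prefix, which is shared by many unrelated hashes; the comparison against the remaining 35 characters happens only on the device.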
06 In-App Purchases (Google Play Billing)
Premium features are sold through Google Play Billing. Google processes all payments. We never see your payment method, card number, or billing address.
07 Permissions We Request
OneVault asks only for permissions that power a feature you use:
- Biometric authentication — to unlock your vault with your fingerprint or face
- Camera — to scan QR codes when adding two-factor codes
- Notifications — for password-expiry reminders
- Autofill — to fill logins into other apps and the browser
- Internet — used only for Google Sign-In, Drive backup, HIBP breach checks, and Play Store billing
08 Children's Privacy
OneVault is not directed at children under 13, and we do not knowingly collect any data from them.
09 Your Rights (GDPR, CCPA, and Similar Laws)
You have the right to access, correct, delete, and object to the processing of your data, and to withdraw consent. Because OneVault holds no server-side data about you, these rights are simple to exercise:
- Delete all of your data by uninstalling the app
- Revoke Google Drive access at any time at myaccount.google.com/permissions
For any request, contact rakul0agn@gmail.com.
10 International Users
Because we do not collect or store any user data, there are no cross-border data transfers to disclose.
11 Data Retention
We retain no user data. Uninstalling the app wipes the local vault from your device. If you enabled cloud backup, you can delete the encrypted backup from your own Google Drive at any time.
12 Third Parties
Only Google (Sign-In, Drive, Play Billing) and HaveIBeenPwned (optional breach checks) receive the limited data described above, and only for those specific features. Your use of those services is also subject to their own terms.
13 Changes to This Policy
We may update this policy from time to time. Material changes will be announced in the Play Store release notes. Continued use of the app after an update constitutes acceptance of the revised policy.
14 Contact
Questions about this policy or your privacy: rakul0agn@gmail.com.
© 2026 RakulAgn. OneVault is an independent project and is not affiliated with Google, Apple, or HaveIBeenPwned.