OpaqueVault is operated by OpaqueVault, Inc., a company incorporated in the State of Arizona, United States. References to "OpaqueVault," "we," "us," or "our" in this policy refer to OpaqueVault, Inc.
Contact: [email protected]
When you create an account, we collect your email address. We use it to authenticate you, send transactional emails (account confirmation, password reset), and communicate service updates. We do not sell your email address or use it for advertising.
We store a randomly generated 16-byte salt associated with your account. This salt is used by your device to derive your Key Encryption Key (KEK) from your master password via Argon2id. The salt is not secret — it is returned when you authenticate — but it is unique per user and necessary for key derivation. We cannot derive your KEK from it.
We store the encrypted output of your secrets: ciphertext_b64, nonce_b64, dek_encrypted_b64, and dek_nonce_b64. These are the only forms in which your secrets exist on our servers. We cannot decrypt them. We do not have your master password, your KEK, or any Data Encryption Key in plaintext. A subpoena to OpaqueVault cannot produce your plaintext secret values because we do not have them.
We also store secret names in plaintext in the current MVP release. We plan to encrypt secret names in a future release.
We store a BLAKE3 hash of each API key you create, a display prefix (the first 8 characters), a name, scope, and creation/revocation timestamps. The plaintext API key is shown to you exactly once at creation and is never stored by us.
We log every secret operation (read, write, delete, list) and MCP interceptor event. Log entries include: operation type, HMAC-SHA256 hash of the secret ID (not the name or value), the API key ID used, IP address, user agent, and timestamp. Secret names and values never appear in log entries.
We collect standard server logs including:
We use this data to operate, secure, and improve the service. We retain server logs for 90 days.
Payment processing is handled by Stripe. We do not store credit card numbers or payment card data on our servers. We store your Stripe customer ID and subscription status. Stripe's privacy policy governs how Stripe handles your payment data.
We use the data we collect to:
We do not use your data for behavioral advertising. We do not sell your data to third parties. We do not use your data to train machine learning models.
We share data only in the following circumstances:
We retain your account data for as long as your account is active. When you delete your account:
To delete your account, go to app.opaquevault.com → Settings → Delete Account, or email [email protected].
We use industry-standard security practices including encryption in transit (TLS 1.3 with ML-KEM-768 + X25519 hybrid KEM), encryption at rest (AES-256-GCM), access controls, and audit logging. Our zero-knowledge architecture means the most sensitive data — your secret values — is never accessible to us or our infrastructure.
To report a security vulnerability, email [email protected]. See our Security page for our full disclosure policy.
If you are a California resident, you have the right to:
To exercise these rights, email [email protected]. We will respond within 45 days.
OpaqueVault is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, contact us at [email protected].
We may update this policy from time to time. We will notify you of material changes by email and by posting a notice on the site at least 30 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
Questions about this policy:
[email protected]
OpaqueVault, Inc. · Arizona, United States