Last updated: February 2026
This privacy policy applies to the hosted Vault1984 service at vault1984.com. If you self-host Vault1984, your data never touches our servers and this policy doesn't apply to you — your privacy is entirely in your own hands.
When you use hosted Vault1984, we store:
Fields marked as L2 are encrypted in your browser using a key derived from your WebAuthn authenticator (Touch ID, Windows Hello, or a hardware security key) via the PRF extension. The encryption key never leaves your device. Our servers store only the resulting ciphertext. We cannot decrypt L2 fields, and no future policy change, acquisition, or legal order can change this — the mathematical reality is that we don't have the key.
When you create a hosted vault, you choose a region. All infrastructure is Hostkey TIER III.
EU data stays on EU servers. US data stays on US servers. We don't replicate across regions unless you explicitly request it.
We use infrastructure providers (cloud hosting, DNS) to run the service. These providers process encrypted data in transit but do not have access to your vault contents. We do not use any analytics services, advertising networks, or data brokers.
If compelled by valid legal process, we can only provide: your email address, account creation date, and encrypted vault data. L1 data is encrypted with your vault key (which we do not store). L2 data is encrypted client-side. In practice, we have very little useful information to provide.
You can delete your account and all associated data at any time from the web interface. Deletion is immediate and irreversible. Backups containing your data are rotated out within 30 days.
We'll notify registered users by email before making material changes to this policy. The current version is always available at this URL.
Questions about this policy? Email privacy@vault1984.com.