KeyHive

Privacy Policy

Last updated: March 14, 2026

1. Data Controller and Identity

This Privacy Policy is issued by VNATCO LLC ("Company," "we," "our," or "us"), which operates the KeyHive password manager Service accessible at keyhive.app and associated applications. VNATCO LLC is the data controller for personal data processed in connection with your use of the Service.

For all privacy-related inquiries, contact us at privacy@keyhive.app.

2. Our Zero-Knowledge Commitment

KeyHive is built on a zero-knowledge architecture. We cannot see, access, decrypt, or recover your passwords, notes, TOTP codes, file attachments, or any other vault data. Your master password is never transmitted to our servers. All encryption and decryption occurs exclusively on your device using keys derived locally from your master password. This is a fundamental architectural property of the Service, not merely a policy commitment.

As a direct consequence of this architecture, in the event of a legal order compelling disclosure of your vault contents, we have no technical means to comply. We can only produce encrypted ciphertext that is computationally infeasible to decrypt without your master password.

What this means for you: If you lose your master password, your vault data is permanently and irrecoverably gone. No one at VNATCO LLC - not engineers, not support staff, not the founder - has any ability to help you recover it. This is by design. Additionally, because your vault likely contains passwords to your other accounts (email, banking, etc.), vault loss may result in loss of access to those accounts as well. You must back up your vault by exporting it regularly through the application, and you must store your master password securely outside of KeyHive itself. VNATCO LLC assumes no liability for vault loss, master password loss, or any downstream consequences thereof.

3. Information We Collect

3.1 Account Information

When you register for a cloud account, we collect:

  • Email address - for account authentication, email verification, password reset, and critical security notifications
  • Display name - associated with your profile; you may use a pseudonym
  • Account password credential - your login password is hashed using bcrypt before storage; this is distinct from and unrelated to your master encryption password
  • Account creation date and timestamps - for fraud prevention and account management

3.2 Encrypted Vault Data

Your vault contents - including passwords, usernames, notes, TOTP secrets, file attachments, folder structures, and all associated metadata - are encrypted on your device using AES-256-GCM before transmission. We store only the resulting encrypted ciphertext. We cannot read, interpret, or access this data in any meaningful way.

3.3 Technical and Operational Data

We collect limited technical data necessary to operate the Service securely:

  • IP addresses - used for rate limiting, abuse prevention, and authentication security; not retained long-term
  • Device tokens - hashed identifiers used to enable trusted device recognition for authentication; no plaintext device identifiers are stored
  • Sync timestamps - used for vault conflict resolution across devices
  • Session data - encrypted session tokens to maintain authenticated sessions
  • Error and diagnostic logs - technical error reports that do not contain vault contents; retained for a limited period for debugging and service improvement

3.4 Payment Information

If you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc. We do not collect, transmit, or store your credit card numbers, bank account details, or other sensitive payment credentials. We receive only non-sensitive billing metadata from Stripe (such as the last four digits of your card and billing address) for invoice and account management purposes. Stripe's processing of your payment data is governed by Stripe's Privacy Policy.

3.5 Information We Do NOT Collect

  • Your master password or any derivative thereof
  • Decrypted vault contents of any kind
  • Browsing history, website usage patterns, or autofill activity
  • Behavioral analytics or usage tracking data
  • Third-party advertising identifiers or tracking cookies
  • Biometric data (biometric authentication occurs locally on your device)

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Service provision - to operate, maintain, and improve the Service
  • Authentication and security - to verify your identity, manage sessions, and detect and prevent unauthorized access
  • Cloud synchronization - to store and deliver your encrypted vault across your devices
  • Communication - to send verification emails, password reset codes, critical security alerts, and material service notices
  • Billing and account management - to manage subscriptions, process payments, and send billing records
  • Abuse prevention and legal compliance - to enforce rate limits, investigate fraud, and comply with applicable legal obligations

We do not use your information for advertising, do not sell your information to third parties, and do not engage in behavioral profiling.

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following legal bases apply to our processing of your personal data under the General Data Protection Regulation (GDPR) and applicable national data protection laws:

  • Performance of a contract (Article 6(1)(b) GDPR) - processing your account information, encrypted vault data, and session data is necessary to provide the Service you have requested
  • Legitimate interests (Article 6(1)(f) GDPR) - processing technical and operational data for security monitoring, abuse prevention, and service improvement, where such interests are not overridden by your rights and interests
  • Legal obligation (Article 6(1)(c) GDPR) - processing necessary to comply with applicable law
  • Consent (Article 6(1)(a) GDPR) - where we seek your consent for any processing not covered by the above bases, which you may withdraw at any time

6. Data Storage and Security

Your encrypted data is stored on servers with the following protections in place:

  • All vault data is AES-256-GCM encrypted by your device before transmission and storage
  • All connections to the Service use TLS 1.2 or higher for encryption in transit
  • Server and database access is restricted, access-controlled, and monitored
  • Account login passwords are hashed using bcrypt with an appropriate cost factor
  • Database backups contain only encrypted ciphertext
  • Device tokens are stored in hashed form only

Even in the event of a complete server or database compromise, an attacker would obtain only encrypted ciphertext that is computationally infeasible to decrypt without your master password. Our zero-knowledge architecture means that a breach of our servers would expose only encrypted ciphertext, not your readable vault contents.

No method of transmission over the Internet and no method of electronic storage is 100% secure. We cannot guarantee absolute security of the Service or your data. Despite our zero-knowledge design and security measures, we cannot warrant that unauthorized third parties will never be able to defeat our security measures or that your data will never be accessed, disclosed, altered, or destroyed as a result of a security breach, hardware failure, software defect, human error, or any other cause. You use the Service at your own risk. In the event of a security incident, our liability is limited as set forth in the Terms of Service. If you become aware of any security vulnerability or incident related to the Service, please notify us promptly at privacy@keyhive.app.

Because KeyHive decrypts your vault data locally on your device, the security of your device and browser environment is your sole responsibility. We are not responsible for and bear no liability for any loss, disclosure, or theft of your master password, decrypted vault data, or session credentials resulting from: a compromised, infected, or malware-affected device or operating system; a compromised web browser or malicious browser extension; keyloggers, screen capture software, spyware, ransomware, trojans, viruses, or any other malicious software present on your device; unauthorized physical or remote access to your device; or any other threat originating within your local environment. VNATCO LLC has no visibility into, or control over, your device or browser environment, and has no ability to protect you from threats that exist on your own hardware or software. Maintaining a secure, malware-free device is entirely your responsibility.

7. Data Sharing and Disclosure

We do not sell, rent, trade, or share your personal data with third parties for commercial purposes. We may disclose information only in the following limited circumstances:

  • Payment processor - Stripe, Inc. receives billing information to process subscription payments. Stripe never receives vault data.
  • Infrastructure providers - we may use cloud hosting or infrastructure services to operate our servers. Such providers process data only under our direction and are bound by appropriate data processing agreements.
  • Legal requirements - if compelled by a valid legal order, subpoena, court order, or governmental authority, we will disclose only what we are legally required to disclose. Due to our zero-knowledge architecture, any vault data we can provide will be encrypted and undecryptable without your master password. We will notify you of such requests to the extent permitted by law.
  • Protection of rights - we may disclose information where necessary to protect the rights, property, or safety of VNATCO LLC, our users, or the public, or to detect and prevent fraud or security threats.
  • Business transfers - in connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any material changes to applicable privacy terms.

8. International Data Transfers

Our servers are located in the United States. If you access the Service from the EEA, the United Kingdom, Switzerland, or other regions with data protection laws, your information may be transferred to and processed in the United States, which may have different data protection standards than your country of residence.

Where required by applicable law, we implement appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms. You may request information about our transfer mechanisms by contacting us at privacy@keyhive.app.

Importantly, because all vault data is encrypted on your device before transmission, the practical privacy risk of international transfer of vault data is minimal regardless of the legal framework, as transferred data is encrypted ciphertext we cannot decrypt.

9. Local-Only Mode

KeyHive offers a local-only mode where your encrypted vault is stored entirely on your device. In local-only mode, no vault data or account information is transmitted to or stored on our servers. No account registration is required. We collect no personal data from users operating in local-only mode, other than the technical minimum required by any app store platforms through which you downloaded the application (which is governed by those platforms' respective privacy policies).

10. Cookies and Local Storage

The KeyHive web application uses only the following essential cookies and local storage, with no advertising or analytics tracking of any kind:

  • Session cookies - HttpOnly, Secure, SameSite=Strict flags set; used solely for authentication session management
  • CSRF tokens - for request validation and protection against cross-site request forgery
  • Local storage / IndexedDB - used to cache your encrypted vault on your device for offline access; all cached data is encrypted

We do not use analytics cookies, advertising cookies, pixel trackers, or any third-party tracking technologies. We do not use Google Analytics or any similar analytics platform.

11. Data Retention

  • Active accounts - account and vault data is retained as long as your account remains active
  • Deleted accounts - upon account deletion, all vault data, account information, and associated metadata are permanently and irreversibly deleted from our systems within a commercially reasonable time
  • Expired free trials - encrypted vault data for expired trial accounts is retained for a reasonable period to facilitate reactivation, after which it is permanently deleted
  • Rate limit and security logs - automatically purged upon expiration of the applicable rate limit or security monitoring window
  • Billing records - retained as required by applicable tax and financial record-keeping law

12. Your Rights (All Users)

Regardless of your location, you have the following rights with respect to your data:

  • Access and export - you may export your vault data at any time through the application in a portable format
  • Correction - you may update your account information (email, display name) through account settings
  • Deletion - you may permanently delete your account and all associated data at any time through the application settings
  • Portability - you may export your vault in a standard format for use with other services

13. Additional Rights for EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the GDPR and applicable national law:

  • Right of access (Article 15) - the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy
  • Right to rectification (Article 16) - the right to have inaccurate personal data corrected and incomplete data completed
  • Right to erasure (Article 17) - the right to have your personal data deleted in certain circumstances
  • Right to restriction of processing (Article 18) - the right to restrict how we process your data in certain circumstances
  • Right to data portability (Article 20) - the right to receive your data in a structured, machine-readable format
  • Right to object (Article 21) - the right to object to processing based on legitimate interests, including for direct marketing
  • Right to withdraw consent - where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint - the right to lodge a complaint with your national data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). A list of EU supervisory authorities is available at edpb.europa.eu.

To exercise any of these rights, contact us at privacy@keyhive.app. We will respond within the timeframes required by applicable law (generally within 30 days). Please note that due to our zero-knowledge architecture, we cannot provide the contents of your encrypted vault, as we do not have access to it.

14. Rights for California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights:

  • Right to know - the right to know what categories and specific pieces of personal information we collect, use, disclose, and sell about you
  • Right to delete - the right to request deletion of personal information we have collected from you, subject to certain exceptions
  • Right to correct - the right to request correction of inaccurate personal information
  • Right to opt out of sale or sharing - we do not sell or share your personal information for cross-context behavioral advertising, and have not done so in the preceding 12 months
  • Right to limit use of sensitive personal information - where applicable, the right to limit the use of sensitive personal information to necessary purposes
  • Right to non-discrimination - we will not discriminate against you for exercising any of your CCPA rights

To submit a CCPA request, contact us at privacy@keyhive.app with the subject line "CCPA Request." We will verify your identity before processing your request. We do not require you to create an account to exercise your rights, and we will not charge a fee for reasonable requests.

Categories of personal information collected in the preceding 12 months: identifiers (email address, account name, IP address); commercial information (subscription and billing records); internet or network information (session data, device tokens). We do not collect sensitive personal information as defined under the CPRA beyond what is necessary to operate the Service.

15. Children's Privacy

The Service is intended exclusively for users who are 18 years of age or older. We do not knowingly collect, solicit, or process personal information from any person under the age of 18. If we become aware that we have inadvertently collected personal information from a person under 18 years of age, we will take immediate steps to delete that information from our systems. If you believe we may have collected information from or about a minor, please contact us immediately at privacy@keyhive.app.

16. Do Not Track

Some browsers transmit "Do Not Track" signals to websites. We do not currently respond to such signals in a differentiated manner because we do not engage in cross-site tracking of any kind regardless of whether a Do Not Track signal is received.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will post updated versions on this page with a revised "Last updated" date. For material changes, we will provide additional notice via email or in-app notification prior to the change taking effect. Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the changes. If you do not accept the updated policy, you must stop using the Service and may delete your account.

18. Contact and Complaints

For any privacy-related questions, requests, or concerns, please contact VNATCO LLC at:

privacy@keyhive.app
VNATCO LLC

EEA, UK, and Swiss residents have the right to lodge a complaint with their applicable supervisory authority if they believe their data protection rights have not been adequately addressed by us. We encourage you to contact us first so we can attempt to resolve your concern directly.


© 2026 VNATCO LLC. KeyHive - Your passwords, your control.