Supervault is built on a simple principle: we cannot see your data. Everything stored in your vault is end-to-end encrypted on your device before it ever reaches our servers. We have zero knowledge of your content.
Supervault is operated by Cygar Labs. When we say "we", "us", or "our" in this policy, we mean Cygar Labs. When we say "you" or "your", we mean you as a user of Supervault.
We designed Supervault to minimize data collection. Here is what we handle:
Encrypted vault data — All items you store (text, passphrases, OTP secrets) are encrypted client-side using your master key before being transmitted to our servers. We cannot decrypt, read, or access this content. We store only the encrypted ciphertext.
Account identifiers — When you create a vault, a random anonymous identifier is generated. We do not require an email address, name, phone number, or any personal information to create an account.
Session metadata — When you sign in, we store basic session information (such as an IP-derived approximate location, browser type, and session creation time) to allow you to review and manage active sessions. This data is associated with your anonymous vault identifier.
Server logs — Our servers may temporarily log IP addresses and request metadata for security and abuse prevention. These logs are automatically purged on a regular basis.
Supervault uses strong client-side encryption. Your master key never leaves your device. All encryption and decryption happens locally in your browser or app. Our servers only ever receive and store encrypted data that we cannot interpret.
This means that even if our servers were compromised, your vault contents would remain unreadable without your master key.
The limited data we hold is used exclusively to:
Your encrypted vault data is stored for as long as your vault exists. If you delete your vault, all associated data (encrypted content, session records) is permanently removed from our servers.
Temporary server logs are retained for a limited period and then automatically deleted.
We do not share your data with any third party for advertising, analytics, or marketing purposes. We may use third-party infrastructure providers (such as hosting and DNS services) to operate Supervault. These providers do not have access to your encrypted data.
Because Supervault does not collect personal information, most traditional data subject rights (access, correction, portability) do not apply in a meaningful way. However:
We take security seriously. Supervault employs end-to-end encryption, secure transport (TLS), strict content security policies, and regular security reviews to protect the service and your data.
If you discover a security vulnerability, please contact us responsibly.
Supervault is not directed at children under 16. We do not knowingly collect data from children.
We may update this privacy policy from time to time. Changes will be reflected on this page with an updated date. Continued use of Supervault after changes constitutes acceptance of the revised policy.
If you have questions about this privacy policy, you can reach us at contact_cygarlabs.com.