🔒 Privacy Policy

SnapVault

Effective Date: April 1, 2026 · Last Updated: April 1, 2026

1. Introduction

Welcome to SnapVault, a private photo, video, and document vault developed by SAS Labs ("we", "us", or "our"). We are committed to protecting your personal data and your right to privacy.

This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it. It applies to all users of the SnapVault iOS application ("App").

📌 Short version: Your private media never leaves your device unencrypted. We do not sell your data or use it for advertising.

2. Encryption & Security Architecture

SnapVault is built with a security-first architecture. All user content is encrypted before it is written to local storage or transmitted to cloud servers.

🔐 Encryption Specification

Algorithm: AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode)
Key Size: 256 bits (32 bytes)
Mode: GCM — provides both confidentiality and authenticated integrity (tamper detection)
Key Storage: Encryption keys are stored exclusively in the Apple Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly protection class
Encryption Library: Apple CryptoKit (AES.GCM) — Apple's on-device, FIPS-validated cryptographic framework
Thumbnail Cache: Decrypted thumbnail cache files are also AES-256-GCM encrypted at rest using the same key
Transport: All network traffic uses TLS 1.2+ (enforced via App Transport Security; no arbitrary loads are permitted)

Authentication

Google Sign-In via Firebase Authentication (OAuth 2.0, OpenID Connect)
Optional PIN (hashed with SHA-256 before storage)
Optional Face ID / Touch ID (via Apple LocalAuthentication framework, biometric data never leaves the Secure Enclave)

3. Information We Collect

3.1 Information You Provide

Data	Purpose	Linked to You
Google Account email & display name	Authentication, account creation	Yes
Photos, videos, documents, text notes	Core vault functionality (encrypted)	No — encrypted
In-app purchase history	Subscription status verification	Yes
PIN (SHA-256 hash only)	Album and app lock security	No

3.2 Information Collected Automatically

Data	Purpose	Tracking
Device model, OS version, app version	Analytics & crash diagnostics	No
Anonymous usage events (screen views, feature usage)	Product improvement analytics	No
Break-in alert photo (front camera)	Captured locally when wrong PIN is entered; stored in your vault	No — on-device only
Firebase anonymous installation ID	Analytics session association	No

🚫 We do not collect advertising identifiers (IDFA), use cross-app tracking, or share any data with advertising networks. NSPrivacyTracking is set to false.

4. How We Use Your Information

App Functionality: To encrypt, store, and decrypt your media files and documents on-device and in the cloud backup
Authentication: To identify your account and sync your encrypted vault across your devices via Google Sign-In and Firebase
Subscription Management: To verify and manage your subscription status via Apple StoreKit 2 and Firebase Firestore
Analytics: To understand how features are used and improve the app (anonymous, non-tracking events via Firebase Analytics)
Security: To detect unauthorized access attempts via break-in alert capture (stored only on your device)
Legal Compliance: To comply with applicable laws and enforce our Terms of Service

5. Third-Party Services

SnapVault uses the following third-party services. Each operates under its own privacy policy.

Service	Provider	Purpose	Privacy Policy
Firebase Authentication	Google LLC	Sign-in via Google account	firebase.google.com/support/privacy
Firebase Firestore	Google LLC	Encrypted cloud metadata storage	firebase.google.com/support/privacy
Firebase Storage	Google LLC	Encrypted media file cloud backup	firebase.google.com/support/privacy
Firebase Analytics	Google LLC	Anonymous usage analytics	firebase.google.com/support/privacy
Google Sign-In	Google LLC	OAuth 2.0 authentication	policies.google.com/privacy
Apple StoreKit 2	Apple Inc.	In-app purchase processing	apple.com/legal/privacy

All media files uploaded to Firebase Storage are encrypted with AES-256-GCM on-device before transmission. Firebase only stores ciphertext and cannot read your content.

6. Device Permissions

Permission	When Requested	Why It's Needed
Camera	When using in-app camera	Capture photos/videos directly into the encrypted vault
Photo Library (read)	When importing photos/videos	Select media to import and encrypt
Photo Library (write/delete)	When "Delete Originals" is enabled	Remove originals from Camera Roll after secure import
Microphone	When recording video	Record audio for video files
Face ID	When enabling biometric lock	Unlock the vault via Face ID / Touch ID (data stays in Secure Enclave)

You can revoke any permission at any time in Settings → Privacy & Security on your device.

7. Data Retention & Deletion

Local Data

Encrypted media files and thumbnails are stored in the app's sandboxed container. They are automatically removed when you delete the app, or you can manually delete individual items or entire albums within the app.

Cloud Data

If cloud sync is enabled, encrypted files are stored in Firebase Storage and metadata in Firebase Firestore under your user account. You can:

Disable cloud sync at any time in Settings
Delete individual files, albums, or documents from within the app (also removes from cloud)
Permanently delete your entire account and all associated cloud data via Settings → Delete Account

Account deletion permanently removes all data from our servers within 30 days.

8. Children's Privacy

SnapVault is not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately and we will delete it.

9. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of personal data we hold about you
Rectification: Request correction of inaccurate data
Erasure: Request deletion of your data ("Right to be Forgotten")
Portability: Request a machine-readable copy of your data
Restriction: Request that we limit processing of your data
Objection: Object to processing based on legitimate interests

To exercise any right, contact us at saslabs.corp@gmail.com. We will respond within 30 days.

California residents may exercise rights under CCPA. EEA/UK residents may exercise rights under GDPR/UK GDPR. We do not sell personal information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by updating the "Last Updated" date at the top of this page and, where appropriate, through an in-app notification. Your continued use of SnapVault after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Developer: SAS Labs
Email: saslabs.corp@gmail.com
Privacy Policy URL: https://sasilabs.github.io/snapvault/privacy
Terms of Service URL: https://sasilabs.github.io/snapvault/terms