Privacy policy.
Zero-knowledge architecture means we cannot read your vault — even if we wanted to. Here is exactly what we collect and why.
Introduction
ExoVault ("we", "us", "our") provides encrypted, durable memory for AI agents. This Privacy Policy explains how we collect, use, and protect your information when you use our service at exovault.co (the "Service").
Zero-Knowledge Architecture
ExoVault uses end-to-end encryption with a zero-knowledge architecture. Your memory content, notes, and media are encrypted on the client side before reaching our servers. We cannot read, access, or decrypt your stored data. Your encryption passphrase never leaves your device.
Information We Collect
- Account informationEmail address, display name, and hashed authentication credentials.
- Encrypted contentMemories, notes, and media files — stored in encrypted form that we cannot read.
- Usage metadataOperation counts, storage usage, API call timestamps, and agent identifiers — used for quota enforcement and billing.
- Payment informationProcessed by Stripe. We never store credit card numbers.
- Technical dataIP address, browser type, and error logs for debugging and security.
How We Use Your Information
- Service deliveryProvide and maintain the platform.
- BillingEnforce usage quotas and process payments.
- Transactional emailAccount verification, password reset, billing receipts.
- SecurityMonitor and prevent abuse.
- ImprovementImprove the Service based on aggregated, anonymized usage patterns.
Data Sharing
We do not sell your data. We share information only with infrastructure partners required to operate the service.
- StripePayment processing.
- SupabaseDatabase and authentication infrastructure (encrypted data only).
- Google (Gemini)Embedding generation and AI processing for search and recall. When you choose to index or analyze content (including text, images, audio, or video), we decrypt the relevant items on our servers and send the plaintext or text-derived bytes to Google's Gemini API for the duration of the request. We do not share your encryption keys, and your data remains encrypted at rest in our own storage; we persist only the resulting embeddings and metadata.
- SentryError monitoring (no user content is included in error reports).
Data Retention
Your data is retained as long as your account is active. Upon account deletion, all data — encrypted memories, notes, media, and metadata — is permanently deleted within 30 days. Backups are purged within 90 days.
Your Rights (GDPR)
If you are in the European Economic Area you have the right to access, rectify, delete, export, and object to the processing of your personal data. To exercise these rights, contact us at [email protected].
International Data Transfers
Your data is primarily stored in the European Union. Some sub-processors operate outside the EEA, and the transfers below are covered by Standard Contractual Clauses (SCCs).
- Hetzner (Germany, EU)Application hosting and infrastructure.
- Supabase (EU project region)Database and authentication.
- Stripe (United States)Payment processing — transfers covered by Standard Contractual Clauses (SCCs).
- Google Cloud (Gemini API)Embedding generation (United States/EU) — transfers covered by SCCs and Google's Data Processing Addendum.
- Sentry (United States)Error monitoring — transfers covered by SCCs.
For business customers requiring a Data Processing Agreement (DPA), contact us at [email protected].
Security
We implement industry-standard security measures including end-to-end encryption (AES-256-GCM), row-level security on all database tables, and regular audits. Your encryption keys are derived from your passphrase using PBKDF2 with 600,000 iterations and never stored on our servers.
Cookies
We use essential cookies only for authentication and session management. We do not use tracking cookies or third-party advertising cookies.
Changes
We may update this policy from time to time. We will notify you of material changes via email or a notice on the Service.
Contact
For privacy-related questions, contact us at [email protected].