Token Vault

Last updated: February 2026

Privacy Policy

Token Vault (“we”, “us”, “our”) operates tokenvault.uk and docs.tokenvault.uk. This privacy policy explains what data we collect, how we use it, and your rights under applicable data protection law including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller

Token Vault is operated by Conor Grant.
Contact: contact@tokenvault.uk

What Data We Collect

Account Data

When you create a Token Vault account, we collect:

  • Email address (via Firebase Authentication)
  • Authentication tokens and session identifiers

Credential Data

Token Vault offers two operating modes that handle credential data differently:

Webhook Mode (self-hosted storage): Your credentials are stored on your own infrastructure. We only store metadata required for the service to function, including vault item names, service identifiers, agent grant scopes and expiry timestamps, webhook configuration, and timestamps. We do not store, access, or have the ability to read your actual credentials in this mode.

Platform Mode (Token Vault-hosted storage): Your credentials are encrypted using AES-256-GCM and stored in our infrastructure on Google Cloud Firestore. While we store the encrypted credential data, we operate a zero-knowledge architecture and cannot decrypt or access your stored secrets. No credentials are ever stored in plain text. Only you and your authorised agent grants can retrieve decrypted credentials.

In both modes, we store operational metadata such as vault item names and labels, service identifiers and template types, agent grant scopes and expiry timestamps, and timestamps (created, modified, last accessed).

Technical Data

When you visit our website, the following data may be collected automatically:

  • IP address (processed by Cloudflare)
  • Browser type and version
  • Pages visited and referral source
  • Device type and screen resolution

Usage Analytics

We do not currently collect detailed usage analytics beyond what is described above. We may in future introduce anonymised, non-identifiable usage logging (such as feature usage frequency and aggregate request counts) to help us plan product development and capacity. This data will never include credentials, secrets, or personally identifiable information. If we make this change, we will update this policy and the “Last updated” date accordingly.

How We Use Your Data

We process your data for the following purposes:

  • Service provision: To authenticate you, manage your vaults, and process agent grants and webhook requests.
  • Security: To detect and prevent unauthorised access, abuse, or security incidents.
  • Infrastructure operation: To maintain uptime, diagnose errors, and manage capacity.

We do not use your data for advertising, profiling, or marketing purposes.

Legal Basis for Processing

We process your data under UK GDPR Article 6(1)(b) (contract, to provide the service), Article 6(1)(f) (legitimate interest, for security and infrastructure), and Article 6(1)(a) (consent, for optional analytics cookies).

Third-Party Services

Token Vault uses the following third-party services that may process your data:

| Service | Purpose | Data Processed |
|---|---|---|
| Firebase Authentication (Google) | User authentication | Email address, auth tokens |
| Cloud Firestore (Google) | Encrypted data storage | Encrypted vault data, metadata |
| Google Cloud Run (Google) | API infrastructure | API request data (in transit) |
| Cloudflare | DNS, CDN, DDoS protection | IP address, request metadata |
| Google Tag Manager / Google Analytics | Website analytics | IP address, page views, device info |

Each third-party service processes data in accordance with their own privacy policies. Google services operate under the Google Cloud Data Processing Addendum. Cloudflare operates under their Data Processing Addendum.

Data Storage and Security

  • In Platform Mode, credentials are encrypted using AES-256-GCM and stored on Google Cloud Firestore. No credentials are stored in plain text.
  • In Webhook Mode, credentials remain on your infrastructure. We store only operational metadata.
  • All data in transit is protected by TLS 1.3.
  • We operate a zero-knowledge architecture in both modes: we cannot access or decrypt your stored secrets.

For full details of our security practices, see our Security page.

Data Retention

  • Account data: Retained for the lifetime of your account. Deleted within 30 days of account deletion.
  • Credential metadata: Deleted when you delete individual vault items or your account.
  • Technical/analytics data: Retained for up to 26 months (Google Analytics default retention period).
  • Server logs: Retained for up to 30 days for debugging and security purposes.

Your Rights Under GDPR

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate personal data
  • Erase your personal data (“right to be forgotten”)
  • Restrict processing of your personal data
  • Data portability to receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interest

To exercise any of these rights, email contact@tokenvault.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

Cookies

Token Vault uses the following cookies:

  • Essential cookies: Firebase authentication session cookies, required for the service to function. These cannot be disabled.
  • Analytics cookies: Google Analytics cookies for understanding website usage. These are optional and can be declined.
  • Cloudflare cookies: Security cookies used for bot detection and DDoS protection.

International Transfers

Your data may be processed outside the UK by our third-party service providers (Google, Cloudflare). These transfers are protected by appropriate safeguards including Standard Contractual Clauses and the UK International Data Transfer Agreement where applicable.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the “Last updated” date at the top. For significant changes affecting how we process your data, we will make reasonable efforts to notify you via email.

Contact Information

If you have questions about this privacy policy or your personal data, contact us at contact@tokenvault.uk.