Vaulthaus

Privacy Policy

Effective January 1, 2026

Overview

Vaulthaus is a zero-knowledge password manager that runs entirely in your browser. We do not operate a server, we do not have a database, and we have no ability to read, recover, or transmit your passwords or any other vault contents. This Privacy Policy describes the limited ways the application interacts with your device and any third-party services you choose to enable.

For the purposes of this policy, "Vaulthaus", "the app", or "we" refers to the Vaulthaus open-source web application. "You" refers to the individual using the app in their own browser.

Information We Collect

None on a server. Vaulthaus does not transmit credentials, vault contents, master passwords, usage analytics, telemetry, error reports, or any personally identifying information to any server controlled by us. We do not have a backend.

Stored locally on your device:

  • Encrypted vault data— every credential, note, and TOTP secret you save is encrypted with AES-256-GCM using a key derived from your master password (PBKDF2-SHA256, 600,000 iterations). The ciphertext is stored in your browser's IndexedDB. The plaintext is never written to disk.
  • Vault metadata — KDF parameters (iteration count, random salt) and a small encrypted verification blob used to detect an incorrect master password.
  • User preferences — your theme choice (dark or light), auto-lock timeout, clipboard auto-clear duration, and default password generator settings.
  • Optional cached lookups — anonymized SHA-1 prefix responses from the breach-check service (see below), retained for up to 24 hours to avoid repeat network calls.
  • Optional Google access token — if you enable Cloud Sync, the OAuth access token Google issues is cached in localStorage for the lifetime of the token (typically one hour). The token grants access only to the Vaulthaus app folder in your Google Drive — see "Google Drive sync" below.

All locally stored data can be wiped at any time from the Settings page or by clearing your browser's site data for the Vaulthaus origin.

Your Master Password

Your master password never leaves your browser. It is used only to derive the encryption key for your vault. We do not transmit it, store it in plaintext, or have any mechanism to recover it. If you forget your master password, your vault cannot be decrypted by anyone — including us.

Third-Party Services

Vaulthaus optionally communicates with the following third-party services. Each one is opt-in or scoped to specific actions you take.

Have I Been Pwned (haveibeenpwned.com)

When you run a breach scan from the Health page, Vaulthaus computes the SHA-1 hash of each of your stored passwords locally, and sends only the first five hexadecimal characters of each hash to api.pwnedpasswords.com. The full hash and the password itself never leave your device. This technique is known as k-anonymity. The HIBP service receives no information that lets it identify you or learn your passwords. See haveibeenpwned.com/Privacy.

Google Drive (sync — opt-in only)

If you choose to enable Cloud Sync, Vaulthaus uses Google Identity Services to request the drive.appdata OAuth scope. This scope grants Vaulthaus access to a hidden, per-application folder in your Google Drive — and nothing else. We cannot read, list, modify, or delete any other file in your Drive.

When you press Upload, Vaulthaus uploads only the already-encrypted ciphertext of your vault, plus the KDF metadata (salt, iteration count, verification blob). Google receives encrypted data that it has no key to decrypt. When you press Restore, Vaulthaus downloads that same encrypted blob and replaces your local vault.

You can revoke Vaulthaus's Google Drive access at any time at myaccount.google.com/permissions. Revoking access does not delete the encrypted backup file in your Drive — to delete it, use the Drive Files API or empty your trash. Information you provide to Google is governed by Google's Privacy Policy.

DuckDuckGo Favicons

When you save a credential with a URL, Vaulthaus may request a favicon from icons.duckduckgo.com for visual identification. The request transmits the hostname of the URL you saved (e.g. github.com). It does not transmit the full URL, your username, password, or any other vault data.

Google Fonts

The application loads typefaces from fonts.googleapis.com and fonts.gstatic.com. These requests are made by your browser as part of normal stylesheet loading and contain no vault data.

Cookies

Vaulthaus does not set cookies. The app uses browser localStorage and IndexedDB for local storage of your vault, preferences, and (if enabled) Google access token. None of this data is transmitted to us.

Children's Privacy

Vaulthaus is not directed at children under the age of 13 and we do not knowingly collect personal information from children. Because Vaulthaus does not collect any personal information at all on a server, this restriction is structural rather than policy-based.

Data Retention

All vault data is retained on your device until you delete it. You can wipe the local vault from the Settings page ("Wipe vault on this device"), or by clearing site data in your browser. If you have enabled Cloud Sync, the encrypted backup file in your Google Drive is retained until you delete it from your Drive or revoke Vaulthaus's access.

Your Rights

Because we do not collect or process your personal data, traditional data subject rights (access, rectification, erasure, restriction, portability, objection) apply directly to the local copy of your vault on your device:

  • Access & portability — export your vault at any time from the Settings page (encrypted backup or plaintext JSON).
  • Erasure — wipe your vault at any time from the Settings page.
  • Rectification — edit any credential at any time from the vault.
  • Withdrawal of consent for sync — disconnect Google Drive from the Sync page, and revoke the OAuth grant in your Google Account.

Security

Vaulthaus uses cryptographic primitives provided by your browser's Web Crypto API: PBKDF2-SHA256 (600,000 iterations, OWASP 2023 guidance) for key derivation, AES-256-GCM for encryption with unique 96-bit IVs per encryption, and SHA-1 / SHA-256 for hashing as appropriate. Source code is available for inspection; the app does not ship third-party cryptography libraries.

Vaulthaus cannot defend against compromise of the device on which it runs. Malicious browser extensions, keyloggers, or operating system compromise can reveal your master password as you type it. Use Vaulthaus on devices you trust.

International Data Transfers

Because Vaulthaus does not transmit your vault to any server controlled by us, no international transfer of personal data occurs through our use. If you enable Cloud Sync, your encrypted backup is transferred to Google's infrastructure under Google's terms.

Changes to This Policy

We may update this Privacy Policy from time to time. The "Effective" date at the top of this page reflects the most recent version. Material changes will be highlighted in the application's release notes.

Contact

For questions about this policy, please open an issue on the project's GitHub repository or contact the maintainer of the deployment you are using.