Privacy Policy
Effective date: 05/12/2026
This Privacy Policy explains how Vault processes personal data when you use the Vault secret management and operational documentation platform.
1. Controller
The data controller is:
SMARTSOURCE Dawid Senko
ul. Elżbiety Zawackiej 3
66-400 Gorzów Wielkopolski
Lubuskie, Poland
Email: contact@elmiva.com
2. Data We Process
We process the data needed to provide Vault, including:
- account data, such as email address, authentication identifiers, and profile settings;
- workspace data, such as workspace membership, roles, permissions, invitations, and seat usage;
- user content, such as articles, runbooks, documentation, rich-text content, secret metadata, and secret descriptions;
- encrypted secret values and related secret metadata stored by users in the service;
- security and audit data, such as access events, secret read events, permission changes, login events, IP address, user agent, session identifiers, and request metadata;
- billing data, such as Stripe customer IDs, subscription IDs, subscription status, seat quantities, and billing portal or checkout events;
- limited analytics and product telemetry, where enabled after user consent.
Vault does not display third-party advertisements.
3. Authentication, Sessions, and Local Storage
Vault uses Supabase Auth for account authentication, including email/password login and Google OAuth. Cloudflare Turnstile is used during registration to reduce automated abuse.
Vault may use cookies and browser local storage for authentication/session state, device session identifiers, workspace preferences, theme preferences, UI locks, and similar service settings. These items are used to operate the application and are not used to display third-party ads.
Additional details about cookies and browser storage may be described in the Cookie Policy.
4. Security Model
Vault uses a server-side collaboration and permission model. Access is scoped to workspaces and controlled through workspace roles and per-resource permissions.
Secret values are encrypted on the server using AES-256-GCM. Each secret uses a separate data encryption key, and those keys are wrapped with Google Cloud KMS. Security-sensitive activity may be recorded in audit and access history systems.
Vault does not use client-side encryption, end-to-end encryption, or a zero-knowledge architecture. The master password feature is a UI lock and is not a backend authorization or encryption boundary.
No system can be guaranteed perfectly secure. You are responsible for managing the data you choose to store in Vault and for keeping your account credentials secure.
5. Purposes of Processing
We process data to:
- provide, maintain, and secure Vault;
- authenticate users and manage sessions;
- create and manage workspaces, permissions, secrets, pages, runbooks, and documentation;
- maintain audit history around access, rotation, permissions, and collaboration workflows;
- process subscriptions, seat management, and billing through Stripe;
- detect abuse, troubleshoot errors, and protect service availability;
- communicate service, billing, security, and legal updates;
- comply with applicable legal obligations.
6. Legal Bases
Where GDPR applies, we process personal data based on:
- contract performance, to provide Vault and related account features;
- legitimate interests, including service security, abuse prevention, diagnostics, auditability, and product improvement;
- legal obligations, where retention or disclosure is required by law;
- consent, where required for optional analytics or similar non-essential processing.
7. Third-Party Services
Vault uses or may link to third-party services needed to operate the platform:
- Supabase, for authentication;
- Google OAuth, for optional sign-in;
- Google Cloud KMS, for wrapping per-secret encryption keys;
- Stripe, for payments, subscriptions, and billing portal access;
- Cloudflare Turnstile, for bot protection during registration;
- GitHub, external documentation, and support resources, where linked from the product.
These services process data under their own terms and privacy policies when you interact with them directly.
8. Payments
Payments are processed by Stripe. Vault does not process full card numbers. Supported payment methods are Visa, Mastercard, and American Express, subject to Stripe availability.
You can manage or cancel subscriptions through the billing section of your Vault account, which redirects to the Stripe Customer Portal where available.
9. Data Retention
We retain personal data for as long as needed to provide the service, maintain security records, resolve disputes, comply with legal obligations, and support billing or audit history.
Some records, such as audit logs and access history, are maintained for security and operational accountability. Deleted workspaces or resources may leave retained records where needed for audit, billing, security, or legal reasons.
10. Your Rights
Where applicable, you may request access to, correction of, deletion of, restriction of, portability of, or objection to processing of your personal data.
To exercise your rights, contact us at contact@elmiva.com. We may need to verify your identity before acting on a request.
11. International Transfers
Some service providers may process data outside your country or the European Economic Area. Where required, we rely on appropriate safeguards such as contractual protections or transfer mechanisms made available by those providers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Users will receive email notice before material changes become effective, with at least 7 days' advance notice.
Updates may take effect immediately when required for security updates, bug fixes, legal compliance, or court orders.
13. Contact
Questions about this Privacy Policy can be sent to: