OpsTools SecretVault
Back

Privacy Policy

OpsTools SecretVault · Effective: March 22, 2026 · Last Updated: March 22, 2026

1. Introduction

OpsTools ("we," "us," "our") operates SecretVault, a free, zero-knowledge secrets manager web application. This Privacy Policy explains how we collect, use, store, and protect your information.

We are committed to protecting your privacy. SecretVault is built on a zero-knowledge architecture, which means we technically cannot access the contents of your encrypted vault, your master password, or your decrypted secrets at any time.

2. Zero-Knowledge Architecture

What we CANNOT see or access:
  • Your master password
  • Your decrypted master encryption key
  • The contents of your vault entries (passwords, notes, credentials, etc.)
  • Any plaintext secret data stored in your vault
How it works:
  • Your master password derives an encryption key locally using PBKDF2-SHA256 with 600,000 iterations
  • Vault data is encrypted locally using AES-256-GCM before transmission
  • Our servers store only encrypted ciphertext
  • If you lose your master password, we cannot recover your data

3. Information We Collect

Account Information:
  • Email address — stored in plaintext for account identification
  • Password verifier — bcrypt hash (not reversible)
  • Encrypted master key — AES-256-GCM ciphertext
Audit Logs (retained 90 days, then purged):
  • IP address, user agent, action performed, timestamp
We do NOT collect:
  • Tracking cookies
  • Third-party analytics
  • Advertising trackers
  • Plaintext secrets

4. How We Use Your Information

  • Account creation and authentication (contract performance)
  • Providing vault storage service (contract performance)
  • Security monitoring and abuse prevention (legitimate interest)
  • Audit logging for your security (legitimate interest)
  • Service improvement — aggregated, anonymized (legitimate interest)
  • Complying with legal obligations

5. Data Storage & Security

SecretVault is deployed on Amazon Web Services (AWS):
  • Compute: AWS ECS
  • Database: AWS RDS PostgreSQL, encrypted at rest
  • In Transit: TLS 1.2+
  • At Rest: AWS-managed encryption keys
  • Application-Level: AES-256-GCM client-side encryption

6. Data Retention

  • Account data: Until you delete your account
  • Encrypted vault entries: Until you delete the entry or account
  • Audit logs: 90 days, then purged
  • Session tokens: In-memory only (15-min access, 72-hour refresh)
  • Database backups: 30 days, encrypted at rest

7. Data Sharing

We do not sell, rent, trade, or share your personal information with third parties for marketing or advertising.

Even if compelled by legal process, we cannot provide plaintext vault contents due to our zero-knowledge architecture. We can only provide encrypted ciphertext, your email address, and audit log metadata.

8. Your Rights

All users: Access, export, and delete your data at any time.

GDPR (EEA residents): Right of access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent. We respond within 30 days.

CCPA (California residents): Right to know, delete, opt-out (we do not sell data), and non-discrimination. We respond within 45 days.

9. Children's Privacy

SecretVault is not intended for children under 13. We do not knowingly collect personal information from children under 13 (COPPA compliance).

10. Contact

For privacy inquiries: privacy@opstools.dev

For GDPR requests, include "GDPR Request" in the subject line.
For CCPA requests, include "CCPA Request" in the subject line.
For questions, contact us at privacy@opstools.dev