Valtou is an early-stage encrypted password management project.

At the time of this policy, Valtou is not operated by a formally registered company. The service is being developed and operated as a private software project.

We intend to develop our privacy practices with reference to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), where applicable and to the extent practicable for an early-stage service.

We collect only the minimum information necessary to operate the service.

Account data: email address, username, and password hash (Argon2id). Password hashes are stored server-side and are not designed to recover your vault or master password.

Cryptographic material: RSA public key, AES-256-GCM encrypted private key, and key IV. These are encrypted client-side before transmission.

Vault metadata: vault names, group memberships, permission levels, and access timestamps. Vault contents (passwords, notes, URLs) are encrypted client-side and stored as ciphertext.

Audit logs: limited operational events (e.g. "vault created", "login attempt"), excluding sensitive or vault content.

We do not intentionally collect master passwords, plaintext vault data, browsing history, behavioural tracking data, or advertising identifiers as part of the current service design.

Information is used to operate authentication and account access; maintain encrypted vault storage; support sharing and team functionality; provide security notifications; maintain service stability; and prevent abuse.

We do not currently sell data or use it for advertising or profiling.

Valtou is designed so that encryption occurs in the user's browser before data is transmitted.

The service is designed not to receive or store master passwords, decryption keys for vault data, or plaintext vault contents in normal operation.

In normal operation, this means we are technically unable to read vault contents even if requested.

However, because this is an early-stage system, users should understand that: security depends on correct client-side implementation; no system can guarantee absolute security under all conditions.

Encrypted data may be stored on cloud infrastructure. If we establish overseas storage or processing arrangements, we will update this policy to describe the likely countries or regions before relying on those arrangements for production use.

Security measures may include: Argon2id password hashing; AES-256-GCM encryption; TLS encryption in transit; access controls and rate limiting.

These measures are implemented on a best-effort basis appropriate for an early-stage system and may evolve over time.

You may request deletion of your account at any time.

Upon deletion request: authentication tokens are revoked; account access is disabled; user records are removed or anonymised where feasible.

Encrypted vault data may remain temporarily in backups until backup retention windows expire.

Audit logs may be retained for security and operational purposes but do not contain vault content.

At this early stage, hosting and processing locations may change as the project develops.

Before using overseas infrastructure for production personal information, we intend to update this policy with the likely countries or regions involved. Because vault data is designed to be encrypted client-side, vault contents should remain encrypted during storage or transfer.

We currently use only essential cookies for authentication and session management.

We do not currently use advertising cookies, tracking cookies, or third-party analytics cookies. If that changes, this policy should be updated before those tools are used.

Where applicable, users may request access to personal data, correction of inaccurate data, deletion of account data, or withdrawal of consent where consent is the relevant basis.

We aim to respond within a reasonable timeframe, typically within 30 days, unless the request is unusually complex or we are not legally required to provide the requested action.

Users may export vault data through the application interface.

Exports are performed client-side to avoid transmitting unencrypted vault data to servers.

If you have concerns about privacy practices, please contact us.

Please use the Contact us page and include enough detail for us to understand and respond to the issue.

We will attempt to respond and resolve issues in good faith within a reasonable timeframe.

If unresolved and applicable, you may contact relevant privacy regulators in your jurisdiction (e.g. OAIC in Australia).

We welcome responsible disclosure of security issues.

If you identify a vulnerability, please use the Contact us page.

We aim to acknowledge reports promptly and address issues where possible.

This policy may be updated as the project evolves.

Because this is an early-stage service, changes may be more frequent than in mature commercial products.

Where reasonable, users will be notified of material changes via the application.

For privacy questions, access/correction/deletion requests, complaints, or security reports, please use the Contact us page.

If we identify an eligible data breach under an applicable notifiable data breach scheme, we intend to assess and notify affected individuals and relevant regulators as required by law.

Valtou is currently an early-stage project and not a formally incorporated company. Features, security architecture, hosting arrangements, contact details, and policies may change as the system develops.