Privacy Policy — ZeroKVault Mobile App
This policy describes what the ZeroKVault mobile app collects, how it is used, and the choices you have. It applies to the Android (and, when released, iOS) mobile app published by ZeroKVault. The website at zerokvault.com is covered by a separate policy at https://www.zerokvault.com/legal/privacy.
We treat data minimization as a feature, not a slogan. The mobile app is intentionally narrow: it lets you check in to your account and shows you your heartbeat timer. That is all it does, and the data it collects reflects that.
What we collect
The app collects only the data needed to authenticate you and deliver push notifications.
Stored on your device only (never sent to us)
| Data | Storage | Purpose |
|---|---|---|
| Refresh token | Android Keystore (via expo-secure-store) | Keeps you signed in across app launches without re-entering your password. |
| Device identifier | Android Keystore (via expo-secure-store) | A random UUID generated locally on first launch. Lets the server distinguish your device from your other devices when issuing access tokens. |
| Access token | In-memory only — never written to disk | Sent with each request to authenticate to the API. Cleared when the app closes. |
Sent to our server
| Data | When | Purpose | Retained |
|---|---|---|---|
| Email + password | At sign-in only | Authenticate you against your existing ZeroKVault account. The password is never stored on the device. | Per server policy (see web privacy policy). |
| Device identifier (UUID) | At sign-in and on every API request | Pair the access token with this device. | Until you sign out or the device is removed. |
| Push notification token | After you grant notification permission | Wake your device when a check-in deadline is near. | Until you revoke permission, sign out, or remove the device. |
| Check-in events | When you tap “Check in now” | Reset your delivery timer on the server. | Per server policy. |
What we do not collect
- Location (the app does not request location permission)
- Contacts, calendar, photos, files, or any other device content
- Crash logs, analytics, telemetry, or product usage events
- Advertising identifiers
- Anything for marketing or profiling purposes
The app contains no third-party SDKs for analytics, advertising, attribution, A/B testing, or session replay.
Permissions we request
| Permission | Required? | What we use it for |
|---|---|---|
POST_NOTIFICATIONS | Optional | Send push reminders as you approach a check-in deadline. You can deny this permission and the app continues to work — you just won’t receive push reminders. |
| Internet | Required | Communicate with the ZeroKVault server. The app does not function offline. |
How long we keep data
- On your device: Refresh token and device identifier persist until you sign out (which deletes them) or uninstall the app (which removes them with the rest of the app’s data).
- On our server: Server-side retention follows the policy at https://www.zerokvault.com/legal/privacy. Deleting your account on the website removes all server-side data, including any device records and push tokens associated with the mobile app.
Sharing
We do not sell, rent, or share your data with third parties for marketing or analytics. The only third parties involved in operating the app are infrastructure providers strictly necessary to deliver the service:
- Expo Push Notification service (operated by Expo / 650 Industries, Inc.) — receives push tokens to deliver notifications to your device. Expo does not use these for any other purpose. https://docs.expo.dev/push-notifications/sending-notifications/
- Google Firebase Cloud Messaging (operated by Google LLC) — the underlying transport layer for Android push delivery. https://firebase.google.com/support/privacy
- Our hosting provider (server side, covered by the web privacy policy at https://www.zerokvault.com/legal/privacy).
We do not share data with anyone else.
Your choices
- Stop using push notifications: Revoke notification permission in Android settings. The app detects this on the next launch or foreground and tells the server to forget your push token.
- Sign out: Use the “Sign out” button in the settings screen. This deletes the refresh token and device identifier from your device, and revokes the device record on the server.
- Delete your account entirely: Account deletion is performed on the website at https://www.zerokvault.com/app/settings. See the dedicated account deletion policy for the full process, what gets removed, and the 30-day grace period. Deleting your account removes all server-side data, including all mobile device records.
Children
ZeroKVault is intended for adults (18+). We do not knowingly collect data from children under 13. If you believe a child has signed up, contact us at support@zerokvault.com and we will remove the account.
International transfers
Our servers are operated in the United States. If you use the app from outside the US, your data is transferred to and processed in the US.
Changes to this policy
If we make a material change to this policy, we will update the “Last updated” date at the top and, where required by law, notify you by email or in-app message. Continued use after a change constitutes acceptance of the updated policy.
Contact
Questions, requests, or complaints about this policy:
- ZeroKVault
- Email: support@zerokvault.com
- Web: https://www.zerokvault.com