FileVault AI — Privacy Policy
Effective Date: April 3, 2026 | Version 1.1
Contact: [email protected] | https://filevaultai.com/privacy
INTRODUCTION
FileVault AI ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. It applies to all users of the FileVault AI web app, mobile app, desktop app, API, and MCP endpoint.
We are the data controller for personal data you provide when creating an account. For file content you authorize us to index from connected storage providers, you remain the data controller and we act as a data processor on your behalf.
This policy is designed to comply with the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), Canada's PIPEDA, Australia's Privacy Act 1988, and other applicable privacy laws.
17. INFORMATION WE COLLECT
17.1 Information You Provide Directly
Account information: Name, email address, password hash (bcrypt, never plaintext), profile photo (optional).
Billing information: Billing name, address, VAT/tax ID. Payment card details are collected and stored by Stripe — we never see or store full card numbers.
Communications: Support tickets, emails, and feedback submissions.
API keys: AI provider API keys you enter, stored encrypted at rest using AES-256 and never logged or shared with third parties other than the designated AI provider on your behalf.
17.2 Information Collected Automatically
Log data: IP address, browser type, OS, referring URL, pages visited, timestamps, HTTP request/response codes.
Usage data: Features used, files indexed (count and type, not content), search query count (not content), sync events, error events, plan tier, subscription status.
Device identifiers: Device type, OS version, app version, push notification token (mobile apps). Push notification tokens (Expo push tokens) are stored encrypted in our database and used solely to deliver notifications you have opted into via Settings > Notifications. Tokens are deleted when you disable push notifications or delete your account.
Session data: Authentication tokens and session IDs stored in secure HttpOnly cookies or device secure storage.
17.3 Information from Third-Party Services
OAuth providers (Google, Microsoft, GitHub, Facebook): We receive your name, email address, and profile photo. We do not receive your password.
Storage connectors: We receive OAuth access tokens, file metadata, and file content for indexing purposes.
Payment processor (Stripe): We receive payment status, subscription state, last 4 digits of card, card brand, and billing address.
17.4 Information We Do NOT Collect
We do not collect your original file binaries, biometric data, precise geolocation data, or data from data brokers.
18. HOW WE USE YOUR INFORMATION
We process your personal data to provide the Service (contract performance), manage billing (contract performance), ensure security and fraud prevention (legitimate interest), improve the Service using aggregated anonymized data (legitimate interest), comply with legal obligations (legal obligation), and send marketing communications (consent only).
We do not use your file content for advertising, marketing profiling, or any purpose unrelated to providing the Service to you.
19. THIRD-PARTY SERVICES AND DATA SHARING
We do not sell your personal data. We share data only with:
Infrastructure: Supabase (database, auth, file storage), Fly.io (compute), Cloudflare (CDN), Upstash (Redis cache) — all bound by data processing agreements.
Payment: Stripe for payment processing.
AI Providers: Your text queries and image content are sent to the AI provider whose API key you have configured (Anthropic, OpenAI, Google, xAI, Mistral, Cohere, Deepseek). Each has its own data retention and training policies — review them before connecting your key.
Legal Disclosures: We may disclose data when required by valid court order or applicable law.
Business Transfers: In a merger or acquisition, we will notify you 30 days in advance and you may delete your account.
20. STORAGE CONNECTOR DATA
OAuth tokens for storage connectors are stored encrypted at rest. We access only files within the folders and drives you explicitly authorize. After indexing, the raw file binary is immediately discarded from our servers — we only retain extracted text, embeddings, and metadata.
21. FILE DATA AND AI PROCESSING
21.1 No Proactive Content Scanning. We do not scan or analyze your file content other than to provide search, RAG functionality, and thumbnail generation.
21.2 Human Access. FileVault AI employees do not access your file content in the ordinary course of business. Access is restricted to automated systems, engineers responding to a documented support issue you have raised (with your consent), security personnel investigating a confirmed incident, and as required by law. All access to production user data is logged and requires multi-factor authentication.
21.3 No AI Training on Your Data. We do not use your file content, queries, chat messages, AI responses, embeddings, or any user-specific data to train, fine-tune, evaluate, or improve any machine learning model.
21.4 Embeddings. Vector embeddings are mathematical representations stored in our database for semantic search. They are generated server-side using a local open-source model (MiniLM) — your file content is never sent to any third-party service for embedding generation. Embeddings are not human-readable, cannot reconstruct original text with any fidelity, and are deleted when you delete the corresponding file or your account.
21.5 MCP Endpoint Access. If you generate an MCP (Model Context Protocol) token, external AI agents (such as Claude Desktop or Cursor) can search and retrieve your indexed vault content using that token. MCP tokens grant read-only access. You control which tokens exist and can revoke them at any time via Settings > MCP Tokens. Revoked tokens are immediately invalidated.
22. DATA RETENTION AND DELETION
Account information: Duration of account + 30 days.
File metadata and extracted text: Duration of account or until you delete.
Vector embeddings: Duration of account or until you delete.
AI conversation history: Retained while your account is active, unless you disable chat history retention in Settings > Privacy. When disabled, chat sessions are deleted at the end of each session.
Usage events: 24 months (aggregated after 12 months).
Payment records: 7 years (required by financial record-keeping law).
Security logs: 12 months.
Account Deletion: When you delete your account, all personal data and file index data is scheduled for permanent deletion within 30 days. Payment records are retained for the required statutory period.
23. SECURITY
Encryption in transit: All data in transit uses TLS 1.3 at minimum. HSTS is enforced.
Encryption at rest: Database content is encrypted at rest by Supabase (AES-256). API keys are additionally encrypted with AES-256 before database storage.
Authentication: Passwords are hashed using bcrypt. We support two-factor authentication (2FA) via TOTP.
Access control: Row Level Security (RLS) policies ensure users can only access their own data at the database level.
Security incidents: In the event of a breach, we will notify you and applicable supervisory authorities within 72 hours.
Report security vulnerabilities to: [email protected].
24. INTERNATIONAL DATA TRANSFERS
FileVault AI is operated from the United States. We transfer data internationally under the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum (IDTA). Paid plan users may select their preferred data residency region.
25. YOUR RIGHTS
GDPR (EU/UK): Access, Rectification, Erasure, Restriction, Portability, Objection, and Withdraw Consent.
CCPA/CPRA (California): Know, Delete, Correct, Opt-Out of Sale (we do not sell personal information), Non-Discrimination.
Canada (PIPEDA): Access and correction rights.
Australia (Privacy Act): Access, correction, and complaint rights.
Brazil (LGPD): Rights analogous to GDPR.
To exercise your rights: Settings > Privacy > Export My Data (downloads a complete JSON export of all your data, limited to one export per 24 hours), or email [email protected]. We will respond within 30 days. Data exports include your profile, settings, file metadata, chat history, AI connection metadata (API keys are excluded for security), usage logs, and subscription history.
26. COOKIES AND TRACKING
We use strictly necessary cookies (authentication, required for the Service to function), functional cookies (user preferences), and privacy-first analytics cookies (anonymized, no cross-site tracking).
We do not use advertising cookies, Meta Pixel, Google Ads tracking, or session replay tools (no FullStory, Hotjar, etc.).
27. CHILDREN'S PRIVACY
The Service is not directed at children under 16 years of age. We do not knowingly collect personal information from children. Contact [email protected] if you believe a child has provided us with personal information.
28. CHANGES TO THIS POLICY
For material changes, we will provide at least 30 days' notice via email and in-app notification. Continued use after the effective date constitutes acceptance.
29. CONTACT
General Privacy Inquiries: [email protected]
Data Subject Rights Requests: https://filevaultai.com/privacy-request or [email protected]
Data Protection Officer (DPO): [email protected]
Security Incidents: [email protected]
Legal Notices: [email protected]
© 2026 FileVault AI. All rights reserved.