P.S. Vault P.S. Vault

Privacy Policy

Last updated: May 2026

Overview

This policy covers two things: this website (psvault.dev), and the P.S. Vault application you self-host. They are separate.

This website (psvault.dev)

psvault.dev is a static informational website. We do not run analytics, collect personal data, or use cookies.

This site is served via Cloudflare's global network. Cloudflare may log standard access data (IP address, browser type, pages visited) for network security and performance purposes, subject to Cloudflare's privacy policy. We do not receive or store this data.

The P.S. Vault application

P.S. Vault is self-hosted software. When you run P.S. Vault, you are the data controller. You operate your own server, and you are responsible for your instance and the data within it.

The P.S. Vault project (this GitHub repository) has no visibility into any self-hosted instance. We receive no telemetry, no usage data, and no personal information from any running instance.

What any given instance does with user data is governed by the operator of that instance, not by this project.

Zero-knowledge encryption

P.S. Vault is designed on a zero-knowledge model. Vault contents are encrypted on the user's device before transmission. The server stores only ciphertext — encrypted data that cannot be read without the user's key, which the server never has.

Even an operator with direct database access cannot read vault contents. This is enforced by design, not policy.

Data stored by the application

The application stores the following on the server:

  • Email address and display name
  • A hashed and peppered password (Argon2id — never the plaintext)
  • Encrypted vault contents (ciphertext only)
  • Encrypted file attachments (client-side encrypted blobs)
  • Encrypted key envelopes (never plaintext keys)
  • Beneficiary names and email addresses (added by the vault owner)
  • Audit log entries (login events, vault modifications — no content)
  • Session tokens (httpOnly cookies, short-lived)

The application never stores:

  • Your Master Encryption Key
  • Content Encryption Keys in plaintext
  • Vault entry content in plaintext
  • File contents in plaintext

Third-party services

P.S. Vault does not embed any third-party analytics, advertising, or tracking services. It has no built-in connections to any external service except those you explicitly configure (SMTP for email, S3-compatible storage if configured).

The application does not make any outbound connections on its own except for sending email via your configured SMTP provider.

Contact

Questions or security disclosures: open an issue or private security advisory on GitHub.