Privacy Policy
Effective: 4 May 2026. We may update this policy; material changes will be reflected here with a new effective date.
SafeKey is built as a local-first, zero-knowledge vault. This policy explains what personal data AlfaNest Labs receives when you create an account, use the web dashboard, sync ciphertext, or purchase add-ons. It does not replace professional legal advice.
Who controls your data
SafeKey is offered by AlfaNest Labs. For privacy requests relating to SafeKey, write to contact@alfanestlabs.com. Please use the subject line "SafeKey Privacy" so requests can be routed quickly.
Categories of personal data
Account identifiers: email address stored in a hashed or protected form for authentication workflows, salted password hashes, timing and correlation data for tokens and sessions.
Authenticator data: secrets and verification material required so your RFC 6238 TOTP authenticator continues to protect sign-in.
Sync metadata: ciphertext blobs uploaded from your devices, versioning and size metadata, checksums where used, paired device descriptions you register, activity timestamps strictly needed to operate backup and sync quotas.
Dead Man’s Switch data: reminder and recipient email addresses plus message content or vault unlock fragments you knowingly configure in the feature.
Billing data: plan tier, Stripe customer and payment artefact identifiers, and transactional records needed for accounting derived from Stripe webhooks.
Vault ciphertext and zero-knowledge
Your vault payloads are encrypted on your devices before they reach our servers. We process opaque ciphertext blocks only; we cannot read your plaintext secrets, passwords, seed phrases, or documents. Vault PINs or passphrases you use purely on-device stay out of AlfaNest backups. If you lose local keys or backups we cannot magically recover decrypted content.
Purposes and legal bases
We use the categories above strictly to authenticate you, transmit and store ciphertext you choose to sync, fulfil paid features, deter abuse, troubleshoot incidents, invoice you correctly, honour legal retention duties, improve reliability and security monitors, and answer support mail. Within the EU/EEA legal framework we mainly rely on performance of contract, legitimate interests balanced against rights (for fraud prevention or infrastructure telemetry), consent where Stripe or email providers require explicit agreement, or legal obligation when regulators compel narrowly scoped disclosures.
Stripe payments
Card or wallet payments route through Stripe, Inc. and its affiliates. AlfaNest Labs never stores full PAN data. Stripe retains payment information under its contracts and jurisdictions. AlfaNest Labs only keeps references needed to correlate your entitlement with Stripe events.
Email delivery partners
Password reset invites and lifecycle mail may traverse providers such as Resend. Messages travel over TLS, and only the routing metadata mandated by SMTP providers is retained unless you escalate a support conversation by email.
Retention
We keep identifiable personal data while your account stays active plus a limited cool-down window for lawful backup and fraud review. Deleted accounts trigger erasure workflows for server-side artefacts we no longer need. Statutory bookkeeping or dispute records may persist longer strictly where compelled by statute.
Security measures
Administrative access is logged, transport is HTTPS to public endpoints, and infrastructure follows least-privilege patterns. Encryption at rest relies on hardened hosting defaults. Nonetheless you must protect passwords, OTP codes, and physical devices, and guard your workstation against malware, because final responsibility for secrecy sits with credential holders.
Cookies, storage, telemetry
The SPA uses browser storage minimally for session JWT hand-off, routing locale selections, or CSRF safeguards. AlfaNest Labs does not embed behavioural ad exchanges in SafeKey surfaces. Operational logs omit vault plaintext by design.
Your rights
Depending on GDPR, UK GDPR or equivalent laws you may invoke access, rectification, erasure (with caveats tied to cryptography), portability of account metadata, objection to certain processing, instruction on automated profiling (we do none for advertising), withdrawal of consent, and escalation to supervisory authorities. Email contact@alfanestlabs.com with detail so we comply within mandated periods.
International transfers and updates
Processors may reside outside your country or the EEA. Where required we implement Standard Contractual Clauses approved by regulators or supplementary measures such as layered encryption controls. AlfaNest Labs will amend this Privacy Policy whenever product scope or statutes demand it; substantive revisions move the Effective date so you always know version history.
Specific privacy requests can be routed to contact@alfanestlabs.com. You may additionally contact your supervisory authority.