Privacy Policy
1. Overview
SafeKey is a local-first encrypted vault application. Your master secret and vault contents are encrypted on your device before leaving it. AlfaNest Labs never receives your passphrase or the contents of your vault in plaintext.
2. Data we collect
2.1 Account data (web app and sync)
When you create an account on sfk.alfanestlabs.com we collect:
- Email address — used for authentication and transactional emails.
- Hashed password — stored using a strong one-way hash (Argon2id). We never store your plaintext password.
- Account metadata — account creation date, last login timestamp, subscription status.
2.2 Encrypted vault blobs (Pro sync)
When you enable encrypted sync (SafeKey Pro), your device uploads an opaque encrypted blob. This blob is encrypted with your key before it leaves your device. We store the ciphertext only — we have no ability to read your vault contents.
2.3 Android app (local-only use)
When you use the Android app without an account or sync, no personal data is transmitted to our servers. All vault data remains on your device.
2.4 Payment data
Payments are processed by Stripe, Inc. We do not store card numbers or full payment details. Stripe provides us with a transaction ID, amount, and subscription status. Stripe's privacy policy: stripe.com/privacy.
2.5 Usage and technical data
Our servers automatically log standard HTTP request data: IP address, browser user agent, requested URL, and response status. Logs are retained for up to 30 days for security and debugging purposes.
3. How we use your data
- To authenticate you and manage your account.
- To store and return your encrypted vault blob (Pro sync only).
- To process payments via Stripe.
- To send transactional emails (password reset, subscription receipts).
- To detect and prevent abuse.
We do not sell your data. We do not use your data for advertising.
4. Data sharing
We share data only with the following processors:
- Stripe — payment processing.
- Resend — transactional email delivery.
- Ionos / Hostinger — server infrastructure (EU and US regions).
All processors are bound by data processing agreements. We do not share data with third parties for marketing or analytics.
5. Data retention
- Account data is retained until you delete your account.
- Encrypted vault blobs are deleted when you delete your account or disable sync.
- HTTP logs are retained for up to 30 days.
- Payment records are retained for 7 years as required by French accounting law.
6. Your rights (GDPR)
If you are in the European Economic Area, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your account and associated data.
- Object to or restrict processing.
- Data portability.
- Lodge a complaint with a supervisory authority.
To exercise any of these rights, email privacy@alfanestlabs.com.
7. Security
We use HTTPS for all data in transit. Vault blobs are encrypted end-to-end. Passwords are hashed with Argon2id. We apply principle of least privilege across our infrastructure.
8. Children
SafeKey is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently done so, contact us and we will delete it promptly.
9. Changes to this policy
We may update this policy. Material changes will be communicated by email or via a notice on the app. Continued use after changes constitutes acceptance.
10. Contact
AlfaNest Labs — EI, France
SIREN: 103 036 695
Email: privacy@alfanestlabs.com