Privacy Policy

Information We DO NOT Collect

TimeVault is designed for maximum privacy. We explicitly do not collect:

• Personal Information: No names, email addresses, phone numbers, or contact details
• Account Data: No user accounts, profiles, or login credentials
• Content Data: We never see your unencrypted content (it's encrypted in your browser)
• Analytics: No tracking cookies, analytics scripts, or usage monitoring
• IP Addresses: Not logged or stored beyond standard Cloudflare edge caching
• Access Logs: No records of who views vaults or when
• Payment Information: TimeVault is completely free—no payment processing

Information We DO Collect

TimeVault only stores the minimum data required to operate the service:

Vault Metadata

• Vault ID: A random 32-character identifier
• Content Type: Whether the vault contains text, an image, or a video
• Unlock Time: The scheduled time when the vault becomes accessible
• File Size: Size of the encrypted content (for storage management)
• Encryption Parameters: Salt, IV, and other non-secret encryption metadata
• Settings Flags: Whether key-based sharing or delete-after-access is enabled
• Creation Timestamp: When the vault was created (for auto-deletion)

Encrypted Content

• Encrypted Files: Your content, encrypted with AES-256-GCM
• Password Hashes: If password-protected, a SHA-256 hash (not the password itself)

How We Use Information

The limited data we collect is used solely to:

• Store and deliver your encrypted content at the scheduled unlock time
• Enforce time locks and access controls
• Automatically delete expired vaults (30 days after unlock time)
• Prevent abuse and manage storage capacity

We do not:

• Sell, rent, or share any data with third parties
• Use data for advertising or marketing
• Profile users or track behavior
• Analyze content or metadata for any purpose beyond service operation

Zero-Knowledge Encryption

TimeVault implements true zero-knowledge encryption:

How It Works

1. When you upload content, it's encrypted in your browser using AES-256-GCM
2. The encryption key is derived from random vault credentials (and password, if set)
3. Only encrypted data is transmitted to our servers
4. We store the encrypted content but have no way to decrypt it
5. When unlocked, recipients' browsers download and decrypt the content locally

Data Retention & Deletion

Automatic Deletion

All vaults are automatically and permanently deleted under these conditions:

• 30 Days After Unlock: Every vault is deleted 30 days after its unlock time
• One-Time View: If enabled, vaults are deleted immediately after first access
• Daily Cleanup: A scheduled job runs at 2 AM UTC daily to remove expired vaults

No Manual Deletion

For security reasons, vaults cannot be manually deleted before their scheduled unlock time. This prevents tampering and ensures time-lock integrity.

What Gets Deleted

When a vault is deleted, all associated data is permanently removed:

• Encrypted content files (from R2 storage)
• Metadata records (from D1 database)
• Password hashes and encryption parameters
• All traces of the vault

Cookies & Local Storage

TimeVault does not use cookies for tracking or analytics.

The service may use browser local storage for:

• Temporary storage of content during upload
• Caching vault metadata during viewing

All local storage is session-based and cleared when you close the browser tab.

Security Measures

We implement multiple security layers to protect your data:

• AES-256-GCM Encryption: Military-grade encryption for all content
• HTTPS/TLS: All connections are encrypted in transit
• PBKDF2 Key Derivation: 100,000 iterations for password-based encryption
• Server-Side Time Locks: Unlock times enforced at the API level
• Random IVs: Unique initialization vectors for each vault
• SHA-256 Password Hashing: Passwords are hashed, never stored plainly

Your Rights & Control

Data Access

Since TimeVault doesn't collect personal information or create user accounts, there's no user profile to access or download. Your vault data is accessible only via the vault link and credentials.

Data Deletion

All vaults are automatically deleted 30 days after unlock time. You can also enable "delete after first access" for immediate deletion upon viewing.

No Consent Required

Because we don't collect personal data, there's no need for GDPR-style consent forms. Simply using TimeVault does not create any personal data profile.

Children's Privacy

TimeVault does not knowingly collect any information from children under 13. The service is designed to be used without providing personal information, making it suitable for all ages. However, we recommend parental supervision for minors.

International Data Transfers

TimeVault operates on Cloudflare's global edge network, which means your encrypted data may be stored in data centers around the world. However, because all content is encrypted before upload, geographic location of storage does not affect privacy or security.

Changes to This Policy

We may update this privacy policy occasionally to reflect changes in our practices or legal requirements. The "Last Updated" date at the top will always reflect the most recent changes.

Material changes will be communicated by updating this page. Continued use of TimeVault after changes constitutes acceptance of the updated policy.

Legal Requests & Law Enforcement

If legally compelled, we may provide:

• Encrypted vault content (which we cannot decrypt)
• Vault metadata (content type, unlock time, creation date)
• Technical data required by law

We cannot provide:

• Unencrypted content (we don't have access to it)
• Passwords or vault keys (we don't store them)
• User identity information (we don't collect it)

Contact Us

If you have questions about this privacy policy or TimeVault's privacy practices, please contact us via our Contact Page.

Please note: We cannot help with lost passwords, vault key recovery, or content access issues due to the zero-knowledge encryption design.