TESSERA VAULT Privacy Policy
Effective Date: December 3, 2025
1. Our Core Privacy Commitment: Zero Knowledge
TESSERA VAULT is designed on a **Zero-Knowledge** architecture. This means we, the developers, cannot access or decrypt your personal passwords, security notes, or any other content stored within the app. All sensitive data remains encrypted exclusively on your devices.
We do not collect personal data for marketing purposes, nor do we sell your data to any third parties.
2. Data Storage and Encryption (End-to-End)
2.1 Local Storage and Encryption
- **Data:** All your passwords and confidential entries are stored locally on your device in an encrypted format.
- **Encryption Standard:** We use the **AES-256 GCM (Galois/Counter Mode)** algorithm, which is the industry standard for strong data encryption.
- **Encryption Key:** The symmetric key required for AES-256 decryption is stored and protected by the **Apple iCloud Keychain** (Secure Enclave). This ensures the key never leaves the Apple secure environment and is never transmitted to us.
2.2 Cloud Synchronization (CloudKit)
If you enable iCloud Synchronization:
- **Service:** Data synchronization is performed using Apple's **CloudKit Private Database** (or NSUbiquitousKeyValueStore for smaller data sets).
- **Data Stored:** Only the **AES-256 Encrypted Ciphertext** of your passwords is uploaded to CloudKit.
- **Our Access:** We have **Zero Access** to the content of your CloudKit database, as the data remains encrypted with your unique Keychain key throughout the synchronization process.
3. Third-Party Services (OneSignal)
To provide you with instant security alerts (e.g., weak password warnings, intrusion attempts), TESSERA VAULT utilizes the third-party service **OneSignal** for push notifications.
Data Shared with OneSignal:
- **Push Token:** Your device's unique identifier (APNs token) required to send notifications.
- **Device Metadata:** Device model, OS version, app version, and language preference.
- **Non-Sensitive Tags:** We send specific, non-personal **Tags** (e.g., `password_strength: weak`, `intrusion_alert: true`, `weak_password_item_id: [UUID]`). **These tags do not contain any actual passwords or identifying account data.** They are used solely to trigger the necessary security alerts and deep linking to the correct item in your vault.
Please refer to the OneSignal Privacy Policy for details on how they handle this data.
4. Information Automatically Collected
We do not use analytics tools like Google Analytics or Firebase Analytics. The only data collected automatically pertains to app functionality:
- **In-App Usage (Aggregated/Anonymous):** Basic usage data collected by Apple (e.g., app launches, crashes). This is anonymous.
- **Failed Attempts:** We locally track failed authentication attempts on your device for the Intruder Alert feature. This data is reset upon successful login and is **never shared or uploaded**.
- **App Settings:** Language preference and Dark Mode setting.
5. Contact Information
If you have any questions about this Privacy Policy or your data, please contact us at:
Email: erik.geiger1998@gmail.com