Privacy Policy
Last updated: February 13, 2026
Secure Storage ("we", "us", "our") is developed and operated by Souvik Biswas, an independent developer based in Kolkata, India. This Privacy Policy explains how we handle information in connection with the Secure Storage mobile application ("the app") and our website at securestorage.app ("the website").
1. Data Controller
The data controller for information collected through our website is:
Souvik Biswas
Kolkata, West Bengal, India
support@securestorage.app
For data you store within the app, you are the sole data controller. We never access, process, or store your app data.
2. Information We Collect
Within the App: None
Secure Storage does not collect, transmit, or store any personal data on external servers. All data you enter — credit card details, passwords, and documents — is encrypted and stored exclusively on your device. We have zero access to your data.
We do not use analytics, crash reporting, telemetry, advertising SDKs, or any third-party services that collect user data. The app does not use any Apple required-reason APIs for tracking or fingerprinting purposes.
This is consistent with our App Store Privacy Nutrition Label declaration of "Data Not Collected."
On the Website: Email Address Only
If you voluntarily submit your email address through our website's waitlist form, we collect your email address for the sole purpose of notifying you when the app launches. This collection is processed by Formspree, Inc. (our data processor, based in the United States).
3. Legal Basis for Processing (GDPR)
For users in the European Union, European Economic Area, or the United Kingdom, we process your email address based on your consent (Article 6(1)(a) of the GDPR), which you provide by voluntarily submitting the waitlist form. You may withdraw your consent at any time by contacting us at support@securestorage.app.
4. How Your App Data Is Stored
All sensitive data within the app is encrypted on-device using:
- AES-256 encryption — for all stored fields including card numbers, cardholder names, passwords, credentials, and document files
- Argon2id key derivation — derives your encryption key from your master password using 64 MB of memory and 3 iterations, a configuration resistant to GPU and ASIC brute-force attacks
- iOS Keychain — for secure storage of your derived encryption key within the device's Secure Enclave
Your data never leaves your device. There are no cloud backups, no server sync, no remote access, and no telemetry of any kind.
5. Biometric Authentication
Secure Storage offers optional Face ID and Touch ID authentication as a convenience feature. This functionality is powered entirely by Apple's iOS operating system through the LocalAuthentication framework and Secure Enclave hardware.
Secure Storage does NOT:
- Access, collect, capture, or enroll your biometric identifiers
- Store or process facial geometry, fingerprint data, or any biometric template
- Transmit biometric data to any server, third party, or external system
- Use biometric data for any commercial purpose
The app receives only a binary authentication result (success or failure) from iOS. Your biometric data is processed and stored exclusively by Apple within the device's Secure Enclave and is never accessible to Secure Storage.
You may enable or disable biometric authentication at any time within the app's settings. For details on how Apple handles Face ID and Touch ID data, see Apple's privacy documentation.
6. Third-Party Services
The app uses no third-party services whatsoever.
Our website uses Formspree, Inc. to process waitlist email submissions. Formspree acts as a data processor on our behalf. Formspree's privacy policy is available at formspree.io/legal/privacy-policy.
If you are located in the EU/EEA/UK, please note that email data submitted through the waitlist form is transferred to Formspree's servers in the United States. Formspree relies on Standard Contractual Clauses (SCCs) as the legal mechanism for this international data transfer.
7. Data Retention
App data: Stored locally on your device for as long as you choose to keep it. We have no access to it and cannot delete it remotely.
Website email addresses: Retained until the app launches and notification emails are sent, or until you request deletion, whichever comes first. After the launch notification is sent, email addresses will be deleted within 30 days.
8. Your Rights
All Users
You have full control over your app data at all times. You can:
- Delete individual items (cards, passwords, documents) within the app
- Use the "Reset All Data" option in Settings to erase all app data
- Uninstall the app to remove all associated data from your device
EU/EEA/UK Users (GDPR Rights)
If you submitted your email through our website waitlist and are located in the EU, EEA, or UK, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request restricted processing of your data
- Data portability — receive your data in a structured, commonly used format
- Objection — object to processing of your data
- Withdraw consent — withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
To exercise any of these rights, contact us at support@securestorage.app. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority.
California Users (CCPA/CPRA)
We do not sell or share your personal information as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Since the app operates entirely offline and we have no access to your app data, there is no personal information to sell or share.
9. Data Security
We implement industry-standard encryption (AES-256 with Argon2id key derivation) to protect data stored within the app. However, no security system is absolute. You are responsible for maintaining the security of your device and master password.
In the unlikely event that we discover a security vulnerability in the app, we will promptly disclose it through our website and app update notes, along with remediation steps.
10. Children's Privacy
Secure Storage is not directed at children under 17. We do not knowingly collect any information from children. The app's content is rated 17+ on the App Store due to the nature of sensitive financial and credential data it handles.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Material changes will also be communicated through the app (via update notes) where feasible. Continued use of the app or website after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
Souvik Biswas
Email: support@securestorage.app