Trust Protocol
Legally Binding Document

Privacy Policy.

We adhere to a strict Zero-Knowledge architecture. Your data never leaves your device.

Effective Date: November 1, 2025
Last Updated: March 1, 2026

Privacy Manifesto

At WaVault, privacy isn't a feature. It's our foundation. We don't store your contacts, we don't see your messages, and we don't track your identity. Everything stays in your browser.

1. Introduction and Scope

WaVault ("The Extension") is a professional browser utility designed to help users structure and organize their locally available communication data. This policy defines the mathematical and technical boundaries that protect your information.

1.1 The "Processing" Disclaimer (GDPR Applicability)

WaVault operates entirely client-side. We possess no technical means, cryptographic keys, or backend infrastructure to access, decrypt, or transmit your local vault. Therefore, WaVault is strictly a software provider and is neither a Data Controller nor a Data Processor of your extracted contacts under the EU General Data Protection Regulation (GDPR).

2. Zero-Knowledge Architecture

Unlike traditional cloud-based software that uploads "blobs" of user data to a central server, WaVault operates entirely within your browser's Local Runtime Environment.

  • Memory-Only Extraction: Data derived from the WhatsApp Web interface is processed in high-speed runtime memory (RAM) using a compiled Rust WebAssembly worker.
  • Persistent Local Memory: Our features, such as "Ghost Member Tracking" and contact history retention, are performed by writing encrypted states directly to your device's hard drive. Your contacts and message data stay in the locally encrypted chrome.storage.local area. We have no backend API that periodically "phones home" with your contact lists.
  • WASM Sandbox: All logic is executed in a WebAssembly sandbox, heavily restricted from making unauthorized network requests.

3. Data Collection Summary

We believe in radical transparency. Here is exactly what we collect, why we collect it, and where it lives.

| Data Point | Purpose | Storage |
|---|---|---|
| WhatsApp Number | To bind your license key to your specific user identity and prevent piracy. | Internal Server (Supabase) & Creem |
| Email Address | To send purchase receipts, license keys, and essential service updates. | Internal Server (Supabase) & Creem |
| Transaction ID | To verify payment status and handle refund requests. | Internal Server (Supabase) & Creem |
| Usage & Telemetry | Anonymous usage statistics, technical telemetry (e.g., country, timestamp), and crash logs to ensure product stability and prevent fraud. Mandatory for all users. | Google Analytics 4 / Supabase |
| Purchase History | We aggregate purchase history with application usage data to analyze feature performance and improve our services. | Internal Server (Supabase) & Creem |

3.1 What We DO NOT Collect

Your Contacts

We never upload your leads. They stay on your disk.

Message Content

We cannot see what you send or receive.

4. Chrome API Permissions

  • storage: Saves leads to your local disk securely.
  • sidePanel: Renders the UI next to WA Web.
  • offscreen: Runs the Rust WebAssembly extraction engine.
  • host_permissions: Access to web.whatsapp.com only.

5. Trusted Subprocessors

We use a minimal stack to deliver the service. We do not sell data.

Critical Note: None of the subprocessors listed below have any technical access to your local vault, contacts, or message data.

| Partner | Role | Jurisdiction |
|---|---|---|
| Creem (creem.io) | Payments & Merchant of Record | Global (PCI Compliant) |
| Supabase | Internal Licensing & User Activation Database | USA (AWS) |
| Google Analytics | Anonymous Usage Data | USA |

6. Global Compliance (GDPR/CCPA) & Lawful Basis

WaVault is designed with "Privacy by Design" from day zero. Because the software operates entirely on your local machine, the extension itself acts solely as a utility.

6.1 User as Primary Data Controller & Liability Holder

Under any applicable global privacy framework or "Law of the Land" (e.g., GDPR, CCPA, DPDP), you (the User) act as the sole Data Controller and/or equivalent responsible entity for the contacts and personal data you extract, track, or retain utilizing WaVault. WaVault provides processing capabilities simply as a neutral tool. You must ensure you possess a lawful basis, explicit consent, or a legitimate business interest to extract and communicate with individuals from third-party platforms according to the laws governing your specific jurisdiction.

For your own local data, you have absolute control:

  • Right to Erasure: Because the tracking data is strictly local, you can exercise this right at any time by simply uninstalling the extension or clearing your browser cache. This permanently purges your vault.
  • Data Portability: You can export your data to CSV format at any time using the built-in "Export" functions.

6.2 Lawful Basis for Telemetry (GDPR Art. 6(1)(f))

We process personal data (specifically technical telemetry and license verification signals) based on our Legitimate Interest in:

  • Fraud Prevention: Verifying license validity and preventing unauthorized account sharing.
  • Product Stability: Collecting anonymous usage statistics to identify bugs and improve application performance.
  • Security: Ensuring the integrity of our services and protecting users from malicious activity.

We have conducted a balancing test to ensure these interests do not override your fundamental rights and freedoms.

7. Technical Security Standard

We protect your local vault using the same standards used by top-tier financial institutions. All data stored in the browser's local storage is protected by AES-256 encryption at rest, utilizing the operating system's native secure keychain provided by the browser.

If you have any questions regarding these technical safeguards, please reach out to our engineering team.

Security Protocol & Assistance

For technical inquiries or data protection concerns, our security team is available at support@houseof2.studio.

© 2026 WaVault Systems Inc.
REF: SEC_DOC_102