Privacy Policy

Last updated: March 2, 2026

Vault Approver ("the App") is a companion mobile application for self-hosted Vaultwarden/Bitwarden servers. This policy describes how the App handles your data.

1. Data We Collect

The App stores the following data locally on your device only:

• Vaultwarden server URL
• Account email address
• Encrypted authentication tokens (access token, refresh token)
• Encrypted user key (protected by device biometrics)
• Unique device identifier (randomly generated UUID)
• User preferences (theme, language, lock timeout, refresh interval)
• Request approval/denial history

2. Data We Do NOT Collect

• Master password — entered once during setup, used to derive encryption keys, and immediately discarded. It is never stored.
• Vault contents — the App cannot access, read, or display any passwords, notes, or other vault items.
• Analytics or telemetry — no usage data, crash reports, or behavioral analytics are collected.
• Location data
• Contacts, photos, or any other personal data

3. How Data Is Stored

All sensitive data is stored in the device's secure storage:

• iOS: Apple Keychain with biometric access control
• Android: Android Keystore with encrypted shared preferences

Encryption keys are protected by your device's biometric authentication (Face ID, Touch ID, or Fingerprint). Without biometric verification, the keys cannot be accessed.

4. Network Communication

The App communicates exclusively with the Vaultwarden server URL you provide during setup. All communication uses HTTPS encryption. The App connects to:

• /identity/accounts/prelogin — to retrieve key derivation parameters
• /identity/connect/token — to authenticate and refresh tokens
• /api/auth-requests — to fetch and respond to login requests
• /notifications/hub — WebSocket for real-time notifications

No data is sent to any third-party service, advertising network, or analytics provider.

5. Third-Party Services

The App does not integrate any third-party SDKs, analytics tools, advertising frameworks, or tracking services. There are no external dependencies that transmit data outside your device and your Vaultwarden server.

6. Data Sharing

We do not sell, share, or transfer your data to any third party. Your data stays between your device and your self-hosted server.

7. Data Retention and Deletion

All data is stored locally on your device. You can delete all stored data at any time by:

• Using the Logout button in Settings — this erases all encryption keys, tokens, and session data
• Uninstalling the App — this removes all App data from the device

Request history older than 30 days is automatically cleaned up.

8. Children's Privacy

The App is not directed at children under 13. We do not knowingly collect any personal information from children.

9. Security

The App implements the following security measures:

• End-to-end encryption using RSA-2048-OAEP for key exchange
• AES-256-CBC with HMAC-SHA256 for symmetric encryption
• Argon2id or PBKDF2-SHA256 for key derivation
• Biometric authentication required for every unlock
• All cryptographic operations performed locally on device

10. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be reflected on this page with an updated date.

11. Contact

If you have questions about this Privacy Policy, please contact us at:

gravatar.com/ilia