Section 01
Who We Are
NestVault ("NestVault," "we," "us," or "our") is operated by NestVault LLC, a California limited liability company. We operate the website MyNestVault.com and all related products and services (collectively, the "Service").
Contact: [email protected] · MyNestVault.com · Anaheim, California
Section 02
What This Policy Covers
This Privacy Policy describes how we collect, use, store, and protect information when you use NestVault. It also describes your rights regarding that information. By using the Service, you agree to the practices described in this policy.
Section 03
Zero-Knowledge Encryption — What It Means
NestVault uses a zero-knowledge encryption architecture for vault contents. This means:
- Your vault data is encrypted on your device before it is transmitted to our servers.
- The encryption key is derived from your credentials, which we never store in plaintext.
- We store only encrypted ciphertext. We cannot read your vault contents.
- Even if our servers were compromised, your vault contents would remain unreadable without your key.
The encryption standard used is AES-256. We do not have the ability to decrypt your vault contents and cannot provide them to third parties, government agencies, or any other entity in readable form.
Important: If you lose your master credentials and we do not have a recovery mechanism configured, your data may be permanently inaccessible. We are not liable for data loss resulting from lost credentials.
Section 04
Information We Collect
4.1 — Information you provide directly
- Account registration: name, email address, billing information
- Vault contents: financial, legal, medical, and personal information you enter (stored encrypted — see Section 3)
- Beneficiary information: names, email addresses, and phone numbers of designated beneficiaries
- Communications: messages you send to us via email or support channels
4.2 — Information collected automatically
- Log data: IP address, browser type, pages visited, timestamps
- Device information: operating system, browser version
- Cookies: session cookies required for authentication; no advertising or tracking cookies
- Usage analytics: aggregate, anonymized data about feature usage (not personally identifiable)
4.3 — Information we do NOT collect
- We do not collect your encryption key or master password
- We do not read the contents of your vault
- We do not collect behavioral data for advertising purposes
- We do not use third-party advertising networks
Section 05
How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process payments and manage your subscription
- Send transactional emails (account confirmation, payment receipts, annual review reminders)
- Respond to support requests
- Verify beneficiary identity and process vault release requests (see Section 8)
- Comply with legal obligations
We do not use your information for advertising, and we do not sell your information to third parties. Ever.
Section 06
How We Share Your Information
We share information only in the following limited circumstances:
Service providers
We use third-party vendors to operate the Service, including:
- Stripe, Inc. for payment processing (subject to Stripe's privacy policy)
- Tresorit for encrypted file storage
- Beehiiv for email communications
These vendors are contractually prohibited from using your information for any purpose other than providing services to us.
Legal requirements
We may disclose information if required by law, court order, or governmental authority. Because we cannot decrypt vault contents, we cannot provide them in readable form regardless of legal demand.
Business transfers
In the event of a merger, acquisition, or sale of assets, user data would be transferred to the successor entity. We will notify users before this occurs.
We do not sell, rent, or share your personal information with third parties for their own marketing or commercial purposes.
Section 07
Data Retention
- Active accounts: We retain your data for as long as your account remains active.
- After cancellation: Your encrypted vault data is permanently deleted within 90 days of account cancellation or non-renewal. We will send a reminder before deletion occurs.
- Billing records: Payment records are retained for 7 years as required by law.
- Logs: Server logs are retained for 90 days and then automatically purged.
Section 08
Vault Release Procedure & Beneficiary Data
When a beneficiary submits a release request, they must provide a government-issued death certificate and their own government-issued photo ID.
Upon successful verification, we generate a secure, read-only link to the vault contents. This link:
- Expires after 30 days
- Is read-only (cannot be modified)
- Is transmitted via encrypted email to the verified beneficiary
Beneficiary identity documents submitted for verification are reviewed by NestVault staff manually, retained for 90 days after the release process is complete, then permanently deleted. We do not share beneficiary identity documents with any third party except as required by law.
Section 09
Your Rights (All Users)
You have the right to:
- Access: Request a copy of the personal information we hold about you (excluding encrypted vault contents, which we cannot read).
- Correction: Request that we correct inaccurate personal information.
- Deletion: Request deletion of your account and all associated data within 30 days of a verified deletion request. Billing records may be retained as required by law.
- Portability: Request an export of your personal data in a machine-readable format.
- Opt-out of communications: Unsubscribe from marketing emails at any time using the link in any email.
To exercise these rights, contact: [email protected]
Section 10
California Residents — CCPA Rights
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You have the right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Limit Use of Sensitive Personal Information: The contents of your vault constitute sensitive personal information under CCPA. This information is encrypted and we do not use it for any purpose other than providing the Service to you.
To submit a CCPA rights request: [email protected] — We will respond within 45 days.
Section 11
Security
We implement industry-standard security measures including:
- AES-256 zero-knowledge encryption for vault contents
- TLS/HTTPS encryption for all data in transit
- Access controls limiting staff access to vault data (we cannot access vault contents)
- Annual security reviews
- Incident response procedures
No system is 100% secure. If we become aware of a security breach affecting your personal information, we will notify you as required by applicable law.
Section 12
Children's Privacy
NestVault is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, contact [email protected] and we will delete it promptly.
Section 13
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
Section 14
Contact
Questions about this Privacy Policy?