Section 01
Who We Are
NestVault ("NestVault," "we," "us," or "our") is operated by Sutherlin Ventures LLC dba NestVault, a California limited liability company. We operate the website MyNestVault.com and all related products and services (collectively, the "Service").
Contact: [email protected] · MyNestVault.com · Anaheim, California
Section 02
What This Policy Covers
This Privacy Policy describes how we collect, use, store, and protect information when you use NestVault. It also describes your rights regarding that information. By using the Service, you agree to the practices described in this policy.
Section 03
Zero-Knowledge Encryption. What It Means
NestVault uses zero-knowledge encryption architecture for vault contents. This means:
- Your vault data is encrypted on your device before it is transmitted to our servers.
- The encryption key is derived from your credentials, which we never store in plaintext.
- We store only encrypted ciphertext. We cannot read your vault contents.
- Even if our servers were compromised, your vault contents would remain unreadable without your key.
The encryption standard used is AES-256. We do not have the ability to decrypt your vault contents and cannot provide them to third parties, government agencies, or any other entity in readable form.
Important: At vault setup we issue you a one-time recovery code, which you alone hold. You may use that recovery code to regain access if you forget your vault password. NestVault does not retain a copy of your vault password or your recovery code and cannot reset, recover, or reconstruct either on your behalf. If you lose both your vault password and your recovery code, your encrypted data will be permanently inaccessible. We are not liable for data loss resulting from lost credentials.
Section 04
Information We Collect
4.1. Information you provide directly
- Account registration: name, email address, billing information
- Vault contents: financial, legal, medical, and personal information you enter (stored encrypted, see Section 3)
- Family Access information: names and email addresses of family members you invite to access your vault through the Family Access feature
- Communications: messages you send to us via email or support channels
4.2. Information collected automatically
- Log data: IP address, browser type, pages visited, timestamps
- Device information: operating system, browser version
- Cookies: session cookies required for authentication; no advertising or tracking cookies
- Usage analytics: aggregate, anonymized data about feature usage (not personally identifiable)
4.3. Information we do NOT collect
- We do not collect your encryption key or master password
- We do not read the contents of your vault
- We do not collect behavioral data for advertising purposes
- We do not use third-party advertising networks
Section 05
How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process payments and manage your subscription
- Send transactional emails (account confirmation, payment receipts, annual review reminders)
- Respond to support requests
- Support the beneficiary release system when it becomes available (see Section 8)
- Comply with legal obligations
We do not use your information for advertising, and we do not sell your information to third parties. Ever.
Section 06
How We Share Your Information
We share information only in the following limited circumstances:
Service providers
We use third-party vendors to operate the Service, including:
- Stripe, Inc. for payment processing (subject to Stripe's privacy policy)
- Supabase, Inc. for encrypted database and file storage (vault contents and uploaded documents are encrypted in your browser before being transmitted to Supabase; Supabase stores only ciphertext)
- Cloudflare, Inc. for website hosting and edge compute
- Beehiiv for email communications
These vendors are contractually prohibited from using your information for any purpose other than providing services to us.
Legal requirements
We may disclose information if required by law, court order, or governmental authority. Because we cannot decrypt vault contents, we cannot provide them in readable form regardless of legal demand.
Business transfers
In the event of a merger, acquisition, or sale of assets, user data would be transferred to the successor entity. We will notify users before this occurs.
We do not sell, rent, or share your personal information with third parties for their own marketing or commercial purposes.
Section 07
Data Retention
- Active accounts: We retain your data for as long as your account remains active.
- After cancellation: Your encrypted vault data is permanently deleted within 90 days of account cancellation or non-renewal. We will send a reminder before deletion occurs.
- Billing records: Payment records are retained for 7 years as required by law.
- Logs: Server logs are retained for 90 days and then automatically purged.
Section 08
Household Access & Vault Sharing
NestVault lets a vault holder share access with household members during their lifetime, through the Family Access feature. Each household member has their own NestVault account and their own encrypted copy of the vault key, created by the vault holder at the time the member is added. A household member can access the shared vault at any time using their own credentials, and the vault holder can revoke a member's future access at any time.
Because NestVault uses zero-knowledge encryption, we do not hold the key that decrypts vault contents and cannot read them ourselves. We cannot unlock a vault for anyone — including a household member, or a family member of a deceased vault holder. Access is available only to household members the vault holder added in advance, or to a person the vault holder has separately entrusted with the vault password or recovery code.
NestVault does not operate an automated or posthumous vault-release process. We do not collect death certificates, government identification, or similar documentation, and we do not decrypt or hand over vault contents on any trigger. Any access to a vault after the holder's death depends entirely on the arrangements the holder made while alive.
Section 09
Your Rights (All Users)
You have the right to:
- Access: Request a copy of the personal information we hold about you (excluding encrypted vault contents, which we cannot read).
- Correction: Request that we correct inaccurate personal information.
- Deletion: Request deletion of your account and all associated data within 30 days of a verified deletion request. Billing records may be retained as required by law.
- Portability: Request an export of your personal data in a machine-readable format.
- Opt-out of communications: Unsubscribe from marketing emails at any time using the link in any email.
To exercise these rights, contact: [email protected]
Section 10
California Residents. CCPA Rights
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You have the right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Limit Use of Sensitive Personal Information: The contents of your vault constitute sensitive personal information under CCPA. This information is encrypted and we do not use it for any purpose other than providing the Service to you.
To submit a CCPA rights request: [email protected]. We will respond within 45 days.
Section 11
Security
We implement industry-standard security measures including:
- AES-256 zero-knowledge encryption for vault contents
- TLS/HTTPS encryption for all data in transit
- Access controls limiting staff access to vault data (we cannot access vault contents)
- Annual security reviews
- Incident response procedures
No system is 100% secure. If we become aware of a security breach affecting your personal information, we will notify you as required by applicable law.
Section 12
Children's Privacy
NestVault is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, contact [email protected] and we will delete it promptly.
Section 13
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
Section 14
Contact
Questions about this Privacy Policy?