Legal

Privacy Policy

Last updated: April 15, 2026 · Effective: April 15, 2026
[email protected] · MyNestVault.com

Contents

Who We Are
What This Policy Covers
Zero-Knowledge Encryption
Information We Collect
How We Use Your Information
How We Share Your Information
Data Retention
Vault Release & Beneficiary Data
Your Rights
California Residents (CCPA)
Security
Children's Privacy
Changes to This Policy
Contact

Section 01

Who We Are

NestVault ("NestVault," "we," "us," or "our") is operated by Sutherlin Ventures LLC dba NestVault, a California limited liability company. We operate the website MyNestVault.com and all related products and services (collectively, the "Service").

Contact: [email protected] · MyNestVault.com · Anaheim, California

Section 02

What This Policy Covers

This Privacy Policy describes how we collect, use, store, and protect information when you use NestVault. It also describes your rights regarding that information. By using the Service, you agree to the practices described in this policy.

Section 03

Zero-Knowledge Encryption. What It Means

NestVault uses zero-knowledge encryption architecture for vault contents. This means:

Your vault data is encrypted on your device before it is transmitted to our servers.
The encryption key is derived from your credentials, which we never store in plaintext.
We store only encrypted ciphertext. We cannot read your vault contents.
Even if our servers were compromised, your vault contents would remain unreadable without your key.

The encryption standard used is AES-256. We do not have the ability to decrypt your vault contents and cannot provide them to third parties, government agencies, or any other entity in readable form.

Important: At vault setup we issue you a one-time recovery code, which you alone hold. You may use that recovery code to regain access if you forget your vault password. NestVault does not retain a copy of your vault password or your recovery code and cannot reset, recover, or reconstruct either on your behalf. If you lose both your vault password and your recovery code, your encrypted data will be permanently inaccessible. We are not liable for data loss resulting from lost credentials.

Section 04

Information We Collect

4.1. Information you provide directly

Account registration: name, email address, billing information
Vault contents: financial, legal, medical, and personal information you enter (stored encrypted, see Section 3)
Family Access information: names and email addresses of family members you invite to access your vault through the Family Access feature
Communications: messages you send to us via email or support channels

4.2. Information collected automatically

Log data: IP address, browser type, pages visited, timestamps
Device information: operating system, browser version
Cookies: session cookies required for authentication; no advertising or tracking cookies
Usage analytics: aggregate, anonymized data about feature usage (not personally identifiable)

4.3. Information we do NOT collect

We do not collect your encryption key or master password
We do not read the contents of your vault
We do not collect behavioral data for advertising purposes
We do not use third-party advertising networks

Section 05

How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve the Service
Process payments and manage your subscription
Send transactional emails (account confirmation, payment receipts, annual review reminders)
Respond to support requests
Support the beneficiary release system when it becomes available (see Section 8)
Comply with legal obligations

We do not use your information for advertising, and we do not sell your information to third parties. Ever.

Section 06

How We Share Your Information

We share information only in the following limited circumstances:

Service providers

We use third-party vendors to operate the Service, including:

Stripe, Inc. for payment processing (subject to Stripe's privacy policy)
Supabase, Inc. for encrypted database and file storage (vault contents and uploaded documents are encrypted in your browser before being transmitted to Supabase; Supabase stores only ciphertext)
Cloudflare, Inc. for website hosting and edge compute
Beehiiv for email communications

These vendors are contractually prohibited from using your information for any purpose other than providing services to us.

Legal requirements

We may disclose information if required by law, court order, or governmental authority. Because we cannot decrypt vault contents, we cannot provide them in readable form regardless of legal demand.

Business transfers

In the event of a merger, acquisition, or sale of assets, user data would be transferred to the successor entity. We will notify users before this occurs.

We do not sell, rent, or share your personal information with third parties for their own marketing or commercial purposes.

Section 07

Data Retention

Active accounts: We retain your data for as long as your account remains active.
After cancellation: Your encrypted vault data is permanently deleted within 90 days of account cancellation or non-renewal. We will send a reminder before deletion occurs.
Billing records: Payment records are retained for 7 years as required by law.
Logs: Server logs are retained for 90 days and then automatically purged.

Section 08

Beneficiary Release & Vault Access

A verified beneficiary release system is in development and is not yet available. We are designing a process by which a designated beneficiary would be able to request vault access upon verified death. This section will be updated to describe the full data handling process, including what information beneficiaries must provide, how it is verified, how long it is retained, and how it is deleted, once the system launches.

Current vault access is a living-access feature only. The Family Access feature allows the primary vault holder to invite designated family members to view specific vault categories during the holder's lifetime, under the holder's control. This is not a posthumous release mechanism.

Because NestVault uses zero-knowledge encryption, we do not hold the key that decrypts vault contents. We cannot grant vault access on behalf of a beneficiary or anyone else, regardless of documentation presented, until a purpose-built system exists that addresses this architectural constraint.

We will notify all current subscribers by email before the beneficiary release system launches, along with the updated privacy terms that will govern it. Until then, subscribers are responsible for sharing vault access instructions directly with anyone they wish to inherit access, through an attorney, estate plan, or other arrangement of their choosing.

Section 09

Your Rights (All Users)

You have the right to:

Access: Request a copy of the personal information we hold about you (excluding encrypted vault contents, which we cannot read).
Correction: Request that we correct inaccurate personal information.
Deletion: Request deletion of your account and all associated data within 30 days of a verified deletion request. Billing records may be retained as required by law.
Portability: Request an export of your personal data in a machine-readable format.
Opt-out of communications: Unsubscribe from marketing emails at any time using the link in any email.

To exercise these rights, contact: [email protected]

Section 10

California Residents. CCPA Rights

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know: You have the right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale: We do not sell personal information. There is nothing to opt out of.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Right to Limit Use of Sensitive Personal Information: The contents of your vault constitute sensitive personal information under CCPA. This information is encrypted and we do not use it for any purpose other than providing the Service to you.

To submit a CCPA rights request: [email protected]. We will respond within 45 days.

Section 11

Security

We implement industry-standard security measures including:

AES-256 zero-knowledge encryption for vault contents
TLS/HTTPS encryption for all data in transit
Access controls limiting staff access to vault data (we cannot access vault contents)
Annual security reviews
Incident response procedures

No system is 100% secure. If we become aware of a security breach affecting your personal information, we will notify you as required by applicable law.

Section 12

Children's Privacy

NestVault is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, contact [email protected] and we will delete it promptly.

Section 13

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

Section 14

Contact

Questions about this Privacy Policy?

Sutherlin Ventures LLC dba NestVault

[email protected]

MyNestVault.com

Anaheim, California