Privacy Policy

1. Introduction

Nedati Technologies Private Limited (“we,” “our,” or “us”) operates the Extreme Vault service (“the Service”), a zero-knowledge secrets management platform. This Privacy Policy explains how we collect, use, and safeguard your information.

Extreme Vault is designed with a zero-knowledge architecture. This means your secrets are encrypted on your device before they are transmitted to our servers. We never have access to your plaintext secrets, encryption keys, or passkey-derived material.

2. Zero-Knowledge Commitment

The core promise of Extreme Vault is that we cannot access your secrets. Specifically:

• All secrets are encrypted client-side using keys derived from your passkey or device credentials before leaving your browser or CLI.
• Our servers store only encrypted ciphertext. We do not hold decryption keys.
• We cannot decrypt, read, or reconstruct your secrets under any circumstances, including in response to legal requests. We can only provide the encrypted data we store.
• Audit log metadata (timestamps, user identifiers, operation types) is stored in plaintext to enable tamper-evident verification, but the content of secrets is never included.

3. Information We Collect

Account Information

When you create an account, we collect:

• Email address
• Organization name
• Billing information (processed by our payment provider)
• Passkey credential identifiers (public key material only, never private keys)

Usage Information

We collect minimal usage data to operate and improve the Service:

• IP address (for rate limiting and abuse prevention)
• Timestamps of API requests
• Aggregate feature usage counts (e.g., number of vaults created, not their contents)

4. How We Use Your Information

We use collected information solely to:

• Provide, maintain, and improve the Service
• Process billing and payments
• Send essential service communications (security alerts, billing notices)
• Prevent abuse and enforce our terms
• Comply with legal obligations

5. Data We Never Collect

Due to our zero-knowledge architecture, we never collect or have access to:

• Your plaintext secrets or environment variables
• Your encryption keys or passkey private material
• The names or labels of your secrets (these are encrypted)
• The contents of your vaults

6. Data Sharing

We do not sell, rent, or trade your personal information. We may share limited information with:

• Payment processors: Billing information necessary to process your subscription.
• Legal authorities: When required by law. Note that due to our zero-knowledge design, we can only provide encrypted data and account metadata, never plaintext secrets.

7. Data Security

Beyond our zero-knowledge encryption, we implement industry-standard security measures including encryption in transit (TLS), access controls, regular security audits, and incident response procedures. Our infrastructure is designed so that a server breach would not expose your plaintext secrets.

8. Data Retention

We retain your account information for the duration of your subscription. Upon account deletion, we delete your encrypted vault data and account information within 30 days. Audit log entries may be retained for up to 90 days after account deletion for integrity verification purposes.

9. Your Rights

You have the right to:

• Access your account information
• Correct inaccurate account data
• Delete your account and all associated data
• Export your encrypted vault data
• Object to processing of your personal information

To exercise these rights, contact us at contact@nedati.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

11. Contact

For questions about this Privacy Policy or our data practices, contact: