← Cryptiqo

Privacy Policy

Last updated: 2026-05-31

This Privacy Policy explains how Cryptiqo handles information in relation to the cryptiqo.eu website and the CardVault application. The short version: your data stays on your device, encrypted, and we cannot read it.

1. The website (cryptiqo.eu)

This website is a static informational site. It does not use analytics, advertising networks, tracking scripts, fingerprinting or behavioural analytics, and it sets no advertising or analytics cookies. The only browser storage used is a single strictly-necessary localStorage entry that remembers your light/dark theme preference. See the Cookie Policy for details.

If you email us using the address provided, we receive only the information you choose to include in your message, and we use it solely to respond to you.

2. The CardVault application

Who controls your data

You do. CardVault has no backend servers, no user accounts and no operator who can access your content. The developer and application provider cannot decrypt or read your cards.

What data CardVault processes

  • Card metadata you enter or that on-device OCR extracts (names, companies, emails, phone numbers, websites, addresses, notes, loyalty/membership numbers).
  • Card images you capture or import.
  • Barcode/QR values you scan or generate.

All of the above are stored only on your device, encrypted with keys derived from your passphrase.

What CardVault does not do

  • No cloud OCR or cloud AI. Text recognition and barcode decoding run entirely on your device.
  • No telemetry. No usage statistics are collected.
  • No analytics SDKs and no advertising SDKs are bundled.
  • No user tracking or profiling.
  • No selling or sharing of data. There is nothing to sell — we never receive your data.

Network usage

CardVault works fully offline. The only time it accesses the network is when you explicitly enable a cloud backup to Google Drive, OneDrive or WebDAV/Nextcloud. In that case your backup is encrypted on your device first (AES-256-GCM) and only the ciphertext is uploaded; the provider receives an opaque encrypted file it cannot read. Authentication uses the provider’s standard OAuth flow, and tokens are stored on your device. You can use CardVault indefinitely without ever enabling cloud backup.

Encryption and security

  • Card data is held in an encrypted SQLCipher database; images and backups use AES-256-GCM.
  • Encryption keys are derived from your passphrase using Argon2id (PBKDF2-HMAC-SHA256 fallback) and are never stored in plaintext. The database key is wrapped by the hardware-backed Android Keystore.
  • A one-time recovery passphrase is generated during setup so you can regain access if you forget your passphrase.

Permissions

  • Camera — only to capture card images, when you choose to scan a card.
  • Network — only used for cloud backup if you enable it.

Data retention and deletion

Your data lives on your device until you delete it. Deleting a card removes its record and associated images. Uninstalling the app removes all local CardVault data. Cloud backups you created remain in your own cloud account until you delete them there.

Children’s privacy

CardVault is a general-purpose utility and is not directed at children. It collects no personal data on any server.

3. Changes to this policy

Material changes will be reflected in this document and, for the application, in the app’s release notes.

4. Contact

For questions about this policy, contact us at info@cryptiqo.eu, or raise an issue through the project’s repository.