Privacy Policy

Last updated: March 2026

This Privacy Policy describes how Uconomix Technologies LLP ("We", "Us", "Our"), the owner of HexaVault, collects, uses, stores and protects your personal data. This policy is published in compliance with the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act") and other applicable laws.

HexaVault is a zero-knowledge encrypted password manager. Our architecture is designed so that We are technically unable to access the contents of Your vault. Please read this policy carefully to understand our practices.

1. What Information Do We Collect?

We collect the following categories of personal data:

Account Data: When you register, we collect your name and email address.

Vault Data (Zero-Knowledge): The passwords, credentials, notes, financial information, identity documents and other personal information you store within your HexaVault vault. This data is encrypted on your device before being transmitted to our servers using AES-256 encryption. Your master password is never stored on our servers. A one-way cryptographic hash is stored solely for the purpose of authentication. Encryption keys are derived on your device and are never transmitted to our servers in an unencrypted form. While encrypted vault data resides on our servers, we are unable to decipher or read its contents without your master password, which we do not hold.

Device and Technical Data: We may collect your device model number and operating system details solely for the purposes of device authorisation and account security. We also collect standard server logs including IP addresses and access timestamps for security monitoring and service operation.

Payment Data: If you purchase a subscription, payment is processed by a third-party payment processor. We do not store your credit card numbers, banking details, or other financial instrument information on our servers.

We do not collect your geographic location. The Application does not access, collect, or transmit your approximate or precise location at any time.

2. How Do We Use Your Information?

We use the personal data we collect only for the following purposes, each of which constitutes a lawful basis under the DPDP Act:

To provide the Service: To authenticate your account, store and sync your encrypted vault data across your devices, and deliver the core functionality of HexaVault.

To communicate with you: To send transactional and service-related emails, such as account confirmations, security alerts, password reset emails, and important updates about the Service.

To improve the Service: To analyse usage patterns (in aggregated, anonymised form only) to improve our website and application features.

To process payments: To facilitate your subscription purchase through our third-party payment processor.

To comply with legal obligations: To respond to lawful requests from regulatory authorities or law enforcement where required by applicable law.

We expressly do not use your data for advertising, marketing profiling, or any commercial purpose beyond delivering the Service to you. We do not sell your data. We do not analyse the contents of your encrypted vault for any purpose whatsoever.

3. Zero-Knowledge Encryption

HexaVault is built on a zero-knowledge security model. This means:

Your master password is never stored on our servers. A one-way cryptographic hash is stored solely for the purpose of authentication. Encryption keys are derived on your device and are never transmitted to our servers in an unencrypted form.

Your vault data is encrypted locally on your device using AES-256 encryption before it is uploaded to our servers.

Our servers store only your encrypted vault. Without your master password and encryption key, the stored data is indecipherable - even to us.

As a consequence of this model, if you forget your master password, we are unable to recover or reset your vault contents. Please store your master password securely.

4. How Do We Protect Your Information?

We implement a variety of technical and organisational security measures to maintain the safety of your personal information, including:

AES-256 end-to-end encryption for all vault data, as described above.

Encrypted transmission of all data between your device and our servers using TLS (Transport Layer Security).

Access controls limiting our personnel's access to only the minimum data necessary for service operations (none of our staff can access your vault contents).

Regular security reviews and vulnerability assessments of our infrastructure.

Payment transaction data is not stored on our servers after a transaction is complete.

5. Data Retention

We retain your account data (email address, profile information) and encrypted vault data for as long as your account remains active or as needed to provide the Service.

Upon deletion of your account, all your personal data - including your encrypted vault contents and account information - will be permanently deleted from our primary servers and all backup systems within thirty (30) days.

We may retain anonymised, aggregated data that cannot identify you for analytical purposes indefinitely.

6. Do We Use Cookies?

Yes. Cookies are small files that a site or service provider transfers to your computer or mobile device through your web browser (if you allow) that enable the site or service provider's systems to recognise your browser and remember certain information.

We use cookies to maintain your session and authentication state, to understand and save your preferences for future visits, and to compile aggregated, anonymised data about site traffic so that we can offer better experiences in the future.

You may disable cookies through your browser settings; however, disabling certain cookies may affect the functionality of the Application.

7. Do We Disclose Information to Outside Parties?

We do not sell, trade, or otherwise transfer your personally identifiable information to outside parties. We may share your data only in the following limited circumstances:

Service Providers: We engage trusted third-party service providers who assist us in operating our infrastructure and delivering the Service, including cloud hosting providers and payment processors. These parties are contractually bound to keep your information confidential, to use it only for the purpose of providing services to us, and to maintain appropriate security standards. They are not permitted to use your personal data for their own purposes.

Legal Compliance: We may disclose your information when required to do so by law, court order, or a lawful request from a government or regulatory authority, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of the Company, our users, or the public.

Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, user data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Application prior to your data being transferred and becoming subject to a different privacy policy.

Non-personally identifiable, aggregated data may be shared with analytics partners solely in anonymised form that cannot be linked back to any individual user.

8. Your Rights Under the Digital Personal Data Protection Act, 2023

As a Data Principal under the DPDP Act, 2023, you have the following rights with respect to your personal data:

Right to Access: You have the right to obtain a summary of the personal data we hold about you and the purposes for which it is being processed.

Right to Correction and Erasure: You have the right to correct inaccurate or incomplete personal data we hold about you, and the right to request erasure of your personal data where it is no longer necessary for the purposes for which it was collected.

Right to Grievance Redressal: You have the right to readily available means to register a grievance regarding our processing of your personal data. Please refer to the contact details below.

Right to Nominate: You have the right to nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, please contact us at info@hexavault.com. We shall endeavour to respond to all verified requests within thirty (30) days.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, We shall notify you without undue delay, and in any case within seventy-two (72) hours of becoming aware of the breach, to the extent reasonably practicable. We shall also report the breach to the Data Protection Board of India as required under the DPDP Act, 2023.

10. Children's Privacy

We do not knowingly collect personal data from children under the age of 18 without verifiable parental or guardian consent, in compliance with the DPDP Act, 2023 and the Children's Online Privacy Protection Act (COPPA). Our services are directed to individuals who are at least 18 years of age (or minors using the service under the supervision and consent of their legal guardian). If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly.

11. Your Consent

By registering for and using our site or mobile apps, you provide your free, specific, informed, unconditional and unambiguous consent to the collection and use of your personal data as described in this Privacy Policy. You may withdraw your consent at any time by deleting your account, subject to any legal obligations that require us to retain certain data. Withdrawal of consent will not affect the lawfulness of any processing carried out prior to such withdrawal.

12. Changes to Our Privacy Policy

If we make material changes to this Privacy Policy, we will notify you via email at least fifteen (15) days before the changes take effect, and will post the updated policy on this page with a revised "Last Updated" date. We encourage you to review this Policy periodically.

13. Grievance Officer

In accordance with the DPDP Act, 2023, and the Information Technology Act, 2000, We have appointed a Grievance Officer to address any concerns or complaints regarding this Privacy Policy or the processing of your personal data:

Grievance Officer, Uconomix Technologies LLP
Registered Office: Mumbai, Maharashtra, India
Email: info@hexavault.com

The Grievance Officer shall acknowledge receipt of your complaint within forty-eight (48) hours and endeavour to resolve it within thirty (30) days.

Contacting Us

If there are any questions regarding this privacy policy, please contact us.