Your data stays on your device.
Full stop.
VaultBook is architected so that your notes, files, and personal information never leave your computer. This policy explains exactly what we collect (almost nothing), what we don't (everything else), and why.
1. Scope of This Policy
This Privacy Policy applies to the VaultBook desktop application (the "Application"), the VaultBook website at reportmedic.github.io (the "Website"), and any related services, documentation, or communications provided by VaultBook Labs ("we," "us," "our").
The Application is a browser-based, offline-first workspace distributed as a single HTML file. It is designed to operate entirely on your local device without requiring an internet connection, user account, or server-side infrastructure. This architecture is central to our privacy model.
2. Architectural Overview
Understanding VaultBook's architecture is essential to understanding our privacy posture. The Application runs entirely within your web browser. It does not communicate with any remote server, API endpoint, analytics service, or third-party provider during operation.
The Application ships as a single HTML file containing all code, styles, and assets. It uses the browser's File System Access API to read and write data to a local folder that you explicitly select. No data is transmitted over any network connection. All AI features, search indexing, OCR processing, encryption, and analytics run locally in your browser's JavaScript runtime.
Because the Application has no backend, there is no server that receives, processes, stores, or has access to your content. We have no technical ability to access your notes, attachments, search queries, encryption passwords, or any other data you create or store in VaultBook.
3. Data We Do Not Collect
The following categories of data are never collected, transmitted, or accessible to VaultBook Labs at any point during your use of the Application:
| Data category | Collected? |
|---|---|
| Note content (titles, bodies, sections) | ✕ No |
| File attachments and their contents | ✕ No |
| Search queries and QA questions | ✕ No |
| Encryption passwords, keys, or salts | ✕ No |
| Labels, tags, or page structures | ✕ No |
| Vote data (upvotes / downvotes) | ✕ No |
| OCR-extracted text from images | ✕ No |
| Timetable or scheduling data | ✕ No |
| Analytics or usage metrics | ✕ No |
| IP addresses from the Application | ✕ No |
| Device identifiers or fingerprints | ✕ No |
| Browser type, OS, or screen resolution | ✕ No |
| Geolocation data | ✕ No |
| Contact lists, email addresses, or names | ✕ No |
| Behavioral, clickstream, or telemetry data | ✕ No |
This is not a selective list. We do not collect any data from the Application whatsoever. The Application makes zero network requests during its entire lifecycle — from the moment you open the HTML file to the moment you close the browser tab.
4. Data Stored Locally on Your Device
When you use VaultBook, data is created and stored exclusively in a local folder on your device that you explicitly grant access to via the browser's File System Access API. This data never leaves your device. The following files and directories are created within your chosen folder:
4.1 Repository file
repository.json — a single JSON file containing your page hierarchy, entry metadata (titles, labels, timestamps, scheduling data, favorite status), and vote data for search and related entries. Entry body content for entries exceeding a certain size is stored as separate sidecar files (see 4.2).
4.2 Entry body files
/attachments/details-<id>.md — Markdown or HTML sidecar files containing the full body content of individual entries. These are plain-text files readable by any text editor.
4.3 Attachments
/attachments/ — a directory containing all files you attach to entries or sections. An index.txt manifest (JSON) maps attachment keys to file metadata. Text is extracted from attachment contents and indexed locally for search.
4.4 Version history
/versions/ — a directory containing per-entry version snapshots. Versions are retained for 60 days by default and are automatically pruned.
4.5 License file
license.json — a file containing your license tier and activation status. This file is stored locally in your workspace folder and is not transmitted to any server.
4.6 Timetable data
Calendar and timetable entries are persisted to disk within your workspace folder and rehydrated on application load. This data is never transmitted externally.
Every file VaultBook creates is a standard file format (JSON, Markdown, or the original format of your attachments) stored in a regular folder on your file system. You can inspect, copy, back up, version-control, or delete any of these files at any time using your operating system's native file tools. There are no proprietary binary formats and no database engines.
5. Encryption & Security
5.1 Per-entry encryption
VaultBook Pro includes optional per-entry encryption using AES-256-GCM, a symmetric encryption algorithm widely regarded as industry standard for data-at-rest protection. Key derivation uses PBKDF2 with 100,000 iterations of SHA-256. Each encrypted entry receives a unique random 16-byte salt and 12-byte initialization vector (IV).
5.2 Password handling
Encryption passwords are set per entry (not globally). Passwords are never stored on disk in any form — plaintext, hashed, or otherwise. During an active session, passwords may be cached in memory to avoid re-prompting when switching between encrypted entries. This session cache is cleared when you close the browser tab or navigate away.
5.3 Decrypted content
When you unlock an encrypted entry, the decrypted plaintext is held exclusively in the browser's JavaScript runtime memory (the _plain field). It is never written to disk in unencrypted form. When you navigate away from the entry or close the application, the decrypted content is released from memory.
5.4 Lock screen
VaultBook includes a lock screen that applies a full-page blur overlay, blocks all pointer events, and prevents text selection. This prevents casual visual access to your workspace when you step away.
5.5 What we cannot do
Because encryption keys are derived from passwords you set and are never transmitted to us, we have no ability to decrypt your encrypted entries. If you forget an entry's password, we cannot recover it. We strongly recommend keeping secure backups of your encryption passwords.
6. VaultBook Website
The VaultBook marketing website (reportmedic.github.io) is a static site hosted on GitHub Pages. It contains no server-side logic, no databases, and no application code that processes personal data.
6.1 Hosting
The Website is hosted by GitHub, Inc. via GitHub Pages. GitHub may collect standard server logs (IP addresses, request timestamps, user agents) as part of its infrastructure. This data is governed by GitHub's Privacy Statement. We do not have access to GitHub's raw server logs.
6.2 Analytics
We do not use Google Analytics, Mixpanel, Hotjar, Segment, or any third-party analytics, tracking, or advertising service on the Website. We do not embed tracking pixels, social media widgets, or retargeting scripts.
6.3 Forms and user input
The Website does not contain forms that collect personal information. Contact is facilitated through Telegram (t.me/VaultBook), which is a third-party service governed by Telegram's Privacy Policy. Any information you share with us via Telegram is subject to Telegram's data handling practices in addition to our commitment to treating your communications confidentially.
6.4 Download links
Application download links point to files hosted on GitHub (raw.githubusercontent.com). Downloading a file may be logged by GitHub's infrastructure. We do not add tracking parameters, redirects, or analytics wrappers to download URLs.
7. Cookies & Local Storage
7.1 The Application
The VaultBook Application does not set cookies. It does not use the browser's localStorage, sessionStorage, or IndexedDB APIs for persistent data storage. All persistent data is stored via the File System Access API in the folder you explicitly select. In-session state is held in JavaScript runtime memory and is released when the tab closes.
7.2 The Website
The VaultBook Website does not set first-party cookies. It does not use local storage or session storage. GitHub Pages may set technical cookies as part of its hosting infrastructure; these are governed by GitHub's policies and are outside our control.
8. Third-Party Services
The following third-party services are involved in the VaultBook ecosystem. None of these services have access to the content you create or store in the Application.
| Service | Purpose | Data shared |
|---|---|---|
| GitHub Pages | Website hosting & file downloads | Standard HTTP request data (IP, user agent) per GitHub's policy |
| Telegram | Customer contact channel | Only what you voluntarily send us via Telegram |
| Google Fonts | Web font delivery for the Website | Standard HTTP request data per Google's policy |
The Application itself makes zero network requests and therefore has no third-party service dependencies during operation. All JavaScript libraries (marked.js, Tesseract for OCR, etc.) are bundled inline within the HTML file and loaded locally.
9. Children's Privacy
VaultBook is a general-purpose productivity tool not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). Because the Application does not collect any personal data, there is no mechanism by which children's data could be collected, stored, or processed by us.
If you are a parent or guardian and believe a child has provided personal information to us through our Telegram contact channel, please contact us and we will promptly delete any such information.
10. Data Retention & Deletion
10.1 Application data
All data created by the Application is stored on your device and is retained for as long as the files exist on your file system. We have no copy of your data and therefore cannot retain or delete it. You may delete your entire VaultBook workspace at any time by deleting the folder you selected.
10.2 Version history
Version snapshots are stored in the /versions directory within your workspace. Versions older than 60 days are automatically pruned by the Application. You may manually delete version files at any time.
10.3 Telegram communications
If you contact us via Telegram, message content is retained within the Telegram platform per Telegram's data retention policies. You may delete your messages at any time using Telegram's built-in deletion features. We do not export, archive, or store Telegram conversations in any external system.
11. Data Portability
VaultBook is designed for complete data portability. Your workspace consists entirely of standard file formats:
| File | Format | Readable by |
|---|---|---|
| repository.json | JSON | Any text editor, JSON viewer, or programming language |
| details-*.md | Markdown / HTML | Any text editor or Markdown renderer |
| index.txt | JSON | Any text editor or JSON parser |
| Attachments | Original formats | Their native applications |
| Version snapshots | JSON / Markdown | Any text editor |
There is no export step, no data request process, and no proprietary format to convert from. Your data is already in portable, open formats stored in a regular folder on your file system. You can copy it, back it up, sync it with any cloud drive, or migrate it to another tool at any time without our involvement.
12. International Users
12.1 GDPR (European Economic Area)
Because the Application does not collect, process, or transmit personal data to any server, there is no "data controller" or "data processor" relationship between VaultBook Labs and Application users in the context of GDPR. Your data remains entirely under your control on your local device. The Website's hosting on GitHub Pages may involve data processing by GitHub in accordance with their GDPR compliance commitments.
12.2 CCPA (California)
VaultBook Labs does not sell personal information. We do not collect personal information from the Application. California residents have the right to know what personal information is collected — in VaultBook's case, the answer is none.
12.3 PIPEDA (Canada)
The Application does not collect personal information from Canadian users. Interactions with the Website are limited to standard HTTP request data processed by GitHub's infrastructure.
12.4 Other jurisdictions
Because VaultBook's architecture does not involve collection or cross-border transfer of personal data, the Application is compatible with data residency and data sovereignty requirements in any jurisdiction. Your data physically resides wherever your device is located.
13. Your Rights
Regardless of your jurisdiction, you have the following rights with respect to your VaultBook data:
Right to access — All your data is stored in a folder on your device in open formats. You can access it at any time without requesting it from us.
Right to rectification — You can edit any entry, label, page, or attachment directly within VaultBook or by editing the underlying files.
Right to erasure — You can delete individual entries within VaultBook or delete the entire workspace folder from your file system. We have no copy to retain.
Right to portability — Your data is already stored in portable, open formats (JSON, Markdown, original attachment formats). No export process is needed.
Right to restrict processing — All processing occurs locally on your device. You can stop processing at any time by closing the browser tab.
Right to object — Because there is no remote processing, there is no processing to object to.
14. Breach Notification
Because VaultBook Labs does not store, transmit, or have access to user data, a traditional data breach affecting your VaultBook content through our systems is not possible. There is no server to compromise, no database to exfiltrate, and no backups under our control.
If a security vulnerability is discovered in the Application's code that could affect the integrity or confidentiality of locally stored data, we will disclose the vulnerability promptly on our Website and through our Telegram channel, along with remediation steps and an updated version of the Application.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the Application's features, our business practices, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify users through our Website or Telegram channel.
Because VaultBook's core architecture is offline-first with zero data collection, we do not anticipate material changes to the fundamental privacy posture described in this policy. If a future version of VaultBook were to introduce any network connectivity or data collection, that change would be prominently disclosed before implementation and would require explicit user consent.
16. Contact
If you have questions about this Privacy Policy, wish to report a security concern, or want to exercise any of your data rights, you can reach us through Telegram:
Telegram: t.me/VaultBook
Entity: VaultBook Labs, San Francisco, California, United States.
We aim to respond to all privacy-related inquiries within 72 hours.