Privacy policy
Effective date: July 12, 2026
VaultPad is a local-first notes app. This policy is short because the honest answer to most privacy questions about VaultPad is: your data stays on your phone, and we never see it.
The summary
- Your notes are plain-text files stored on your device. VaultPad has no servers, no accounts, and no sign-up. We — the developer — never receive, store, or have any way to access your notes or anything else about you.
- Nothing leaves your device unless you turn on a feature that sends it somewhere you chose: an AI provider using your own API key, a cloud sync provider using your own account, or Android's own device backup.
- VaultPad contains no analytics, no advertising, and no trackers. This version also contains no crash reporting.
The rest of this document spells that out.
What VaultPad stores on your device
- Your notes and their metadata — plain .md files plus small metadata files, in the app's private storage.
- Your settings — preferences like theme, category colors, and which features you've enabled.
- API keys and sign-in tokens — if you connect an AI provider or a sync provider, your API key or sign-in token is stored on your device in Android's encrypted secure storage. Keys and tokens never leave your device except to authenticate with the provider they belong to.
None of this is transmitted to us. There is no "us" to transmit it to — VaultPad runs entirely on your phone.
What leaves your device — only when you choose
AI providers (optional — requires your own API key)
If you add an API key for an AI provider, AI chats send your messages, the note you have open, and anything the AI reads with its tools (other notes you let it reach, and — if you granted calendar access — calendar events) to that provider, using your key. Nothing is sent outside AI features, and the app shows you this notice the first time you use each provider.
You choose the provider: Anthropic, OpenAI, Google (Gemini), or Deepseek. Your relationship with that provider is direct — governed by their terms and privacy policy, not ours, and we receive nothing from those conversations. Two provider-specific caveats the app also discloses:
- Google Gemini free-tier keys: Google may use your AI content to improve its products, including human review. Paid keys are exempt (as is the EU/UK/Switzerland, even on free keys).
- Deepseek: data is processed on servers in China.
Provider privacy policies: Anthropic · OpenAI · Google · Deepseek
You can mark any note "hide from AI" in its details panel: a hidden note is never sent to an AI provider — it is not injected into chats, and the AI cannot read, list, or edit it, in any chat mode. And you can remove your API key — and with it all AI features — at any time in Settings.
"Hide from AI" is not encryption. Your notes are plain text files by design — that's what makes them portable and permanently yours — and hiding a note from AI does not change that: the file still syncs to any provider you connected and rides your device backup like any other note. Please don't keep passwords, API keys, or similar secrets in notes; a notes app is not a password manager.
Sync providers (optional)
- Google Drive or Dropbox: if you connect one, your note files are uploaded to your own Drive or Dropbox account. VaultPad talks to their APIs directly from your phone using the access you granted; we run no sync servers and cannot see your synced files. Disconnecting stops all uploads; you can revoke VaultPad's access in your Google or Dropbox account settings at any time.
- Local Folder: mirrors your notes to a folder you pick on the same device. Nothing leaves your phone.
Android device backup
Like most Android apps, VaultPad participates in Android's Auto Backup, which backs your notes up to your Google account according to your device's backup settings — so your vault survives reinstalling the app or moving to a new phone. API keys and sign-in tokens are explicitly excluded from backups. This is Android's own backup system, controlled entirely in your device settings (Settings → Google → Backup), not by us.
Permissions VaultPad asks for
- Internet — used only to talk to the AI and sync providers you connect. With no provider connected, VaultPad works fully offline.
- Calendar (read-only) — requested only if you use a calendar-based feature (like the Daily Agenda template). VaultPad can only read events, never change them. Events it reads are used to write notes on your device and, as part of an AI chat, are sent to the AI provider you connected — nowhere else.
- Folder access — requested only if you set up the Local Folder mirror, via Android's folder picker. VaultPad can only access the folder you picked.
What we collect
Nothing. VaultPad sends no analytics, telemetry, usage statistics, or crash reports to us or to anyone else. We do not know how many notes you have, what's in them, which features you use, or that you use VaultPad at all.
If a future version ever adds any form of telemetry (for example, crash reporting), this policy will be updated first, the change will be called out in the app, and it will follow the same principle as everything above: your note content and keys are never included.
Data retention and deletion
We hold no data about you, so there is nothing for us to retain or delete. Your data lives in exactly three kinds of places, all yours:
- On your device — delete notes in the app, or uninstall the app, to remove it.
- In your own cloud accounts (Drive, Dropbox, Android backup) — managed and deletable through those accounts.
- With your AI provider — handled under their privacy policy and deletable through your account with them.
Children
VaultPad is not directed at children under 13.
Changes to this policy
If this policy changes, the new version will be posted at this address with an updated effective date.
Contact
VaultPad is developed by an independent developer. Questions about this policy: feedback@vaultpadnotes.com.