Privacy Policy — Vault by AutomateX
This privacy policy describes how the Vault by AutomateX Android app ("the app", "we") handles the information you put into it.
Summary
Vault by AutomateX is a local-only encrypted file manager. The app never connects to a network to send or receive your data. Everything you import — photos, videos, documents, notes — stays on your device, encrypted with keys only your device holds. We do not collect, transmit, store, sell, share, or process any of your personal data on any server, ours or anyone else's.
What the app stores on your device
- The encrypted file blobs you import (under the app's private storage directory).
- Encrypted thumbnails generated for the in-app grid view.
- The passcode hash that unlocks the app (one-way SHA-256 of your PIN, never the PIN itself).
- The per-asset AES-256-CTR encryption keys stored in Android's hardware-backed Keystore (expo-secure-store), not on disk in readable form.
- The recovery phrase hash (50,000-round SHA-256 iterated chain of your 12-word phrase + per-wallet salt) so the app can verify a phrase you enter without storing the phrase itself.
- Local settings (biometric toggle, auto-lock delay, save folder preference, disguised launcher choice, etc.) in the app's private SQLite database.
All of the above lives only on this device in /data/data/com.automatexai.vaultapp/ (app-private storage that other apps cannot read), with the file blobs and thumbnails additionally AES-encrypted on disk.
What the app does NOT do
- We do not create user accounts.
- We do not require sign-in to use the app.
- We do not send analytics, telemetry, crash reports, or usage statistics to any server.
- We do not use any third-party advertising SDK.
- We do not scan, index, upload, or read files outside the ones you explicitly import.
- The app has no backend server. There is nowhere for your data to be sent.
Permissions the app uses, and why
| Permission | Used for |
|---|---|
| CAMERA | Two optional, on-device-only uses: (1) capture photos straight into the encrypted vault when you tap "Take photo" inside the vault; and (2) intruder capture — when this is enabled in Settings (it can be turned off at any time), after 3 failed unlock attempts the app silently takes a front-camera photo and saves it encrypted on your device so you can later see who tried to open your vault. Intruder photos are never uploaded, shared, or sent anywhere. |
| USE_BIOMETRIC / USE_FINGERPRINT | Optional: unlock the vault with fingerprint / face instead of your passcode. Authentication is done by the Android system, not by us; we never receive your fingerprint data. |
| MANAGE_EXTERNAL_STORAGE | Optional: when you choose "Delete original after import" or "Save to device folder", the app needs to read/write/delete the user-selected files in shared storage. We never read any file you didn't explicitly pick. You grant this once in system Settings during onboarding and can revoke it any time. |
| VIBRATE | Short haptic feedback when you capture a photo or get a confirmation. |
| INTERNET | Declared for compatibility with bundled libraries; the app itself opens no network sockets and contacts no server of ours or anyone else's. You can verify this by running the app fully offline (Wi-Fi and mobile data off) — it works identically. |
The following permissions are explicitly stripped from the merged manifest to avoid unnecessary access: READ_MEDIA_IMAGES, READ_MEDIA_VIDEO, READ_MEDIA_VISUAL_USER_SELECTED, ACCESS_MEDIA_LOCATION, RECORD_AUDIO, SYSTEM_ALERT_WINDOW.
How we protect your data
- All file blobs are encrypted with AES-256-CTR before being written to disk. The per-asset encryption keys live in expo-secure-store (Android Keystore, hardware-backed where available).
- The passcode is hashed with SHA-256 (one-way) before being stored. The recovery phrase is hashed with a 50,000-round iterated SHA-256 chain plus a per-wallet random salt — someone holding a stolen device cannot brute-force the phrase in any practical time.
- Decrypted plaintext only lives in a transient cache directory while you are actively viewing a file; the cache is wiped on lock and on backgrounding.
- The app sets FLAG_SECURE on every screen that shows vault contents, so screenshots taken inside the unlocked vault are blocked.
- android:allowBackup is set to false so Android's built-in Auto Backup to Google Drive cannot exfiltrate the vault.
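The salted, iterated SHA-256 recovery-phrase check described above can be sketched as follows. This is an added example, not the app's own code: the salt-then-phrase input order, the phrase normalisation, the 16-byte salt size, the function names and the sample phrase are all assumptions; only the hash function and the 50,000-round count come from this policy.

```javascript
// Added illustration (Node.js); not taken from the app's source.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const ROUNDS = 50000; // round count stated in the policy

// Assumption: collapse whitespace and case so "Alpha  bravo" == "alpha bravo".
function normalizePhrase(phrase) {
  return phrase.trim().toLowerCase().split(/\s+/).join(' ');
}

// Assumed chain: h1 = SHA-256(salt || phrase), h(i) = SHA-256(h(i-1)).
function hashPhrase(phrase, salt, rounds = ROUNDS) {
  let digest = createHash('sha256')
    .update(salt)
    .update(normalizePhrase(phrase), 'utf8')
    .digest();
  for (let i = 1; i < rounds; i++) {
    digest = createHash('sha256').update(digest).digest();
  }
  return digest;
}

// Enrollment: a fresh random salt per record, so identical phrases in two
// vaults never produce the same stored hash.
function enrollPhrase(phrase) {
  const salt = randomBytes(16); // assumed salt size
  return {
    salt: salt.toString('hex'),
    hash: hashPhrase(phrase, salt).toString('hex'),
  };
}

// Verification: recompute the chain with the stored salt and compare in
// constant time; the phrase itself is never persisted.
function verifyPhrase(candidate, record) {
  const expected = Buffer.from(record.hash, 'hex');
  const actual = hashPhrase(candidate, Buffer.from(record.salt, 'hex'));
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Constructed sample phrase, for demonstration only.
const SAMPLE_PHRASE =
  'alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima';
```

Only the salt and the final digest are stored, so checking an entered phrase costs one full 50,000-round chain per attempt.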
Third-party services
The app uses the following open-source libraries during normal operation; none of them connect to a network or transmit user data:
- React Native (UI runtime)
- Expo SDK 55 modules (expo-secure-store, expo-sqlite, expo-camera, expo-image-picker, expo-document-picker, expo-image-manipulator, expo-crypto, expo-file-system, expo-screen-capture, expo-clipboard, expo-sharing, expo-splash-screen, expo-local-authentication)
- React Navigation
- aes-js (fallback; runtime path uses native javax.crypto.Cipher)
We do not include any analytics SDK (no Firebase Analytics, no Sentry, no Crashlytics, no AppsFlyer, no Facebook SDK).
Children's privacy
The app is rated for general audiences. It collects no data, so it collects nothing about children either. Adult supervision is recommended for users under 13 because the vault can store arbitrary user files.
Your rights
Because the app stores your data only on your device and does not transmit it anywhere, the following GDPR / CCPA rights all reduce to actions you can take inside the app:
- Access: open the app and view any vault file.
- Deletion: long-press a file → Move to Deleted, or uninstall the app to remove everything Vault by AutomateX wrote.
- Portability: use Settings → Export current folder to download an encrypted backup bundle. Use Save to device on individual files to extract them outside the vault.
- Correction: edit any file inside the vault (notes), or re-import a corrected version.
Data retention
Data persists on your device until you delete it from the app or uninstall the app. Uninstalling the app deletes all vault data permanently — there is no copy anywhere else.
Changes to this policy
If we change this policy we will increase the version date at the top. The policy applies to the version of the app current as of its effective date.
Contact
Questions or concerns about this policy: [email protected]