Om Vault — Privacy Policy

Last Updated: April 14, 2026

About Om Vault

Om Vault is a private, encrypted file sanctuary and photo gallery designed for securely storing personal documents, photos, and sensitive files. Om also lives in your WhatsApp and Telegram chats — you can store and retrieve files by messaging the Om Bot directly, without opening a browser. Your privacy is at the core of everything we build.

Data Encryption

All files stored in Om Vault are protected with industry-standard encryption:

• At rest: Every file is encrypted using AES-256-GCM with Argon2id key derivation (3 iterations, 64 MB memory, 4-way parallelism) before being written to disk or uploaded to cloud storage (AWS S3, ap-south-1 Mumbai region).
• In transit: All data transmitted between your browser and our servers is protected using HTTPS (TLS) via nginx with Let's Encrypt certificates.
• Key management: Each user has a unique encryption password stored encrypted with a server-side AES-256-GCM key. For Google Sign-In users, this password is auto-generated and stored once — you never need to enter it. Encryption keys are derived per-file using unique random salts.

AI Processing

Om Vault offers optional AI-powered features to help organise your files:

• AI tagging, descriptions, and document intelligence are powered by Gemini 2.0 Flash (model: google/gemini-2.0-flash-001) via the OpenRouter API (openrouter.ai).
• When AI processing is enabled, file data (images and document content) is sent as base64-encoded data to Google's Gemini API for analysis. The API generates tags, descriptions, folder suggestions, and structured document data (e.g., medication names from prescriptions, merchant totals from receipts).
• AI processing is optional — you can decline it during sign-up or revoke consent at any time from Account Settings.
• When you revoke AI consent, all previously generated AI metadata (tags, descriptions, folder assignments, document intelligence) is permanently deleted from all databases. Files with AI-generated names are renamed to a generic format.
• The AI tagger checks your consent status before every API call. If consent is revoked, no data is sent to any external AI service.

Data We Collect

Om Vault collects and processes the following categories of personal data:

• Account identifiers: Google email address, display name, and profile picture (from Google Sign-In); WhatsApp phone number (if linked via Om Bot); Telegram user ID (if linked via Om Bot)
• Uploaded files: Documents, photos, and other files you choose to store — via the web interface, the Om Bot on WhatsApp/Telegram, or S3 bulk import
• AI-generated metadata: Tags, descriptions, folder assignments, document type classification, and structured document intelligence data (only when AI consent is granted)
• Photo metadata: EXIF data extracted from photos including date taken, GPS coordinates, camera model, and image dimensions
• Session data: IP address, user agent, and session tokens for authentication (sessions expire after 30 days)
• Consent records: Timestamps and IP addresses of consent grants and revocations for DPDPA compliance
• Audit log entries: Security events such as logins, file uploads, file access, consent changes, and account deletions

Data Storage

Your data is stored in the following locations:

• Encrypted files: Local EBS storage on our EC2 server (ap-south-1, Mumbai) and AWS S3 (One Zone-IA storage class, ap-south-1)
• Thumbnails: Unencrypted JPEG previews (~400px) stored on local disk, served only to authenticated users
• Metadata: Per-user SQLite databases on local disk containing file metadata, AI tags, album memberships, and search indexes
• Account data: Shared SQLite database containing user accounts, sessions, identity links, consent records, and gallery shares

Data Retention

Your data is retained for as long as your account is active. When you delete your account, all data is permanently and irreversibly erased from all storage systems — local files, S3 cloud backups, thumbnails, all per-user databases, sessions, identity links, shares, consent records, and the user account itself. There is no recovery mechanism after account deletion.

Trashed files are automatically purged after 30 days. Temporary files (decrypted for viewing or export) are deleted immediately after use or within 60 seconds.

Your Rights Under DPDPA

Om Vault complies with India's Digital Personal Data Protection Act (DPDPA) 2023. As a user, you have the following rights:

• Right to Access: Download all your data at any time from Account Settings using the "Download My Data" feature.
• Right to Correction: Update your files and metadata through the application interface.
• Right to Erasure: Permanently delete your account and all associated data from Account Settings.
• Right to Consent Withdrawal: Revoke AI processing consent at any time. Revocation immediately stops AI processing and permanently removes all AI-generated metadata.

Grievance Redressal

If you have any concerns about how your data is handled, or wish to exercise your data protection rights, please contact us: