Privacy Policy

Last updated: July 12, 2026

1. Zero-Knowledge Data Principle

CmdVault is built on a zero-knowledge architectural blueprint. We do not collect, view, transmit, or monetize your master passwords, encryption keys, environment variables, or CLI recipes. All operations occur client-side on your local operating system.

2. Optional Synchronization Relay Telemetry

If you enable synchronization (either using the default public relay or a custom relay), the payload is fully encrypted on your device via AES-256 before upload.

  • The relay server stores encrypted blobs, signatures, and workspace hashes.
  • No plain text credentials, API tokens, or secrets are ever sent to our servers.
  • Self-hosting the relay allows you to bypass public endpoints entirely.

3. OAuth Providers (Google OAuth)

When utilizing Google OAuth to authenticate with workspace collaborator portals:

  • We request read-only access to verify your email address.
  • This email is used solely to route workspace collaborations and coordinate RBAC signatures.
  • We do not store Google access tokens beyond the active session or read any drive/calendar files.

4. Bug Reports and Diagnostics

When submitting reports through the Bug Report console, you consent to upload details including description, operating system platform, severity levels, and optional terminal logs.

  • Ensure you redact any plain-text API keys or DB passwords before pasting logs.
  • Diagnostic records are securely cataloged in our MongoDB cluster and purged after resolution.

5. Your Rights (GDPR & CCPA)

Since all user recipes are saved locally, you are already in total custody of your personal data. For relay metadata or support emails, you can request full erasure at any time by mailing support@cmdvault.com.