Legal

Privacy Policy

Last updated: March 16, 2026

Our Zero-Knowledge Commitment

✓We never have access to your Master Password

✓All encryption and decryption happens in your browser

✓We store only encrypted ciphertext we cannot read

✓Your seed phrase words never enter our systems

1. Who We Are

Mindlockr (“we”, “us”, or “our”) operates the website mindlockr.com and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read it carefully. If you disagree with the terms of this policy, please discontinue use of the Service.

2. Information We Collect

Information You Provide Directly

Email address — collected at signup or when joining our waitlist, used solely for authentication and product communications.
Vault names — plaintext labels you choose for your vaults (e.g. “Ledger Nano X”). These are stored unencrypted so we can display them.
Encrypted vault content — images and notes are encrypted in your browser before upload. We store only the resulting ciphertext and cannot read the contents.

Information Collected Automatically

Log data — our hosting provider may collect standard server logs including IP address, browser type, pages visited, and timestamps. These are retained for up to 30 days for security and debugging purposes.
Hashed IP addresses — when you submit a challenge attempt, we store a one-way SHA-256 hash of your IP address to prevent abuse. The original IP address is not retained.
Analytics — we use Plausible Analytics, a privacy-first analytics tool that collects no personally identifiable information, sets no cookies, and does not track users across sites. Aggregate usage statistics (page views, referrers, device types) help us improve the product.

Information from Third-Party Sign-In

If you sign in with Google, we receive your email address and a Google user identifier. We do not receive your Google password, contacts, calendar, or any other Google data.

3. How We Use Your Information

To create and manage your account
To authenticate your identity when you sign in
To store and serve your encrypted vault data
To send transactional emails (email confirmation, password reset)
To send a single launch notification if you joined our waitlist
To detect and prevent fraud, abuse, or violations of our Terms of Service
To monitor and improve the performance and reliability of the Service
To comply with legal obligations

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

4. Cookies & Tracking Technologies

We use a minimal number of cookies strictly necessary for the Service to function:

Authentication cookies — set by Supabase to maintain your logged-in session. These expire when you sign out or after 7 days of inactivity.

We do not use advertising cookies, tracking pixels, or any third-party cookies for marketing. Our analytics provider (Plausible) is cookieless by design.

You can configure your browser to refuse all cookies, but doing so will prevent you from signing in to the Service.

5. How We Share Your Information

We do not sell or rent your personal data. We share data only in these limited circumstances:

Service Providers

We use the following sub-processors to operate the Service. Each is bound by data protection agreements:

Supabase — authentication, database, and file storage. Data is stored on servers in the United States. See their Privacy Policy.
Plausible Analytics — cookieless, anonymous usage analytics. No personal data is shared. See their Privacy Policy.
Google (OAuth only) — used solely to verify your identity if you choose “Sign in with Google”. See Google's Privacy Policy.

Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Mindlockr, our users, or others.

Business Transfers

If Mindlockr is acquired, merged, or its assets are transferred, your information may be transferred as part of that transaction. We will notify you via email and/or a notice on the Service before your data is transferred and becomes subject to a different privacy policy.

6. Data Retention & Deletion

We retain your account data and vault data for as long as your account is active or as needed to provide the Service.

To delete your account and all associated data, contact us at @mindlockr. We will process deletion requests within 30 days.

Waitlist email addresses are deleted within 14 days of the launch notification being sent. Server log data is purged after 30 days. Hashed IP addresses from challenge attempts are purged after 90 days.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate personal data.
Erasure — request deletion of your personal data (“right to be forgotten”).
Portability — request your data in a machine-readable format.
Objection — object to processing of your personal data in certain circumstances.
Withdrawal of consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at @mindlockr. We will respond within 30 days. We may need to verify your identity before processing your request.

8. Security

We implement technical and organizational measures to protect your information. Vault content is encrypted client-side with AES-256-GCM and a key derived via PBKDF2 (600,000 iterations) before transmission. Even in the event of a server-side data breach, an attacker would obtain only encrypted blobs that are computationally infeasible to decrypt without your Master Password.

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to using industry-standard practices to protect your data.

9. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will delete it.

10. International Data Transfers

Your information may be transferred to and processed in the United States or other countries where our service providers maintain servers. These countries may have different data protection laws than your country of residence. By using the Service, you consent to such transfers. We take steps to ensure that appropriate safeguards are in place where required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of the page. For material changes, we will notify registered users by email or by displaying a prominent notice on the Service at least 7 days before the change takes effect. Your continued use of the Service after the effective date constitutes your acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or need to report a privacy concern, please contact us:

Product: Mindlockr

Website: mindlockr.com

Contact: @mindlockr on X (Twitter)

View Terms of Service →