Privacy Policy
Effective date: 28 May 2026 · Applies to Matrix Vault for iOS (the "App") and its supporting services.
Matrix Vault is built so that we cannot see your data. This policy describes the few things we necessarily process to operate the App, and the much larger set of things we do not collect at all.
1. Who we are
Matrix Vault is developed by NAB ("we", "our"). The App is distributed via the Apple App Store. Our supporting servers are operated on dedicated hardware in Germany.
2. Summary
- Your vault contents (files, passwords, browser sessions) stay on your device, encrypted with a key derived from your PIN and wrapped by the device's Secure Enclave.
- Messages, calls, and other YoMatrix Messenger traffic are end-to-end encrypted on your device before reaching our server. Our server routes ciphertext only.
- We use no analytics, no telemetry, no third-party SDKs, no advertising identifiers, no tracking pixels, and no fingerprinting libraries.
- We collect the minimum metadata needed to deliver messages, push notifications, and Email Bot mail. That metadata is enumerated below.
3. Data stored on your device
The following stay on your device and are never transmitted to us:
- Files stored in your vault, encrypted with AES-256-GCM.
- Passwords and password attachments, encrypted with the same vault key.
- Matrix WebSurf browser session (ephemeral; cleared automatically).
- Local message history, drafts, and starred items.
- Your PIN (we never receive it; only a scrypt-derived hash unwraps the vault key locally).
- Your Curve25519 messaging keypair and signing keypair (private halves never leave the device).
4. Data we process to operate YoMatrix Messenger
To deliver messages to the right recipient, our server processes the following:
- Your handle. A globally-unique @username you pick at first launch (3–20 characters).
- Your public key. The public half of your Curve25519 identity key, plus your Ed25519 signing public key.
- Prekey bundles. A signed prekey (rotated weekly) and a small pool of one-time prekeys for forward secrecy.
- Ciphertext envelopes. Messages, attachments, story posts, and reactions arrive as opaque ciphertext addressed to a recipient handle. We cannot read them.
- Offline message queue. Encrypted envelopes for recipients currently offline are stored on our server until delivery. Default retention: 30 days, after which undelivered messages are deleted.
- Per-handle online/offline state. Updated only while you have an active connection, for routing decisions.
- Read anchors. Per-conversation last-read pointers (an opaque ciphertext label), so that delivered messages are not redelivered on a future connection.
- Device transfer state. If you move to a new device, a short-lived encrypted handover bundle exists on the server until claimed.
What we do not process
- Plaintext message content.
- Plaintext file or attachment content.
- Contact lists or address books.
- Group membership in cleartext (group routing is via pairwise ciphertext per Signal-style fanout).
- Read receipts beyond the opaque anchor described above.
5. Voice and video calls
Calls use WebRTC peer-to-peer when network conditions allow. Where peer-to-peer is not possible (symmetric NAT, etc.), audio and video are relayed through our TURN server in encrypted form; we relay encrypted packets without the ability to decode the media. Signaling (SDP offer/answer, ICE candidates) passes through our server as part of the standard end-to-end-encrypted message channel.
6. Push notifications
When you have notifications enabled, we register your APNs device token (an opaque identifier issued by Apple) so we can deliver a push when a new message arrives. The push payload contains only the encrypted message envelope — no plaintext content, no sender name in cleartext when previews are disabled. If you have previews disabled and your vault is locked, notifications show a generic placeholder only.
7. Email Bots (incoming mail at @matrixvault.app)
If you activate the Email Bot feature, mail sent to your @username@matrixvault.app address is received by our mail server, validated against SPF / DKIM / DMARC, packaged into the standard end-to-end encrypted message format, and delivered to your in-app inbox as ciphertext. The original RFC 5322 message is then discarded from disk; we retain no plaintext mail archive. Sender allowlists and reply rate-limits are enforced on our server based on metadata you provide; reply content from inside the app is signed by our outbound DKIM stack and sent on your behalf.
8. Voicemail transcription and translation
Processing happens on-device by default (using Apple's on-device speech recognition). If you opt in to server-side transcription (faster, supports more languages), the audio fragment is sent to our Whisper instance, processed in memory only, and the transcript is returned. No audio file is written to disk on the server. The same model applies to server-side translation (NLLB) when you opt in.
9. Account creation and authentication
The App does not collect an email address, phone number, or name to create an account. Your handle plus your generated keypair is your account. Authentication on every API request is via a signed timestamp using your Ed25519 signing key; we verify the signature against your registered public key.
10. Crash reports and analytics
None. Matrix Vault does not include analytics SDKs, crash reporters, or any first-party telemetry channel.
11. Third parties
The following operate outside of our infrastructure and are unavoidable for the App to function:
- Apple Push Notification service (APNs). Apple receives an opaque device token and an encrypted payload when we push to you. See Apple's privacy policy.
- Apple App Store. Distribution of the App and in-app purchases.
We do not share any data with advertising networks, data brokers, analytics providers, or third-party SDKs. We have no integrations with social networks.
12. Data location
Our servers are located in Germany (Hetzner Online GmbH). All processing occurs there. By using the App you consent to the transfer of the metadata described above to Germany.
13. Security
- AES-256-GCM for all symmetric encryption.
- Curve25519 ECDH for key agreement; HKDF-SHA-256 for key derivation; Ed25519 for signatures.
- Vault key wrapped via ECIES against a non-extractable Secure Enclave keypair on supported devices.
- Forward secrecy via ephemeral Curve25519 per message.
- Certificate pinning between the iOS app and our API.
- Signed request authentication (Ed25519) on state-changing endpoints.
- Self-hosted, no third-party message processors.
14. Your rights and controls
- Access. All vault data lives on your device; you have it already.
- Erasure. Settings → Delete All Data wipes vault, keys, and local caches. To remove your handle and prekeys from our server, use the in-app account deletion flow.
- Portability. Vault contents can be exported by the device-transfer flow to another iOS device running Matrix Vault.
- Withdrawal of consent. Uninstall the App.
15. Children's privacy
Matrix Vault is intended for users aged 13 and older. We do not knowingly collect data from children under 13.
16. Changes to this policy
If we make material changes, we will update the Effective date at the top of this page and surface a notice inside the App on next launch.
17. Contact
Privacy questions: privacy@matrixvault.app
General support: support@matrixvault.app