Privacy Policy

The provider of the App and, where applicable, the data controller is:

XVault
Email: privacy@xvault.app

If you require our full registered business name and postal address for a data request, please contact us at the email above and we will provide them.

To match the disclosures on our App Store product page:

• Data Not Collected. XVault does not collect any data from you that is linked or not linked to your identity.
• Tracking. XVault does not track you across apps or websites owned by other companies. We do not present an App Tracking Transparency prompt because we do not engage in tracking as defined by Apple.
• Third-party SDKs. XVault does not include third-party analytics, advertising, attribution, or tracking SDKs.
• Account. There is no account to create. There are no usernames, passwords, emails, or phone numbers stored by us.

We do not collect, store, transmit, or have access to:

• Your recovery phrase, mnemonic, XRPL family seed (beginning with "s"), or raw private keys.
• Your name, email, phone number, address, date of birth, or government identifiers.
• Account credentials (there are no accounts).
• Contacts, photo library, location, health, financial, or browsing data.
• Device identifiers used for advertising (IDFA) or cross-app tracking.

Your keys are generated on your device and stored in the iOS Keychain with hardware-backed Secure Enclave protection. They never leave your device.

The following data is created and stored locally on your device. It is not transmitted to us and we cannot access it:

• Your encrypted wallet(s), wallet labels, and address book entries.
• App preferences (theme, biometric setting, auto-lock timer, PIN hash).
• Local transaction history and analytics derived from public XRP Ledger data.
• CSV files you choose to export (saved by you to a location you choose).

To function, the App must communicate with public services. These requests are made directly from your device:

• XRP Ledger mainnet. The App connects to public XRPL nodes to read on-chain data and broadcast signed transactions. Wallet addresses and transactions on the XRP Ledger are public by design and visible to anyone.
• Market data providers. The App fetches public market data (price, market cap, volume, chart, trending tokens). These requests do not include your wallet address, recovery phrase, or any personal identifier.
• Network metadata. Operators of the services above may observe your IP address and standard HTTP request metadata as part of normal internet operation. We do not control their practices. The current list of providers is available in the App's "About" screen, along with links to their privacy policies.

We do not receive or store any of this network traffic.

• Camera (NSCameraUsageDescription). Only when you tap the QR scanner, to read an XRP address. Camera frames are processed on-device and not saved.
• Face ID / Touch ID / Optic ID (NSFaceIDUsageDescription). To unlock the App and confirm transactions. Biometric templates never leave Apple's Secure Enclave; we never see them.
• Files (export). Only when you choose to export your activity to CSV.

The App requests no other permissions.

XVault is rated 17+ on the App Store and is not directed to children under 13 (or the equivalent minimum age in your country). We do not knowingly process information from children. If you believe a child has used the App, please contact us.

Where the GDPR or UK GDPR applies and to the extent any limited processing occurs (for example, responding to your support email), our legal basis is:

• Performance of a contract — to provide the App you installed.
• Legitimate interests — to operate, secure, and improve the App, balanced against your rights.
• Consent — where required, for example device permissions you grant in iOS.

Subject to applicable law (including GDPR/UK GDPR and CCPA/CPRA), you have the right to access, correct, port, restrict, object to, or delete personal data we hold about you, and to withdraw consent and lodge a complaint with a supervisory authority. Because we do not collect personal data, we typically have nothing to act on. You can erase all local App data at any time by deleting the App from your device. To exercise any right or ask a question, contact privacy@xvault.app.

Do Not Sell or Share / Limit Use (California). We do not sell or share personal information and do not use sensitive personal information for inferring characteristics.

There is no account to delete because we do not create one. To delete all local data, uninstall the App from your device. If you have ever contacted support, you may request deletion of that correspondence by emailing privacy@xvault.app.

We do not retain personal data about you because we do not collect it. Local data lives on your device until you delete the App. Support emails you send us are retained only as long as needed to resolve your request and then deleted.

Because we do not collect personal data, no international transfer of personal information occurs on our side. Public XRP Ledger data and market data are fetched globally over the public internet.

Recovery phrases and private keys are encrypted in the iOS Keychain with hardware-backed protection and signed locally on your device. We never see, store, or transmit your keys. No system is perfectly secure. You are responsible for protecting your device passcode, biometrics, and recovery phrase.

We may update this Privacy Policy from time to time. When we do, we will update the "Effective date" and "Last updated" above and, where required by law, notify you in-app. Continued use of the App after changes means you accept the updated policy.

Questions, requests, or complaints? Email privacy@xvault.app. We respond within 30 days.