Privacy Policy
How we collect, use, and protect your data
Last Updated: February 12, 2026
🔐 Our Commitment to Your Privacy
At Thelix Holdings, your privacy and data security are our top priorities. This Privacy Policy explains how Thelix Vault collects, uses, stores, and protects your personal information and credentials.
Key Principle: We use zero-knowledge architecture. Your credentials are encrypted before they ever reach our servers, and only you can decrypt them with your password.
1. Information We Collect
• Credential Data (Encrypted)
When you save credentials to Thelix Vault, we collect:
- ✓ Account names and descriptions you provide
- ✓ Usernames and email addresses
- ✓ Passwords (encrypted with AES-256-GCM before storage)
- ✓ Website URLs where credentials are used
- ✓ Multi-factor authentication information (if provided)
- ✓ Notes and access information you add
Important: All passwords are encrypted using AES-256-GCM on your device before transmission. We never have access to your unencrypted passwords.
• Authentication Information
- ✓ Business unit identifier (SBU slug)
- ✓ Hashed business unit password (bcrypt with 12 rounds)
- ✓ Session tokens (stored in secure, HttpOnly cookies)
- ✓ Login timestamps
• Audit and Security Data
For security and compliance purposes, we log:
- ✓ IP addresses of access attempts
- ✓ Browser user agent information
- ✓ Timestamps of all actions
- ✓ Actions performed (view, edit, delete credentials)
- ✓ Login and logout events
- ✓ Failed authentication attempts
• System Information
- ✓ Browser type and version
- ✓ Operating system
- ✓ Device type (desktop, mobile, tablet)
- ✓ Screen resolution (for responsive design)
2. How We Use Your Information
Provide Core Services
- Store and retrieve your encrypted credentials
- Authenticate you to your business unit vault
- Enable credential autofill in the Chrome extension
- Synchronize credentials across your devices
Security and Compliance
- Monitor for unauthorized access attempts
- Maintain comprehensive audit logs
- Detect and prevent security breaches
- Comply with organizational security policies
Improve Our Service
- Analyze usage patterns to improve user experience
- Identify and fix technical issues
- Optimize performance and reliability
- Develop new features based on usage data
Legal Compliance
- Comply with applicable laws and regulations
- Respond to legal requests and prevent fraud
- Enforce our terms of service
- Protect rights, property, and safety
3. How We Protect Your Data
End-to-End Encryption
AES-256-GCM encryption for all passwords. Encrypted on your device before transmission.
Secure Communication
HTTPS/TLS encryption for all data transmission. Secure, HttpOnly cookies with SameSite protection.
Database Security
PostgreSQL with encrypted connections. Regular security patches and updates. Access controls and monitoring.
Access Controls
Re-authentication required to view passwords. Automatic session timeout after 1 hour. Role-based permissions.
Additional Security Measures
- ✓ Regular security audits and penetration testing
- ✓ Comprehensive audit logging of all access
- ✓ Automated backup and disaster recovery procedures
- ✓ Staff security training and background checks
- ✓ Incident response and breach notification procedures
4. Data Sharing and Disclosure
We Do NOT:
- ✗ Sell your data to third parties
- ✗ Share credentials with advertisers
- ✗ Use your data for marketing purposes
- ✗ Provide access to external analytics services
- ✗ Share data with social media platforms
Within Your Organization
Your credentials are isolated within your business unit. Super Administrators can view metadata (account names, URLs) but cannot access encrypted passwords without your business unit password.
Legal Requirements
We may disclose information if required by law, court order, or legal process. We will notify you of such requests unless prohibited by law.
Service Providers
We use trusted service providers for infrastructure (DigitalOcean for hosting). These providers are bound by strict confidentiality agreements and cannot access encrypted data.
5. Your Privacy Rights
Access Your Data
You can view all your stored credentials at any time through the vault dashboard or Chrome extension.
Update Your Data
Edit or update any credential information at any time. Changes are reflected immediately across all your devices.
Delete Your Data
Delete individual credentials or request deletion of your entire business unit account through your administrator.
Export Your Data
Export all your credentials to Excel format at any time. Includes all metadata and passwords in plain text.
Review Audit Logs
Administrators can review complete audit logs showing all access to your business unit's credentials.
Object to Processing
Contact your administrator to object to specific data processing activities or request restrictions.
6. Data Retention
Active Credentials
Stored as long as your business unit account is active. You can delete credentials at any time.
Audit Logs
Retained for 2 years for security and compliance purposes. Contains access records but not credential content.
Deleted Credentials
Permanently deleted within 30 days of deletion request. Audit logs of the deletion are retained.
Account Closure
Upon business unit closure, all credentials are deleted within 90 days. Audit logs retained for compliance.
7. Cookies and Tracking
Essential Cookies
We use cookies necessary for the service to function:
- vault_session - Maintains your login session (HttpOnly, Secure, 1 hour)
- theme_preference - Stores dark/light mode preference (persistent)
No Tracking: We do NOT use tracking cookies, analytics cookies, advertising cookies, or third-party cookies.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- ✓ We will update the "Last Updated" date at the top
- ✓ We will notify you via email or in-app notification
- ✓ We will provide a summary of changes in the notification
- ✓ Continued use after notification constitutes acceptance
9. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or your data:
Organization: Thelix Holdings
Email: [email protected]
Your Administrator: For immediate assistance, contact your organization's super administrator or IT support team
Compliance & Certifications
Thelix Vault is designed to help your organization comply with: