Privacy Policy
Stash: Private Photo Vault
Last updated: March 1, 2026
This privacy policy applies to the application "Stash: Private Photo Vault" ("Stash", "the App"), published by Eduard Bruch. Stash is an encrypted file vault that allows users to securely store photos, videos, documents, audio files, and other files on their device. The App includes disguise modes (calculator, fitness tracker, music player), a decoy vault, intruder detection, a private browser, and secure notes.
We take your privacy seriously. This policy explains in detail what data the App collects, how it is processed, where it is stored, and what rights you have.
1. Data Controller
2. Fundamental Principle: On-Device Only
We do not operate any servers that receive, store, or process your data. All vault content — including photos, videos, documents, audio files, notes, browsing data, and settings — is stored exclusively on your device. We have no technical ability to access, view, retrieve, or recover any of your encrypted data. We cannot see what you store, how you use the App, or how often you open it.
3. Data We Collect and Process
3.1 Vault Content (Photos, Videos, Documents, Audio, Files)
Files you import into the vault — including photos, videos, PDFs, documents, MP3s, audio files, and any other file type — are encrypted using AES-256-CBC encryption with a randomly generated 256-bit key and per-file initialization vectors (IV). Encrypted files are stored locally in the App's sandboxed storage directory. The encryption key is stored in the iOS Keychain (or Android Keystore on Android devices), protected by the operating system's hardware-backed security.
Files are never transmitted to any external server, cloud service, or third party. Thumbnails for photos are also encrypted and stored locally. Non-image files (documents, audio, etc.) do not generate thumbnails.
3.2 PIN Code
Your PIN is stored as a SHA-256 cryptographic hash in the device's local database. The original PIN is never stored in plaintext. Because SHA-256 is a one-way hash function, your PIN cannot be reverse-engineered, recovered, or read by us or anyone else — including law enforcement.
3.3 Decoy PIN
If you set up a decoy PIN, it is stored as a separate SHA-256 hash under the same conditions as the main PIN. The decoy PIN opens a separate vault containing only items you have explicitly marked as decoy content. This feature exists to provide plausible deniability under duress.
3.4 Secure Notes
Notes created within the App are encrypted on-device using the same AES-256-CBC encryption as vault files. Both the note title and content are encrypted before storage. Encrypted notes are never transmitted externally.
3.5 Biometric Data (Face ID / Touch ID)
If you enable biometric unlock, authentication is handled entirely by the operating system's LocalAuthentication framework (iOS) or BiometricPrompt API (Android). The App never receives, stores, processes, or transmits your biometric data. It receives only a boolean success or failure result from the operating system. No fingerprint templates, facial geometry, or biometric identifiers are accessible to the App at any time.
3.6 Intruder Detection Photos
When you enable the intruder detection feature (premium only) and an incorrect PIN is entered, the App captures a photograph using the device's front-facing camera. These photographs are:
- Stored locally on your device only
- Never transmitted to any external server or third party
- Accessible only after successful authentication within the App
- Deletable by you at any time from within the App
The intruder detection feature is disabled by default and requires your explicit opt-in. It captures only when triggered by a failed PIN attempt, not continuously.
Legal basis: Art. 6(1)(a) GDPR (your explicit consent when enabling the feature) and Art. 6(1)(f) GDPR (legitimate interest in protecting the security of your device and personal data).
3.7 Disguise Modes
Stash includes three disguise modes: a fully functional calculator, a fitness tracker, and a music player. Each disguise stores non-sensitive surface-level data (calculator history, simulated step counts, or music library metadata) locally on your device. This data exists solely to make the disguise appear genuine and is never transmitted externally.
3.8 Private Browser
The built-in private browser uses a standard WebView component. Browsing history is not persistently saved by the App. Cookies and local storage created by visited websites are stored by the WebView engine and can be cleared manually from within the App. The App itself does not log, monitor, or transmit your browsing activity. Websites you visit may independently collect data according to their own privacy policies.
3.9 Recovery Email
If you choose to provide a recovery email address, it is stored locally in plaintext in the App's database on your device. It is never transmitted to our servers or any third party. This feature is optional.
3.10 Temporary Decrypted Files
When you open a file to view or share it, the App temporarily writes a decrypted copy to the device's temporary directory. These temporary files are automatically deleted when the vault is locked, when the App moves to the background (if auto-lock is enabled), or when the operating system clears temporary storage.
3.11 App Settings and Preferences
Your app settings (disguise mode selection, biometrics toggle, intruder detection toggle, auto-lock preferences, etc.) are stored locally in the App's SQLite database. These are never transmitted externally.
4. Subscription Data and Third-Party Services
4.1 In-App Purchases
Subscriptions and one-time purchases are processed by Apple (App Store) or Google (Google Play). We do not have access to your payment information, credit card number, or billing address. Subscription status is verified through RevenueCat, Inc. (San Francisco, USA), which receives anonymized transaction identifiers from Apple or Google to confirm your subscription status.
RevenueCat does not receive any vault content, personal files, PIN, biometric data, or personal identifying information beyond what Apple or Google provides as part of the standard purchase verification process.
Legal basis: Art. 6(1)(b) GDPR (performance of contract). Data transfer to the USA is covered by the EU-U.S. Data Privacy Framework. See RevenueCat's Privacy Policy.
4.2 Google Fonts
The App uses Google Fonts for typography. Font files may be downloaded from Google's servers on first launch. This is a standard HTTP request that does not transmit personal data. See Google Fonts Privacy FAQ.
5. Analytics, Tracking, and Advertising
The App does not use any analytics frameworks (no Firebase Analytics, no Crashlytics, no Mixpanel, no Amplitude, no Flurry, or similar). The App does not contain any advertising SDKs or ad networks. The App does not track your usage behavior, feature interactions, session duration, or any other telemetry. No usage data is collected, stored, or transmitted. We have zero visibility into how you use the App.
6. Device Permissions
The App requests the following device permissions, each for a specific and limited purpose:
All permissions are requested at runtime and can be revoked at any time through your device's Settings app. The App functions with reduced capability if permissions are denied.
7. Data Sharing
We do not sell, rent, lease, trade, or share your personal data with any third party. The only third-party service that receives any data is RevenueCat for subscription verification, as described in Section 4.1. No vault content, personal files, notes, browsing data, or biometric information is ever shared with anyone.
8. Data Retention and Deletion
All data is stored on your device for as long as the App is installed. You can delete individual items, notes, albums, intruder photos, and browser data at any time from within the App. You can delete all App data at once using the "Reset Vault" option in the App's settings. Uninstalling the App permanently deletes all locally stored data, including encrypted files and the encryption key. Once deleted, encrypted data cannot be recovered by anyone.
9. Data Security
- Encryption algorithm: AES-256-CBC with PKCS7 padding
- Encryption key: 256-bit key generated using a cryptographically secure random number generator, stored in the iOS Keychain (KeychainAccessibility.first_unlock) or Android Keystore
- Initialization vectors: Unique 16-byte IV randomly generated for each encryption operation and prepended to ciphertext
- PIN storage: SHA-256 one-way hash — not reversible
- In-memory caching: Decrypted data is temporarily held in memory for display and cleared when the vault is locked
10. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Access (Art. 15) — request confirmation of what data we process. Because all data is stored on your device only, we hold no personal data about you on our systems.
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — delete your data via the App's settings or by uninstalling the App
- Restriction of Processing (Art. 18) — restrict processing of your data
- Data Portability (Art. 20) — receive your data in a portable format
- Objection (Art. 21) — object to processing based on legitimate interest
- Withdraw Consent (Art. 7(3)) — withdraw consent at any time, for example by disabling intruder detection
To exercise any of these rights, contact us at support@eduardbruch.com.
11. California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- We do not sell your personal information.
- We do not share your personal information for cross-context behavioral advertising.
- We do not use sensitive personal information for purposes beyond what is necessary to provide the App.
California residents may contact support@eduardbruch.com to exercise their CCPA/CPRA rights.
12. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. Our competent authority is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7. OG, 20459 Hamburg
13. Children's Privacy
The App is not directed at children under the age of 13 (as defined by COPPA) or under the age of 16 (as defined by GDPR). We do not knowingly collect personal information from children. If we become aware that a child has provided personal information, we will take steps to delete such information.
14. International Data Transfers
The only international data transfer occurs through RevenueCat (USA) for subscription verification. This transfer is protected under the EU-U.S. Data Privacy Framework. All other data remains on your device and is never transferred internationally.
15. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in the App, applicable law, or our practices. Changes will be reflected on this page with an updated "Last updated" date. We encourage you to review this policy periodically. Your continued use of the App after changes constitutes acceptance of the updated policy.
16. Contact
For questions, concerns, or requests regarding this privacy policy or your data, contact: