Privacy Policy

Last updated: June 2025

Overview

VaultSpec Authenticator (“the App”) is a fully offline, open-source two-factor authentication application. It is designed with a zero-trust, privacy-first architecture. The App does not collect, transmit, or share any personal data whatsoever.

Data Storage

All data — including TOTP secrets, account metadata, and application preferences — is stored exclusively on your device. TOTP secrets are encrypted using AES-256-GCM with a master key derived via scrypt. Preferences are stored using Android's EncryptedSharedPreferences backed by the hardware Keystore.

No data is ever transmitted to any server, cloud service, or third party. The App makes zero network requests.

Camera Permission

The App requests camera access solely for scanning QR codes to add new authenticator accounts. Camera frames are processed locally on-device using ML Kit's barcode scanner. No images or camera data are stored, transmitted, or shared. The camera is only activated when you explicitly open the QR scanner.

Biometric Data

The App supports biometric unlock (fingerprint/face) via Android's BiometricPrompt API. Biometric data is handled entirely by the Android operating system and hardware Trusted Execution Environment (TEE). The App never accesses, stores, or processes raw biometric data.

Backups

The App allows you to create encrypted backups of your vault to a local directory of your choice. Backups are encrypted with AES-256-GCM using a separate password you provide. Backup files are stored only where you choose — the App does not upload them anywhere.

Analytics & Tracking

The App contains no analytics, no telemetry, no crash reporting, no advertising SDKs, and no tracking of any kind. The App does not use Google Analytics, Firebase, or any similar service.

Third-Party Services

The App does not integrate with any third-party services that collect user data. It is fully self-contained and operates entirely offline.

Open Source

VaultSpec Authenticator is open source under the GPL-3.0 license. You can audit the complete source code at github.com/VaultSpec/authenticator-android.

Contact

If you have questions about this privacy policy, you can reach us at dhruvesh3466@protonmail.com or open an issue on our GitHub repository.