KiWi Vault

Privacy Policy

Last Updated: December 18, 2025

At Nascentra, also known as Nascentra Labs, we prioritize the engineering of privacy-focused software systems. This policy governs KiWi Vault, a localized secure environment designed by us to safeguard sensitive digital assets. Throughout this document, "we," "us," and "our" refer to the collective teams at Nascentra Labs. This document outlines our "Zero-Knowledge" architecture and "Offline-First" methodology, ensuring that data remains under the absolute control of the user. By utilizing our services, you acknowledge the protocols detailed herein regarding data sovereignty, encryption standards, and the limitation of our access to your information.

1. Zero-Knowledge Architecture

Our technical infrastructure is predicated on a Zero-Knowledge framework. This architecture ensures that we lack the technical capability to access, view, or decrypt the information stored within your vault. Unlike centralized cloud services that utilize server-side master keys, our system generates and manages all cryptographic keys exclusively on your physical device. We act solely as the software provider, not the data custodian. Consequently, we cannot comply with data requests from third parties or government agencies regarding your specific content, as the data is mathematically inaccessible to us. This design guarantees that the privacy of your information is protected by local encryption rather than administrative promises.

2. Anonymous Access Model

We do not require account registration or the provision of personal identifiers such as email addresses or phone numbers. This model eliminates the collection of identity-linked metadata that typically accompanies modern application usage. By removing the registration layer, we ensure that there is no database entry connecting your physical identity to your vault. Your usage is entirely anonymous to us; in the event of an external security breach of our company infrastructure, no user data would be compromised because no user database exists. Your vault is a technologically isolated instance, functionally linked only to the specific hardware on which it is installed.

3. Local-First Data Residency

The application utilizes a Local-First storage architecture, meaning every file protected within the environment is written directly to the device’s internal, sandboxed storage. We do not operate or utilize remote servers for data synchronization, hosting, or external processing. This prevents the inherent risks associated with data in transit and remote residency. Your information remains within the physical boundaries of your device at all times. This approach grants you total data sovereignty; the availability and security of your information are not dependent on our server uptime or corporate longevity. If the device is offline, the data remains accessible to you via your local credentials.

4. Encryption Standards

Data security is enforced via the Advanced Encryption Standard (AES) with a 256-bit key length. This algorithm is the established global standard for the protection of classified information. Upon importation, files are transformed into unreadable ciphertext through a key derivation process utilizing cryptographic salts and your local credentials. The encryption key is never stored in a plaintext format, ensuring that even physical access to the device’s storage chips would result in the discovery of random, non-contextual data. Our implementation of AES-256 is designed to be computationally infeasible to breach with current technology, providing a robust defense against unauthorized forensic analysis.

5. Media and Content Access Protocols

To facilitate the encryption of existing assets, the application requests granular permissions to access the device’s media libraries, including photos, videos, audio files, and music. This access is managed via specialized system APIs, ensuring that we do not scan or index files that you have not explicitly selected for protection. We do not analyze metadata or generate remote thumbnails for your content. The permission acts strictly as a temporary bridge to allow the user to choose specific assets—whether they are images, recordings, or documents—for migration into the encrypted container. Once imported, the assets are placed within a secure sandbox, isolated from other applications and system processes to prevent unauthorized viewing.

6. Comprehensive File Management

The application requires permissions related to the management of files and directories on your device storage to ensure the successful execution of its core privacy functions. This level of access is necessary for the "Secure Migration" process, allowing the application to locate files in public directories, encrypt them into the vault, and subsequently execute a secure deletion of the unencrypted original. This prevents the persistence of unencrypted "data remnants" on the device storage. A full list of these technical requirements is disclosed in the app permissions section of the Google Play Store under the KiWi Vault listing. These permissions are audited to ensure they align strictly with the security functions of the vault while respecting the user's right to manage their own storage environment.

7. Data Deletion Standards

The application employs a secure wiping protocol when moving files into the vault. Standard file deletion often leaves recoverable fragments on the disk; our system targets the original file’s physical storage address to ensure the unencrypted version is effectively destroyed upon successful encryption. This minimizes the risk of data leakage through forensic recovery tools. By overwriting or utilizing system-level secure deletion commands, we ensure that the only accessible version of your file is the encrypted one residing within the vault. This process is essential for maintaining the integrity of the secure environment and ensuring that "deleted" public files cannot be easily recovered.

8. Hardware and Camera Interaction

We utilize the device's camera and video hardware to provide advanced security features, such as capturing media directly into the vault and supporting the "intruder detection" functionality. These features allow the application to capture images or video clips locally if unauthorized access attempts are detected. Content captured through this interface bypasses the system gallery and public folders entirely, ensuring that sensitive captures are never synced to third-party cloud services. Furthermore, all media captured via the in-app hardware interface is encrypted immediately upon creation, maintaining a consistent security chain from the lens to the encrypted storage container.

9. Biometric and Fingerprint Hardware

We integrate with native system Biometric and Fingerprint hardware to provide secure and convenient access to your vault. The application does not interact with, store, or transmit your actual biometric templates. Instead, we utilize standard hardware-level protocols that return a secure confirmation from the device’s trusted execution environment regarding the success of an authentication attempt. This ensures your biometric identity remains restricted to your local hardware and is never accessible to our team or any external network. The use of this hardware is optional and can be managed through the application’s security settings.

10. Network Connectivity and Service Verification

The application requires network access solely for administrative and functional purposes managed through Google Play Services. This includes "Full Network Access" and the ability to "View Network Connections" strictly to facilitate Google Play Billing and the Google Play License Check. These interactions are necessary to verify premium subscriptions, process lifetime license purchases, and ensure the application receives critical security updates. We do not use this connectivity to transmit your vaulted data or track your behavior. Outside of these specific license and update checks, the core vault functionality remains entirely offline to preserve your privacy.

11. Account Recovery Mechanisms

Due to our Zero-Knowledge architecture, we do not maintain a server-side password reset functionality. We provide a local recovery option via Security Questions. If configured, the answers are hashed and stored locally on the device. This represents the sole method of regaining access to the vault should the primary credentials be forgotten. We advise users to select answers that are non-obvious to third parties but easily recallable, as we cannot assist in the recovery of lost local hashes.

12. Access Limitations

If you do not configure Security Questions and subsequently lose your PIN or Pattern, your data will become permanently inaccessible. We cannot bypass or "break" the local encryption to restore access, as we do not possess the underlying keys. This limitation is a fundamental security requirement; if a recovery backdoor existed for us, it would also exist for potential attackers. Users must accept the responsibility of maintaining their credentials or recovery questions.

13. Cloud Interaction Policy

The application does not perform automated backups to any third-party cloud provider. This policy is in place to prevent the exposure of encrypted data to external servers where it could be subject to unauthorized access, subpoenas, or data breaches. Users are responsible for the physical backup of their device. We prioritize the avoidance of cloud-based vulnerabilities, ensuring that your data residency remains strictly local.

14. Subscription and Billing

Premium features are provided via a subscription model. All financial transactions are processed exclusively through Google Play Billing. We do not collect or store credit card numbers, billing addresses, or legal names. We receive only an anonymized transaction token to verify license status. Your financial information is managed by the app store provider, ensuring that your banking details remain isolated from our internal systems.

15. Third-Party Analytics

We do not utilize third-party analytics SDKs, such as Firebase Analytics or Google Analytics. We do not track session duration, screen navigation, or feature engagement. Our development priorities are driven by security audits rather than user behavior metrics. This ensures that no telemetry data regarding your usage patterns is ever generated or transmitted to external servers.

16. Diagnostic Data Collection

The application does not automatically collect or transmit crash logs or diagnostic reports. Technical issues must be reported manually to our support team. This ensures that no device metadata is sent to us without your explicit consent and action. Information provided during support interactions is used solely for the resolution of the reported technical issue and is not retained for marketing purposes.

17. Data Portability

Users retain the right to export their data at any time. We provide a bulk decryption feature that restores files to the device’s public gallery in their original format. We do not utilize proprietary file formats that "lock" your data into our ecosystem. You maintain the absolute right to migrate your assets out of the secure container whenever you choose.

18. Regulatory Compliance

KiWi Vault is designed to exceed the requirements of global privacy regulations, including GDPR, CCPA, and PECA. By adhering to a data minimization strategy, we ensure that the only data collected is the absolute minimum required for license verification. Your rights to access, rectification, and erasure are exercised directly through your management of the application on your hardware.

19. Liability Disclaimer

We function as a provider of encryption tools and are not a data custodian. We are not responsible for data loss resulting from forgotten credentials, failure to set recovery questions, device hardware failure, or the accidental uninstallation of the application. The user assumes all risk associated with the management of their local storage and authentication security.

20. Contact Information

For security disclosures, technical inquiries, or policy clarifications, please contact the engineering team:

  • Email: Nascentra@gmail.com
  • WhatsApp/Support: +92 347 7419855
  • Web: nascentra.com