- 1. About this policy
- 2. Data we collect
- 3. Data stored on your device
- 4. Camera permission
- 5. Photo library permission
- 6. Storage & file access
- 7. Face ID / Touch ID
- 8. Subscriptions & in-app purchases
- 9. Third-party services
- 10. Network & offline behavior
- 11. Security
- 12. Children's privacy
- 13. Your rights
- 14. Deleting your data
- 15. International users
- 16. Changes to this policy
- 17. Contact us
1. About this policy
This Privacy Policy describes how 2FA AuthVault ("the app," "AuthVault") handles information when you use it on your iPhone or iPad. The app is published by Urvik Moradiya, an independent iOS developer operating as Morhover Creations (referred to below as "we," "us," or "I"), based in India.
This policy is written in plain English on purpose. If anything below is unclear, email urvikmoradiya@gmail.com and I'll explain.
2. Data we collect
Information you provide to us
None. AuthVault does not require you to create an account, log in, or supply your name, email address, phone number, date of birth, or any other personal identifier. There is no sign-up screen because there is no server-side account system.
Information collected automatically
None. We do not embed any third-party analytics, advertising, attribution, A/B testing, fingerprinting, or remote-logging frameworks inside AuthVault. The app does not silently transmit usage data, device identifiers, IP addresses, or any other information to us or anyone else.
What Apple may collect
When you download AuthVault from the App Store, Apple may collect download statistics, crash reports, and aggregate anonymous metrics through App Store Connect — independently of the app itself. This activity is governed by Apple's Privacy Policy, not by us, and we never receive personally-identifying information from it.
3. Data stored on your device
Important: All data created or imported through AuthVault is stored only on your device. Nothing is uploaded to our servers, because we do not run servers. Nothing is synced to iCloud unless iOS does so as part of standard device backups (which you control).
AuthVault stores the following items locally on your iPhone:
- Account names and labels you assign to each 2FA entry (e.g. "Gmail," "GitHub").
- 2FA secret keys (TOTP / HOTP secrets) you add by scanning a QR code or entering manually.
- Configuration values like algorithm (SHA-1 / SHA-256 / SHA-512), digit count, and refresh period.
- Your in-app preferences such as Face ID lock setting, sort order, and onboarding completion.
Sensitive items — specifically, your 2FA secret keys — are stored inside Apple's iOS Keychain, which is hardware-backed by the Secure Enclave on your device. Less-sensitive preferences are stored in the app's sandboxed local storage, which iOS isolates from other applications.
When you delete the app from your iPhone, this data is removed along with it.
4. Camera permission
AuthVault uses your device's camera for one purpose only: scanning QR codes that contain 2FA setup information.
When you tap "Scan QR Code" while adding a new 2FA account, the app opens a live camera view. The camera feed is processed entirely on your device in real time to detect and decode TOTP/HOTP setup QR codes.
What we do not do:
- We do not record video or save photos from the camera feed.
- We do not transmit any frame of camera data over the network.
- We do not access the camera in the background or when you are not actively scanning.
- We do not use the camera for face detection, scene analysis, or any purpose unrelated to QR decoding.
Once a QR code is decoded, the resulting secret is saved to Keychain (see Section 3) and the camera feed is discarded.
You can revoke camera access at any time in iOS Settings → Privacy & Security → Camera → AuthVault. The app will continue to work for all features other than QR scanning.
5. Photo library permission
If you choose to import a QR code from an image you've already saved (using "Import from Photos"), AuthVault will request access to your photo library.
- You select which photo to import — the app does not browse, index, or read any image you do not explicitly choose.
- The selected image is decoded for a QR code on-device, and the image itself is not retained or copied by AuthVault.
- No image data is uploaded to any server.
You can revoke or restrict photo access at any time in iOS Settings → Privacy & Security → Photos → AuthVault.
6. Storage & file access
AuthVault uses iOS's standard sandboxed app storage and the iOS Keychain. Specifically:
- The app does not request access to your broader file system, the Files app, iCloud Drive, or external storage providers.
- The app stores its data inside its own private sandbox container, which iOS isolates from every other app on your device.
- Sensitive cryptographic material (2FA secrets) is stored in iOS Keychain, encrypted at rest using keys protected by the Secure Enclave.
- The app does not read, write, or modify files outside of its own sandbox.
If you choose to back up or restore your iPhone using iCloud or a local Mac/PC backup, your AuthVault data may be included in that backup according to your iOS backup settings — these backups are managed by Apple and are not something we can see, touch, or access.
7. Face ID / Touch ID
AuthVault offers an optional setting to require Face ID or Touch ID before opening the app. When this is enabled:
- iOS performs the biometric match locally on your device using Apple's standard LocalAuthentication framework.
- Your biometric data (face geometry, fingerprint templates) never leaves the Secure Enclave and is never seen by AuthVault.
- The app receives only a yes/no result from iOS — never the underlying biometric.
Biometric data is governed entirely by Apple. We have no ability to access, store, or transmit it.
8. Subscriptions & in-app purchases
AuthVault may offer a paid subscription or one-time in-app purchase to unlock premium features.
How payments are handled
All payments, subscriptions, renewals, refunds, and cancellations for in-app purchases are processed entirely by Apple through your Apple ID and App Store account. We never receive, see, or store:
- Your credit card or payment method details
- Your billing address
- Your full Apple ID email or full name
- Any other financial information
Apple provides our app with a receipt — a cryptographic confirmation that a valid purchase has been made — which the app uses to unlock the corresponding feature on your device. The receipt is validated either locally or via Apple's StoreKit servers and does not contain personally-identifying details we could use to track you.
Managing your subscription
To view, change, or cancel a subscription, open the iOS Settings app → tap your name at the top → Subscriptions. You can also do this from the App Store app. Cancelling stops future charges; access to premium features remains until the end of the period you've already paid for.
Refunds
Refunds for App Store purchases are issued solely by Apple, in line with their policies. Request a refund at reportaproblem.apple.com. We are not able to issue refunds directly because we never receive your payment — Apple does, and Apple pays us a portion later.
9. Third-party services
AuthVault does not integrate any third-party SDKs that process user data. Specifically, the app does not include:
- Analytics services (Firebase Analytics, Google Analytics, Mixpanel, Amplitude, PostHog, etc.)
- Advertising networks (AdMob, Meta Audience Network, Unity Ads, AppLovin, etc.)
- Third-party crash reporting (Crashlytics, Sentry, Bugsnag, etc.)
- Attribution services (AppsFlyer, Adjust, Branch, etc.)
- Customer-support widgets or chat SDKs
- Social-login providers (Sign in with Google, Facebook, etc.)
- Any other framework that transmits user data off-device
The only first-party services involved are Apple's own iOS frameworks (Keychain, Camera, Photos, LocalAuthentication, StoreKit). Apple's role and data handling are governed by Apple's own privacy policy.
If we ever add a third-party service in a future version, we will update this policy and clearly disclose what data is shared, with whom, and why — before that version ships to the App Store.
10. Network & offline behavior
AuthVault's core functionality runs fully offline. You do not need an internet connection to:
- Generate 2FA codes
- Add accounts via QR scan or manual entry
- Search, copy, or delete accounts
- Use Face ID lock
The app may make limited network calls only for:
- Validating in-app purchase receipts with Apple's servers (StoreKit). This communication is between your device and Apple — not us.
- Linking to this Privacy Policy or Terms of Service when you tap those links inside the app, which simply opens your browser.
No 2FA secrets, account names, or personal data are ever sent over the network.
11. Security
We take the following security measures:
- Hardware-backed encryption via iOS Keychain and the Secure Enclave for all 2FA secret keys.
- Sandboxed storage isolating the app's data from every other app on your device.
- Optional Face ID / Touch ID as an additional access control layer.
- No external server that could be breached, because we don't run one.
That said, no software is perfectly secure. If you discover a security issue, please report it responsibly to urvikmoradiya@gmail.com and we will address it as quickly as possible.
You can help keep your data safe by: keeping iOS up to date, using a strong device passcode, enabling Face ID inside AuthVault, and not jailbreaking your device.
12. Children's privacy
AuthVault is not directed at children under 13 (or under the minimum digital-consent age in your country — for example, 16 in some EU member states). We do not knowingly collect personal information from children. Because we do not collect personal information from anyone, we cannot have collected it from a child.
If you believe a child has somehow provided us with personal information, contact urvikmoradiya@gmail.com and we will investigate immediately.
13. Your rights
Privacy laws including the EU GDPR, UK GDPR, California CCPA / CPRA, and India's Digital Personal Data Protection Act (DPDP) grant you certain rights over your personal data. These typically include:
- Right of access — to know what personal data is held about you
- Right of rectification — to correct inaccurate data
- Right to erasure — to have your data deleted
- Right to portability — to receive your data in a portable format
- Right to object — to object to certain processing
- Right against automated decision-making
Because AuthVault does not collect, process, or store personal data on any system we control, most of these rights have nothing to operate on from our end:
- We have no personal-data file we can hand you.
- We have no personal-data record we can correct.
- We have no personal data to delete on a server (because there's no server).
- We do not engage in profiling, automated decision-making, or selling data — now or ever.
Your local data (2FA secrets, preferences) is fully under your control on your device. You can view, modify, or delete any entry directly inside the app, and you can wipe everything by deleting the app.
If you would still like to exercise any privacy right or have a question, email urvikmoradiya@gmail.com and we will respond within 30 days.
14. Deleting your data
You can delete your data at any time, in any of these ways:
- Delete a single account — swipe on any entry inside the app and tap delete.
- Delete all accounts — open Settings inside the app and tap "Delete All Accounts" (with confirmation).
- Delete the entire app — long-press the AuthVault icon on your Home Screen and choose "Delete App." This removes every byte of AuthVault data from your device.
None of these actions require contacting us. The data is local — you remove it locally.
15. International users
AuthVault is available globally on the Apple App Store. Because we do not collect, process, or transfer personal data to any server we operate, there are no international data transfers to disclose. Your data resides where your iPhone resides — and only there.
16. Changes to this policy
If we ever change how AuthVault handles data — for instance, by adding a feature that requires a new permission or a new third-party integration — we will:
- Update this page and bump the "Last updated" date at the top.
- Increment the "Version" number for clarity.
- For meaningful changes, include an in-app notice in the affected app update.
Continued use of AuthVault after changes are posted constitutes acceptance of the updated policy. If you disagree with a change, you can stop using the app and delete it from your device.
17. Contact us
For privacy questions, data requests, security concerns, or anything else covered by this policy:
Urvik Moradiya
Morhover Creations (independent iOS developer)
Email: urvikmoradiya@gmail.com
Website: creation.morhover.com
If you reside in the European Union and feel we have not adequately addressed a privacy concern, you have the right to lodge a complaint with your national Data Protection Authority. If you reside in India, you may approach the Data Protection Board under the DPDP Act.
This Privacy Policy is provided in English. Where it is translated into another language, the English version controls in case of discrepancy.