Privacy Policy
The Vilkax Privacy Policy is the canonical contract on what we collect, why, how long we keep it, and your rights under GDPR, CCPA, and the local data-protection laws that apply.
What we collect
- Account email - the only field required to use Vilkax. Stored case-insensitive, hash-indexed (SHA-256) for query, and AES-256-GCM encrypted at rest.
- Phone number - only if you choose to enrol one (smart 2FA fallback, SMS scam scanning on Pro+). Stored as a SHA-256 hash in our hot indexes; the raw number is held encrypted.
- Crypto wallet addresses - only the addresses you explicitly register. Public on-chain data we monitor against threat-intel feeds. Never your private keys.
- Postal address - only if you choose to provide one for shipping rewards or compliance KYC.
- Threat metadata - for messages you forward / share to Vilkax for scanning, we keep the verdict (kind, category, risk_score, severity) but discard the raw body after the scan completes.
- Device fingerprint - OS, browser, hashed UA, last-seen timestamp. Used by smart 2FA to detect anomalous sign-ins.
- Device, network & protection signals (opt-in, per-purpose) - to protect you, the apps can collect security signals and send them to us. Each is gated by its own consent toggle in the Privacy Center, is off until you turn it on, and is minimised / hashed before it leaves your device. We never collect a raw process list or your browsing history. What this covers:
  - Device security posture - whether the device is rooted / jailbroken, has developer mode or USB debugging on, is disk-encrypted, and its OS version. Used to warn you about a compromised device and to weight its signals. Consent key: background_service.
  - Device identifier - a per-app, vendor-supplied id (on iOS, the IDFV) stored only as a salted SHA-256 hash, used to compute and remember a device's trust score. The raw id never lands at rest. Consent key: background_service.
  - Network posture - the connection type, whether a VPN is active, and whether the Wi-Fi is open / unencrypted. The Wi-Fi network name (SSID) is hashed on the device first; the raw SSID never leaves the device. Consent key: network_scan.
  - App-usage and interaction signals (Android, opt-in) - the foreground time of your top apps (package names only, never app content) to spot a remote-control app active during a scam session, plus in-app interaction events (searches, taps) for product analytics. Consent key: app_usage.
  - Message / SMS threat verdicts - message text is classified for scams on the device; only the verdict (kind, category, risk score) is uploaded and the raw body is discarded after the scan. Consent keys: sms / notifications.
  /api/risk/v2/signals, /api/intake/unified-signal, /api/signals/v1/*) checks your persisted consent and drops it. Signal rows are retained per region (EU 90 days / other regions 180 days) and are deleted when you delete your account (see Erasure below).
- Coarse location (country) - your country code, derived server-side from the request, used for geo-anomaly sign-in detection. No GPS, no precise location, no location permission is requested for this.
- Audit log - every state-changing action you take, with actor, target, IP, and timestamp. Hash-chained so tampering is detectable.
- Hearth journal entries (opt-in only) - when you write in Hearth, the text is AES-256-GCM encrypted at rest with a key we rotate. A redacted (no-names, no-numbers) copy lives alongside it solely so a future export gives you readable data. We never train models on your entries; the safety classifier is pattern-based and runs in code, not in an LLM.
- KIN location pings (opt-in only, per circle) - when you share live location to a trusted circle, we store latitude/longitude rounded to 6 decimals, GPS accuracy, speed, battery level, and an approximate city derived from the request. Pings live for a maximum of 24 hours, then are pruned automatically. Visibility is per-member-per-circle and respects your share settings (precise / approximate / paused) on every read.
What we do NOT collect
- The contents of your inbox, messaging apps, or files. The desktop agent reports event metadata only.
- Your private keys, seed phrases, or wallet recovery material. Ever.
- Precise geolocation outside of KIN circles you explicitly opt into. Account telemetry stores country code only.
- KIN location history beyond 24 hours. Pings older than that are deleted by a daily sweep.
- Cross-site browsing behavior. We don't run trackers; fonts are self-hosted, so the only third-party load on the marketing site is Cloudflare Turnstile (the captcha).
- Behavioral data for advertising. Vilkax has no ads business.
- Public maps of users. KIN circles are isolated by design - no discovery, no global map, no shared visibility.
Your rights
- Access - Settings → "Export my data" gives you a single JSON bundle of every record we hold for you (sessions, devices, security events, Hearth entries in redacted form, subscription history). Self-service, instant.
- Rectification - fix wrong data via the app's Settings page or through our contact form.
- Erasure - Settings → "Schedule account deletion" deactivates your account immediately: it is frozen so no one can sign in, and all your active sessions are revoked on the spot. It is then scheduled for permanent deletion after a 30-day grace window, during which you can cancel and restore it. After the window, a scheduled purge removes your account record and the personal data linked to it - including the device, network and protection signal / telemetry rows we hold against your account. Some records are removed on different timelines where the law requires us to keep them longer (for example billing and security-audit records), and anonymous, aggregate data that carries no identifier and cannot be tied back to you may be retained. If you want confirmation that a specific erasure has completed, contact our privacy team.
- Portability - the JSON export is machine-readable for moving to another provider.
- Explanation - every automated decision (threat score, AI tier, anomaly flag, KIN ETA) is logged with its inputs. You can request the row that drove any specific call.
- Revoke at any time - pause KIN sharing globally or per-circle, revoke individual sessions or devices, disable 2FA, leave a circle, all from the Settings or Security Center page.
Automated decisions and profiling (EU AI Act Art. 50 & GDPR Art. 22)
Vilkax uses AI and machine-learning models to generate risk scores, anomaly flags, and threat classifications for users and their accounts. These scores may affect which features are available to you (alert priority, protective tier gates, or escalation routing). No automated decision produces a legal effect or similarly significant impact without the right to human review. Our legal basis for this profiling is Art. 6(1)(b) GDPR (performance of a contract: the core protection service you signed up for) and Art. 6(1)(f) GDPR (legitimate interest in detecting and preventing fraud and account-level threats).
Your rights regarding automated decisions: you can request an explanation of any specific risk score or automated action affecting your account through our contact form. You can also request human review of any decision you consider to have produced an unjust outcome. Every automated decision is logged with its inputs (see the "Explanation" right above).
Where data lives
Account data is stored in a primary region. Edge caches hold only public, anonymous data (marketing pages, public state aggregates). Specific region details are documented in the Sub-processors section of our DPA, available on request.
Contact
Privacy questions: contact our privacy team.
To reach our data protection officer, contact us and select the privacy topic.
Security disclosures: /.well-known/security.txt
Last updated: 2026-06-09 · Version v3 (disclosed device / network / app-usage protection signals, their consent gating, retention, and confirmed signal-data erasure on account deletion)