Privacy Policy

1. Who We Are

Mason's Vault (masonsvault.us / masonsvault.app) is a firearm law compliance platform created by Aldo Barraza, a U.S. military veteran based in Centreville, Virginia. Contact: privacy@masonsvault.us

2. What We Collect

Local Storage mode (no account): Nothing. Your firearm inventory never leaves your device. We have no access to it.

Cloud Sync account: Your email address for authentication, and an encrypted blob of your vault data — encrypted client-side with AES-256-GCM before transmission. We store only ciphertext. We cannot decrypt it. Unencrypted metadata stored: firearm count and magazine count (integers only, for sync).

Law alert subscribers: Email address and optionally your state. Managed via ConvertKit. Unsubscribe anytime.

Server logs: Standard web logs (IP address, browser type, pages visited) retained for 30 days via Netlify hosting.

3. What We Cannot Read

Your vault — firearm inventory, serial numbers, acquisition records, magazine data, documentation checklists — is encrypted client-side before reaching our servers. The key is derived from your password using PBKDF2 (310,000 iterations, SHA-256). We store only the encrypted output. We cannot read your vault. A court order or data breach cannot expose your firearm inventory — only unreadable ciphertext exists on our servers.

4. What We Do Not Do

• We do not sell your data. Ever.
• We do not run advertising or tracking pixels.
• We do not share your information with third parties except to operate the service (Supabase for auth/storage, ConvertKit for email — both under data processing agreements).
• We do not use your data to train AI models.
• We do not retain deleted data beyond 30 days.

5. Third-Party Services

• Supabase (supabase.com) — Authentication and encrypted storage. SOC 2 Type II certified. US-East region.
• ConvertKit / Kit (kit.com) — Email list for law alerts. Unsubscribe anytime via link in any email.
• Netlify — Website hosting. Standard server logs, 30-day retention.
• Google Fonts — Font delivery via Google CDN.
• Anthropic Claude API — Used in the AI Law Entry Tool (admin only). No user vault data is sent to this API.

6. Password & Encryption Notice

Because vault data is encrypted with a key derived from your password, we cannot reset your password or recover vault data if you forget it. This is intentional — it means no one, including us, can access your firearm records. Store your password in a password manager. If lost, cloud vault data is unrecoverable (local device copy remains accessible).

7. Your Rights

• Access: Email privacy@masonsvault.us to request any data we hold about you.
• Deletion: Delete your account in profile settings or email us. Encrypted vault data deleted within 30 days.
• Unsubscribe: Any law alert email has an unsubscribe link.
• Portability: Export your vault anytime as JSON from My Vault → Export Backup.

8. Law Enforcement Requests

If we receive valid legal process (subpoena, court order) we will respond as required by law. However, because vault data is encrypted and we do not hold the decryption key, we cannot produce the contents of your firearm inventory in response to any legal process. We can only produce encrypted ciphertext, your email address, and item count metadata. We will notify you of legal requests unless prohibited by court order.

9. Children

Mason's Vault is not directed to persons under 18. We do not knowingly collect information from minors.

10. Changes

Material changes will be posted here with an updated date. Law alert subscribers will be notified by email of significant changes.

11. Contact

Privacy questions: privacy@masonsvault.us
Mason's Vault · masonsvault.us · Centreville, Virginia