Privacy Policy

Effective date: April 28, 2026  ·  Last updated: April 28, 2026

Table of Contents
  1. Overview & Our Privacy Commitment
  2. Offline Mode vs. Registered Account
  3. Information We Collect
  4. How Your Data Is Encrypted
  5. AI & LLM Processing
  6. How We Share Information
  7. Data Storage & Retention
  8. Your Rights & Controls
  8b. Camera Permission
  9. Children's Privacy
  10. Changes to This Policy
  11. Contact Us

1. Overview & Our Privacy Commitment

Core principle: Infolio is designed so that we are mathematically unable to read your documents. Your Vault Password never leaves your device. Only encrypted blobs and encrypted keys are stored on our servers.

Infolio ("we", "our", or "us") is an end-to-end encrypted personal document archive application available on iOS and Android. This Privacy Policy describes what information we collect, how we use it, and the choices you have.

Because Infolio uses a zero-knowledge encryption architecture, the privacy protections described in this policy are enforced cryptographically — not just by policy.

2. Offline Mode vs. Registered Account

Infolio operates in two distinct modes with very different privacy profiles:

Offline Mode (No Account)

You can use Infolio without registering or providing any personal information. In this mode:

  • All data is stored exclusively on your device.
  • No account is created and no data is sent to our servers.
  • No personal information is collected by us.
  • If you use the platform's free LLM quota, only the processed text (not original files) is sent to our LLM proxy, and only to process the specific document you submit.

Registered Account Mode

When you register with Apple Sign-In (iOS) or Google Sign-In (Android), additional data is collected to provide cloud synchronization and key management. See Section 3 for details.

3. Information We Collect

3.1 Account Information (Registered Users Only)

  • OAuth identity: An opaque OAuth subject identifier (oauth_sub) and provider name (Apple or Google) received from the OAuth provider during sign-in. We do not store your Apple Relay email or Google email unless Google shares it as part of the token scope.
  • Encrypted Master Key (EMK): An AES-256-GCM encrypted version of your Master Key, encrypted by a Key Encryption Key derived from your Vault Password on your device. We cannot decrypt this.
  • Argon2 salt: A random salt used for key derivation, stored alongside EMK.
  • Password hint (optional): A plain-text reminder phrase you choose to set. This is not your password. Stored so you can retrieve it if you forget your Vault Password.
  • JWT and refresh tokens: Session tokens used to authenticate API requests. Refresh tokens are stored on your device's Keychain / Keystore.

3.2 Document Metadata (Registered Users Only)

When you archive a document, the following metadata may be stored server-side:

  • Document identifier (UUID), creation and modification timestamps.
  • Encrypted Document Encryption Key (EDEK) — encrypted with your Space Key, which is itself encrypted. We cannot decrypt document keys.
  • File size and MIME type of the encrypted blob.
  • The encrypted blob itself, stored in Cloudflare R2 object storage.

We do not store document titles, tags, extracted text, or any content that would allow us to identify what a document contains. All searchable content lives exclusively in the encrypted SQLCipher database on your device.

3.3 Technical & Diagnostic Data

  • Standard web server access logs (IP address, timestamp, HTTP method, response code) with a maximum retention of 30 days.
  • Crash reports may be collected via platform-provided mechanisms (Apple / Google crash reporting). These do not include document contents.

3.4 Data We Do Not Collect

  • Document content, extracted text, or search queries — these never leave your device.
  • Your Vault Password or any key derivation input.
  • Camera images or scanned documents in plaintext.
  • Location data.
  • Advertising identifiers.
  • Any data in Offline Mode.

4. How Your Data Is Encrypted

Zero-Knowledge Architecture: Your Vault Password is used to derive a Key Encryption Key (KEK) using Argon2id on your device. The KEK encrypts your Master Key (MK). The MK wraps a per-Space Space Key (SK). Each document's unique Document Encryption Key (DEK) is encrypted by the SK. Only encrypted keys ever reach our servers.

The key hierarchy is as follows:

  • KEK — Derived from Vault Password using Argon2id (3 iterations, 64 MB memory). Never stored anywhere.
  • MK (Master Key) — Random 256-bit key generated on your device. Stored encrypted (EMK) on our servers. Stored plaintext only in your device's secure enclave (Keychain / Keystore).
  • SK (Space Key) — Random 256-bit key per Space. Stored encrypted (ESK) on our servers.
  • DEK (Document Encryption Key) — Random 256-bit key per document. Stored encrypted (EDEK) on our servers.

All encryption uses AES-256-GCM with unique IVs per encryption operation. Transport uses TLS 1.3. Local database uses SQLCipher (AES-256).
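The key hierarchy described in this section, traced end to end as an added worked example (this is illustrative code, not Infolio's own implementation). It shows what a device keeps, what the server record contains, and why that record alone does not yield a document. Two stand-ins are used so it runs with only the Python standard library: hashlib.scrypt in place of Argon2id, and an HMAC-SHA256 counter-mode AEAD with the same interface as AES-256-GCM (random nonce, associated data, tamper detection) in place of the real cipher. The record field names, the AAD labels and the sample password and document are constructed assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32    # 256-bit keys, as in the policy
NONCE_LEN = 12  # fresh random nonce per seal ("unique IVs per encryption operation")
TAG_LEN = 16


def derive_kek(vault_password: str, salt: bytes) -> bytes:
    """KEK from the Vault Password. Stand-in: scrypt, because the standard library
    has no Argon2id (the policy states Argon2id, 3 iterations, 64 MB)."""
    return hashlib.scrypt(vault_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys for the stand-in AEAD.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Stand-in for AES-256-GCM: keystream XOR plus HMAC tag over nonce, AAD and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def aead_open(key: bytes, sealed: bytes, aad: bytes) -> bytes:
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(vault_password: str) -> tuple:
    """Device-side enrolment. Returns (record the server stores, plaintext MK that stays
    in the device Keychain/Keystore). The KEK is a local variable and is never stored."""
    salt = secrets.token_bytes(16)
    kek = derive_kek(vault_password, salt)
    mk, sk = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    server_record = {
        "argon2_salt": salt,                 # stored alongside EMK (Section 3.1)
        "emk": aead_seal(kek, mk, b"EMK"),   # Encrypted Master Key
        "esk": aead_seal(mk, sk, b"ESK"),    # Encrypted Space Key
        "documents": {},
    }
    return server_record, mk


def archive_document(server_record: dict, mk: bytes, doc_id: str, plaintext: bytes) -> None:
    """Device-side: fresh DEK per document, wrapped by SK; the blob is sealed under the DEK."""
    sk = aead_open(mk, server_record["esk"], b"ESK")
    dek = secrets.token_bytes(KEY_LEN)
    server_record["documents"][doc_id] = {
        "edek": aead_seal(sk, dek, doc_id.encode()),
        "blob": aead_seal(dek, plaintext, doc_id.encode()),
    }


def unlock_and_read(server_record: dict, vault_password: str, doc_id: str) -> bytes:
    """Full unwrap chain on a fresh device: password -> KEK -> MK -> SK -> DEK -> document."""
    kek = derive_kek(vault_password, server_record["argon2_salt"])
    mk = aead_open(kek, server_record["emk"], b"EMK")
    sk = aead_open(mk, server_record["esk"], b"ESK")
    doc = server_record["documents"][doc_id]
    dek = aead_open(sk, doc["edek"], doc_id.encode())
    return aead_open(dek, doc["blob"], doc_id.encode())


def server_holds_plaintext(server_record: dict, *needles: bytes) -> bool:
    """Server-side check: does anything in the stored record contain these bytes?"""
    stored = [server_record["argon2_salt"], server_record["emk"], server_record["esk"]]
    for doc in server_record["documents"].values():
        stored += [doc["edek"], doc["blob"]]
    return any(n in s for n in needles for s in stored)


def run_demo() -> dict:
    password = "correct horse battery staple"  # constructed sample, not a real credential
    server_record, mk = enroll(password)
    archive_document(server_record, mk, "doc-1", b"Constructed sample: invoice #42")
    result = {"roundtrip": unlock_and_read(server_record, password, "doc-1"),
              "leaks": server_holds_plaintext(server_record, b"invoice #42", mk)}
    try:
        unlock_and_read(server_record, "not the vault password", "doc-1")
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    return result


if __name__ == "__main__":
    print(run_demo())
```

The property worth checking is the one the policy relies on: the server record contains the salt and three wrapped keys plus sealed blobs, and a wrong password fails at the first unwrap (EMK) because the AEAD tag does not verify, so nothing further down the chain is reachable. Account deletion in Section 7 corresponds to discarding this record; the device-held MK alone cannot recover it.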

5. AI & LLM Processing

Infolio uses Large Language Models (LLMs) to extract structured content from your documents. We offer three processing modes:

  • Mode A (Multimodal Direct): The original file (image or PDF) is sent to an LLM API for processing. This mode sends file content to an external AI service.
  • Mode B (OCR then LLM): On-device OCR extracts text first. Only the extracted text is sent to an LLM API. The original file never leaves your device.
  • Mode C (Fully Offline): On-device OCR combined with a locally running LLM (e.g., Ollama). No data leaves your device.

When data is sent to an LLM API (Modes A or B):

  • If you use our platform LLM quota, requests are proxied through our servers to our LLM provider. We do not log document content. Requests are subject to our LLM provider's privacy policy.
  • If you use your own BYOK (Bring Your Own Key), requests go directly from your device to the LLM provider of your choice. We are not involved in that data flow.

We do not use your documents to train AI models.

6. How We Share Information

We do not sell your personal information. We share information only in the following limited circumstances:

  • Cloud infrastructure: Encrypted blobs are stored in Cloudflare R2. Cloudflare processes data as a data processor under our instructions. Cloudflare cannot decrypt your content.
  • LLM providers: When you use platform LLM quota in Mode A or B, document content (as defined in Section 5) is shared with our LLM provider solely to perform the processing you requested.
  • OAuth providers: Apple and Google receive no document data. We only receive an identity token from them during sign-in.
  • Legal requirements: We may disclose information where required by applicable law, regulation, or valid legal process. Because of our encryption architecture, we can only provide encrypted blobs and encrypted keys — which are meaningless without your Vault Password.

7. Data Storage & Retention

Server-side data (registered users) is retained for as long as your account exists. You may delete your account at any time through the app settings, which will permanently erase all server-side data associated with your account including all encrypted blobs, EMK, and Space Keys.

Local data on your device is controlled by you and is not deleted by account deletion. To remove local data, use the "Delete All Local Data" function in app settings.

Server access logs are retained for a maximum of 30 days.

8. Your Rights & Controls

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of data we hold about you.
  • Deletion: Delete your account and all associated server-side data via app settings.
  • Portability: Export all your original files at any time using the "Export My Data" function, which produces a ZIP archive of all your documents.
  • Rectification: Update your password hint or account details in settings.
  • Objection / Restriction: Contact us to object to or restrict processing of your data.

For EU/EEA residents, these rights are provided under the General Data Protection Regulation (GDPR). For California residents, these rights are provided under the California Consumer Privacy Act (CCPA).

To exercise your rights, contact us at the address in Section 11.

8b. Camera Permission

Camera access is used exclusively for document scanning within the app. Infolio does not record video, stream camera output, or transmit images to any server without your explicit action to import a document.

Infolio requests access to your device camera (android.permission.CAMERA on Android; NSCameraUsageDescription on iOS) for the following purpose only:

  • Document scanning: Capturing a photo of a physical document (e.g., a receipt, contract, or ID) so it can be imported into your encrypted archive. On Android this uses the ML Kit Document Scanner API; on iOS it uses VisionKit's VNDocumentCameraViewController.

Camera access is not used for:

  • Facial recognition, biometrics, or user identification (biometric unlock uses the OS-provided Face ID / fingerprint APIs, which never expose raw camera data to the app).
  • Continuous background recording or monitoring.
  • Advertising, analytics, or any purpose unrelated to document capture.

Photos taken through the in-app scanner are stored only temporarily in the data/cam/ directory inside the app's private Documents folder. Immediately after capture, the image is encrypted with your vault key and ingested into your encrypted archive — the plaintext original in data/cam/ is then deleted automatically. Under normal operation no unencrypted scan remains on disk after import completes. This directory is only accessible to Infolio and is not shared with other apps. Any residual files (e.g. from an interrupted import) can be cleared manually via Settings → Clear Cache.

Camera permission is requested only when you actively initiate a document scan. You may deny or revoke camera permission at any time in your device Settings; doing so will only disable the scan feature — all other app functionality remains available.

9. Children's Privacy

Infolio is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will promptly delete it. If you believe your child has provided us with personal information, please contact us.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app or by updating the "Last updated" date at the top of this document. Continued use of Infolio after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: