Privacy policy

OC Vault is designed so that OrangeCheck cannot read your data. Encryption and decryption happen in your browser. What OrangeCheck stores is an opaque, double-encrypted blob with no readable item names, types, or contents.

• identity addressthe Bitcoin address you sign in with — public on-chain already; no email, no name
• payment recordsfor paid tiers: the Lightning invoice id, sats paid, tier, and entitlement expiry. No card number, no billing address
• encrypted blobsopaque ciphertext keyed to your identity address — OrangeCheck cannot decrypt it
• access tokensfor developer / CLI / CI access: an SHA-256 hash of each token, an optional label, the granted scope (read or read-write), creation / last-used / optional expiry timestamps. We never store the token itself — only its hash.
• technical dataIP address and request metadata, for security and rate limiting

• >>The contents of any vault item
• >>The names, titles, or types of your items
• >>How many items you store or how often you use them
• >>Your vault key or any recovery material
• >>Your access tokens (only the SHA-256 hash is stored)
• >>Which sites the browser extension autofilled on — origin matching happens locally in your browser

The same encrypted vault is reachable from three surfaces. The zero-knowledge guarantee — that OrangeCheck only ever holds ciphertext — applies to all of them.

browser extension (OC Vault for Chromium / Firefox)

The extension fetches the same encrypted blobs the web app does, caches them as ciphertext in browser-extension storage, and decrypts in the service worker only after you enter your passphrase. The vault key lives in memory and a RAM-only storage.session slot — it is never written to disk. The content script that offers autofill receives one entry's field values at fill time and nothing else; it never receives the vault key or the entry index. The extension talks only to your own vault.ochk.io account: no analytics, no telemetry, no remote code.

developer platform — access tokens, CLI, SDK, GitHub Action

For headless access (oc-vault CLI, the @orangecheck/vault-core SDK, CI / GitHub Actions), you may mint access tokens at vault.ochk.io/vault/developer. A token authorizes transport only — it lets the caller fetch your encrypted blobs and the passphrase-wrapped escrow, and (for tokens minted with a write scope) write new ciphertext. A token carries no key material: a leaked token yields only ciphertext, the same thing the server already holds. The passphrase still performs decryption in your local process and is never transmitted. We store only the SHA-256 hash of each token; tokens can be revoked at any time from the same page.

Essential cookies only, plus a theme preference. Page analytics use Plausible — cookie-free, no PII, aggregate only. No advertising or tracking cookies.

• encrypted blobsretained while your account is active; deleted on account deletion
• payment recordsretained as required for accounting and entitlement verification
• technical logsretained 90 days, then auto-deleted

Client-side AES-256-GCM encryption, HTTPS in transit, and a server that only ever holds ciphertext. No method of storage is perfectly secure — we use reasonable measures but do not warrant security; see the Terms of Service. Because of the encryption design, a compromise of OrangeCheck infrastructure exposes ciphertext, not your secrets.

• access & portabilityrequest a copy of your personal information in a machine-readable format
• correctionrequest correction of inaccurate or incomplete information
• deletionrequest deletion of personal information we hold (data published to public networks cannot be deleted by us — see retention)
• objectionobject to or restrict processing in certain circumstances
• withdraw consentwithdraw consent where consent is the legal basis for processing

To exercise any right, email hello@ochk.io. We respond within 30 days.

OrangeCheck is operated from the United States. If you access OC Vault from elsewhere, your information may be transferred to, stored, and processed in the US or other countries where our service providers operate. For users in the EEA, UK, or Switzerland, we rely on appropriate safeguards for international transfers.

california (ccpa / cpra)

• >>Right to know the categories of personal information collected
• >>Right to delete and to correct your personal information
• >>Right to opt out of sale or sharing — we do not sell or share personal information
• >>Right to limit use of sensitive personal information — we do not collect sensitive PI as defined by the CPRA
• >>Right to non-discrimination for exercising your rights

europe (gdpr) & united kingdom (uk gdpr)

• legal basisconsent, contract performance, legitimate interests (security, abuse prevention, service improvement), and legal obligations
• your rightsaccess, rectification, erasure, restriction, portability, objection, and withdrawal of consent
• supervisory authorityright to lodge a complaint with your local EU/EEA data-protection authority, or the UK ICO
• eu/uk representativeif and when required, we will designate an Article 27 representative and publish the details here

other jurisdictions

If you reside in a jurisdiction with a comprehensive privacy law — including Brazil (LGPD), Canada (PIPEDA / Law 25), Australia, Japan (APPI), South Korea (PIPA), Switzerland (FADP), or any U.S. state privacy law — you have the equivalent rights of access, correction, deletion, portability, and objection. Email hello@ochk.io and we will honour applicable rights under the law of your residence.

OC Vault is not intended for children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have, email hello@ochk.io immediately and we will delete it.

• >>We will update the "last updated" date above
• >>For material changes, we will provide prominent notice on the website
• >>Continued use after changes constitutes acceptance