Privacy Policy — NextVault by ThingSmart

Privacy Policy

NextVault is designed around a simple principle: your credentials never leave your device. This policy explains what little data we do handle — and how we protect it.

🏢 Thingsmart Limited
📅 Last updated: 2 March 2026
📱 App: NextVault v2.0.0
🇬🇧 UK GDPR Compliant

01 · Who We Are

Thingsmart Limited (“we”, “us”, “our”) operates the website https://thingsmart.co and publishes the NextVault Android application (package ID: app.nextvault).

We are a UK-based technology consultancy providing digital services including web development, automation, ERP implementation, IoT solutions, and infrastructure consulting for SMEs. NextVault is a free Android password manager published by Thingsmart Limited.

For the purposes of UK data protection law, we are the Data Controller of any personal data we process in connection with our website and services.

📬 Questions about this Privacy Policy?
Contact us at in**@********rt.co
Thingsmart Limited · United Kingdom

02 · What Data We Collect

A. NextVault App — Your Credential Data

NextVault is architected so that all credential data remains exclusively on your device. The app stores the following in a SQLCipher-encrypted local database (mysecrets_encrypted.db) — this data is never transmitted to Thingsmart or any third party:

  • Login credentials (usernames, passwords, URLs)
  • Banking and card details (account numbers, PINs, sort codes, CVVs)
  • Personal identification data (passport, national insurance, dates of birth)
  • TOTP/OTP authenticator secrets (Base32 seeds, otpauth:// URIs)
  • WiFi credentials, SIM PINs, subscription details
  • Secret notes and document photos (stored in private app-internal storage)
  • Collections, category names, and vault structure
  • Security audit log entries (event type, timestamp, detail — local only)

B. Data Processed Outside Your Device

NextVault makes three outbound network requests, all privacy-preserving by design:

  • Favicon fetching — When you save a record with a URL field, the app requests a favicon from https://www.google.com/s2/favicons?domain=<domain>&sz=32. Only the domain name is transmitted; no credentials are included. Favicons are cached locally in app_Images/.
  • Password breach checking (HIBP) — The Password Health dashboard optionally checks your passwords against the HaveIBeenPwned API using k-anonymity: only the first 5 characters of a SHA-1 hash are sent. Your actual passwords are mathematically impossible to reconstruct from this data.
  • Google Maps directions — When viewing an Address record, tapping “Get Directions” opens https://www.google.com/maps/dir/?api=1&destination=<address> in your device’s browser or Maps app. Only the address text you have stored is transmitted. This request is user-initiated and subject to Google’s own privacy policy. The “Get Current Address” feature uses your device’s GPS via Android’s FusedLocationProviderClient to fill address fields locally — no location data is sent to Thingsmart.
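
The k-anonymity range query described in the breach-checking item above, sketched in Python as an added illustration. This is not NextVault's code: the endpoint shown is the public HaveIBeenPwned range API, the response body and its counts are constructed, and no network request is made.

```python
import hashlib

# Public HIBP range endpoint (assumption: the policy names the service, not the URL).
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): 5 hex chars that are sent, 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def request_url(password: str) -> str:
    """Build the request; the prefix is the only password-derived value in it."""
    prefix, _ = split_hash(password)
    return RANGE_URL.format(prefix=prefix)


def breach_count(password: str, range_body: str) -> int:
    """Compare the locally held suffix with the 'SUFFIX:COUNT' rows returned."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            # A count of 0 marks a padding row (returned when the client
            # opts in to response padding), so it reports "not breached".
            return int(count)
    return 0


def sample_range_body() -> str:
    """Constructed response for the prefix of the sample password 'password'."""
    _, suffix = split_hash("password")
    return "\r\n".join([
        "0" * 35 + ":3",    # constructed, unrelated suffix
        f"{suffix}:42",     # constructed count for the sample password
        "F" * 35 + ":0",    # constructed padding-style row
    ])


if __name__ == "__main__":
    print(request_url("password"))
    print(breach_count("password", sample_range_body()))
```

The suffix comparison happens on the device, so the service sees the same request for every password whose hash shares that prefix.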

C. Information You Provide via Our Website

When you visit https://thingsmart.co or contact us, we may collect:

  • Name, email address, phone number, company name
  • Message content submitted via contact forms or quote requests

D. Automatically Collected Website Data

  • IP address, browser type and version, device information
  • Pages visited, time spent, referring website
  • Cookies and analytics tracking technologies

03 · Lawful Basis for Processing (UK GDPR Article 6)

We process personal data under the following lawful bases:

  • Consent — When you submit a contact form or opt in to marketing communications.
  • Contractual necessity — When processing is necessary to provide services you have requested.
  • Legitimate interest — To improve our website, prevent fraud, and operate our business efficiently.
  • Legal obligation — When required to comply with UK law.
📱 Note on NextVault app data: All credential data processed by the NextVault app is stored exclusively on your device and encrypted with keys derived from your master password. Thingsmart Limited has no access to this data and therefore does not act as a data controller or processor for your vault contents.

04 · How We Use Your Data

We use information collected via our website and services to:

  • Respond to enquiries and provide quotes and services
  • Communicate about ongoing projects
  • Improve our website and services
  • Send marketing communications (only if you opt in)
  • Comply with legal obligations

The NextVault app processes your credential data solely on your device. All encryption, decryption, search, and export operations are performed locally. The only outbound requests are favicon fetching (domain only, no credentials), the optional HIBP breach check (k-anonymity, no plaintext passwords), and user-initiated Google Maps directions (address text only, opened in your browser).

🚫 We do not sell personal data to third parties. NextVault contains no advertising, no analytics SDK, and no telemetry.

05 · Cookies & Tracking Technologies

Our website thingsmart.co may use cookies and similar technologies to:

  • Analyse website traffic (e.g. Google Analytics)
  • Improve user experience and remember preferences

A cookie consent banner is displayed on the website allowing you to opt in to non-essential cookies before they are set. You can also manage cookies via your browser settings at any time.

📱 NextVault app: The app does not use cookies, advertising SDKs, analytics libraries, or any form of tracking. It requests only the permissions required for its stated functionality: CAMERA (document photos), ACCESS_FINE_LOCATION (address auto-fill only), INTERNET + ACCESS_NETWORK_STATE (favicon fetching, HIBP breach check, and Google Maps directions), and USE_BIOMETRIC.

06 · Data Sharing

We may share website and business enquiry data with trusted third-party service providers, including:

  • Website hosting providers
  • Email service providers
  • CRM systems
  • Analytics providers (Google Analytics)

All third parties are required to protect your data and process it only in accordance with applicable UK data protection laws.

🏪 Google Play Store: NextVault is distributed via Google Play. When you download, install, or review the app, Google processes data in accordance with Google’s Privacy Policy. This includes install and update data, crash reports submitted through Play, and any reviews you post. Thingsmart has no access to individual user identities from Google Play installs.
📱 NextVault app vault data is never shared. Your vault contents are encrypted on-device with keys derived from your master password. We have no technical capability to access, read, or share your credentials — even if compelled to do so.

07 · International Transfers

If we transfer personal data outside the UK or EEA in the course of our website or business operations, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreement (IDTA)
  • Standard Contractual Clauses (SCCs)

NextVault app data does not leave your device and is therefore not subject to international transfer considerations.

08 · Data Retention

We retain personal data only for as long as necessary:

  • Website enquiries — up to 12–24 months
  • Client project data — for the duration of the contract and up to 6 years for legal and accounting purposes
  • Marketing data — until you withdraw consent

For NextVault app data: your vault contents remain on your device until you uninstall the app, perform a factory reset, or manually delete the database via the app’s Settings. The in-app security audit log auto-prunes entries older than 90 days. Exported vault files (.tskvault) and encrypted backup files (.tskbackup) stored on your device or cloud storage are solely under your control.

09 · Your GDPR Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure (“Right to be Forgotten”)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time
✉️ To exercise your rights regarding website or business data, email in**@********rt.co

📱 For NextVault app data: your credentials are held exclusively on your device, encrypted under your master password. You have complete control — you can export (.tskvault), delete individual records, or wipe the entire vault via Settings at any time. Thingsmart holds no copy of your vault contents.

10 · Data Security

We implement appropriate technical and organisational measures to protect personal data across our website and business operations, including SSL encryption, secure hosting, access controls, and regular software updates.

NextVault is built with a defence-in-depth security architecture. Every credential is protected by three independent encryption layers:

🛡️ NextVault Encryption Architecture

  • Layer 01 · Master Password: RSA-2048, Android Keystore (Hardware-backed · Never leaves secure enclave · PKCS#11 boundary)
  • Layer 02 · Database: SQLCipher + PBKDF2-HMAC-SHA256 (600,000 iterations · Per-install random salt · v3→v4 auto-migration)
  • Layer 03 · Each Record: AES-256-GCM (session key) (Unique IV per record · GCM auth tag · Sub-ms decrypt after login)
  • Export / Backup Files: AES-256-GCM + PBKDF2 310K (Biometric gate required · Salt bundled in envelope · Highest KDF cost)

Additional security controls include: FLAG_SECURE on all screens (prevents screenshots and screen recording), 30-second clipboard auto-clear, configurable auto-lock on idle, anti-phishing phrase on the login screen, app integrity check (APK signing certificate verification), and a full security audit log stored locally.

11 · Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner’s Office (ICO)
Website: https://ico.org.uk

We would, however, appreciate the opportunity to address your concerns directly before you approach the ICO. Please contact us at in**@********rt.co in the first instance.

12 · Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the NextVault app, our website, or applicable law. Updates will be posted on this page with a revised “Last updated” date. For material changes, we will update the app store listing accordingly.

The current version covers NextVault v2.0.0 (versionCode 2, package app.nextvault, min SDK 26, target SDK 35).