Introduction
CustoriaLabs ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we handle information when you use the Custoria Inventory mobile application (the "App").
Zero-Knowledge Architecture
We cannot access your data. Custoria uses end-to-end encryption with zero-knowledge architecture, meaning:
- Your vault items are encrypted on your device before being stored
- Only you have the encryption keys
- We cannot read, access, or decrypt your data
- Even if compelled by law, we cannot provide your unencrypted data
Information We Collect
Information You Provide
When you use Custoria, you voluntarily provide:
- Account Information: Email address for authentication
- Vault Items: Photos, descriptions, values, and other details about your items
- User Preferences: Settings and customization choices
Information Automatically Collected
- Authentication Data: Firebase Authentication manages login sessions
- Usage Analytics: Anonymous app usage statistics (crashes, performance)
- Device Information: Device type, OS version (for compatibility)
Information We Do NOT Collect
- ❌ Your vault item contents (encrypted, we cannot access)
- ❌ Your encryption keys (stored locally only)
- ❌ Location data
- ❌ Contacts
- ❌ Photos beyond what you explicitly add to the app
How We Use Information
Account Management
- Authenticate your identity
- Provide app functionality
- Sync encrypted data across your devices
Service Improvement
- Fix bugs and crashes
- Improve performance
- Develop new features
Legal Compliance
- Comply with applicable laws
- Respond to legal requests (limited to account existence only)
Data Storage
Encryption
- Local Storage: AES-GCM encryption with 256-bit keys
- Cloud Storage: Encrypted data stored in Firebase (Google Cloud)
- Keys: Stored securely in iOS Keychain
- Key Derivation: PBKDF2 with 100,000 iterations
Data Location
Your encrypted data is stored on:
- Google Cloud Platform (Firebase Firestore and Storage)
- Servers located in: United States
Third-Party Services
Firebase (Google)
We use Firebase for:
- Authentication
- Encrypted data storage
- Analytics
Firebase Privacy Policy: https://firebase.google.com/support/privacy
Gemini AI (Google)
We use Gemini AI for:
- Item identification from photos
- Value estimation
Privacy Protection:
- Images sent to Gemini are temporary
- No persistent storage of your images
- Used only for analysis
- Not used for AI training
Gemini Privacy Policy: https://policies.google.com/privacy
Your Rights
Data Access
- View all your data in the app
- Export your data as PDF
Data Deletion
- Delete individual items
- Delete all items
- Delete your account (permanent)
Data Portability
- Export your inventory as PDF
- Export as JSON (coming soon)
Children's Privacy
Custoria is not intended for users under 13 years of age. We do not knowingly collect information from children under 13.
Data Retention
- Active Accounts: Data retained while account is active
- Deleted Accounts: All data permanently deleted within 30 days
- Inactive Accounts: No automatic deletion (you control your data)
Security
We implement industry-standard security measures:
- End-to-end encryption
- Secure key storage (iOS Keychain)
- Regular security audits
- Zero-knowledge architecture
However, no method of transmission over the Internet is 100% secure.
International Users
If you are located outside the United States:
- Your data may be transferred to and stored in the United States
- By using Custoria, you consent to this transfer
- We comply with applicable data protection laws
Changes to This Policy
We may update this Privacy Policy. We will notify you by:
- Posting the new policy in the app
- Updating the "Last Updated" date
- Requiring acceptance for material changes
Your Consent
By using Custoria, you consent to this Privacy Policy.
Summary (Plain English)
- ✅ We can't see your data - Everything is encrypted
- ✅ You control your data - Delete anytime
- ✅ Minimal data collection - Only what's necessary
- ✅ Transparent partners - Firebase & Gemini AI
- ✅ Your keys, your data - Zero-knowledge security