Back to Vault
Your Data. Your Rights.

Privacy Policy

Last Updated: March 14, 2026

🔒

Zero-Knowledge Architecture

We encrypt your vault contents before they touch our database. We cannot read your secrets — and therefore cannot sell, share, or hand them over to anyone.

1. Information We Collect

  • Account Data: When you register, we collect your email address and a hashed (bcrypt) version of your password. We never store your plain-text password.
  • Transaction Data: If you purchase premium features, our payment processor (PayHere) collects your billing details. Rahas.lk does not store your credit card information.
  • Encrypted Vault Data: The text and files you upload to your secure vault, stored in AES-256-CBC encrypted form.
  • Analytics: We collect anonymised daily visitor hashes (SHA-256 of IP + User-Agent + date) to count unique visits. No raw IP addresses are stored or retained beyond 90 days.

2. How We Protect Your Data

Rahas.lk is built on a Zero-Knowledge privacy model for your secure vaults:

  • Your sensitive secrets are encrypted with AES-256-CBC immediately upon creation.
  • We do not hold the master decryption keys tied to individual vault contents in a user-accessible way.
  • Because we cannot read your data, we cannot hand it over to third parties, sell it, or use it for advertising.

3. Data Retention and Automated Purging

Our infrastructure is designed to hold data only as long as necessary to fulfill your chosen service:

Burn After Reading Links

The encrypted data row is permanently dropped from our active database the exact millisecond the payload is successfully queried and rendered on a screen. There is no recovery path after a link is burned.

Digital Time Capsules

The encrypted payload remains on our secure servers until the unlock date. Once the recipient unlocks and views the capsule, the data is permanently purged from our active database.

Legacy Vaults

Your encrypted documents are stored as long as your subscription is active and you respond to Heartbeat check-ins. If a Dead Man's Switch is triggered, the system dispatches the decrypted contents to your nominated contacts and subsequently purges the sensitive payload from our active database to ensure post-mortem privacy.

4. Third-Party Sharing

We do not sell, trade, or rent your personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification regarding visitors and users with our business partners. We will cooperate with Sri Lankan law enforcement if served with a valid court order, in which case we can provide IP access logs and account metadata — but not your encrypted vault contents, which we are technically unable to decrypt.

5. Your Rights

Under applicable data protection laws, you have the right to:

  • Request access to the unencrypted personal data we hold about you (e.g., your account email and registration date).
  • Request correction of inaccurate personal data.
  • Request deletion of your account and associated data.

To exercise any of these rights, contact us at support@rahas.lk.

Privacy concerns or data requests?

Contact us at support@rahas.lk

Terms of Service Refund Policy Acceptable Use