Privacy Policy

Last Updated: December 23, 2025

Blackbox ("we," "our," or "us") is committed to protecting your privacy and maintaining the highest standards of data security. This Privacy Policy explains how we handle your data, our zero-knowledge architecture, and your rights regarding your information when you use our mobile application ("App").

1. Zero-Knowledge Architecture

Blackbox is built on a zero-knowledge architecture, which means we cannot access, read, or decrypt your data under any circumstances. This fundamental principle ensures your complete privacy and security.

1.1 What We Cannot Access

  • We cannot decrypt your data - All vault data is encrypted using AES-256 encryption before it leaves your device
  • We cannot read your data - We have no access to encryption keys or your PIN
  • We cannot access your PIN - Your PIN never leaves your device and is only used locally for encryption/decryption
  • We cannot access encryption keys - Keys are derived from your PIN using PBKDF2 and never transmitted
  • We act as a pass-through - We only sync encrypted files; we do not process or handle your data

2. Data Encryption and Security

2.1 End-to-End Encryption (E2EE)

All vault data is protected using industry-standard, military-grade encryption:

  • Encryption Standard: Advanced Encryption Standard (AES) with 256-bit keys
  • Key Derivation: Industry-standard key derivation function with sufficient iterations to ensure strong key generation
  • Encryption Mode: Secure block cipher mode with unique initialization vectors for each operation
  • Salt: Unique cryptographically secure random salt generated for each encryption operation
  • Client-Side Encryption: All encryption and decryption occurs on your device before any data transmission
  • No Backdoors: The encryption implementation has no backdoors or master keys that could compromise your data

2.2 PIN Security

  • Your PIN is never transmitted over the network
  • Your PIN is never stored in cloud storage
  • Your PIN is only used locally on your device for encryption and decryption
  • Encryption keys are derived from your PIN using PBKDF2 and never leave your device
  • If you forget your PIN, we cannot recover your data - this is by design to ensure your privacy

2.3 Data Flow

Here's how your data is protected:

  1. On Your Device: Vault data is encrypted using AES-256 with a key derived from your PIN
  2. Before Upload: Only the encrypted data (unreadable without your PIN) is prepared for sync
  3. During Sync: Encrypted data is transmitted to cloud storage (your iCloud/Google Drive or our secure servers)
  4. In Cloud Storage: Data remains encrypted and unreadable without your PIN
  5. On Restore: Encrypted data is downloaded and decrypted locally on your device using your PIN

3. Information We Collect

3.1 Vault Data

We do not collect, process, or have access to your vault data. Your vaults contain:

  • Files, photos, videos, notes, and other content you store in vaults
  • All content is encrypted on your device before any storage or sync
  • We only handle encrypted blobs that are unreadable without your PIN
  • We cannot see, read, or access the contents of your vaults

3.2 Subscription Information

For Premium subscription management:

  • We use RevenueCat to process in-app purchases and subscription management
  • RevenueCat collects purchase information, including transaction IDs and subscription status
  • Purchase data is linked to your app store account (Google Play or Apple App Store)
  • We do not collect or store payment card information
  • Subscription status is stored locally on your device using secure storage

3.3 Cloud Sync Data

When you enable cloud sync:

  • User's Storage Option: Encrypted vaults are synced to your own cloud storage (iCloud Drive or Google Drive). We have no access to this data.
  • Blackbox Cloud Option: Encrypted vaults are stored on our secure servers (AWS S3). We store only encrypted blobs that we cannot decrypt.
  • Storage Usage: We track the total size of encrypted data (in GB) for storage limit management, but we cannot see the contents
  • Sync Metadata: We store minimal metadata (vault IDs, last sync timestamps) to manage sync operations
  • No Content Access: We cannot read, decrypt, or access the actual content of your vaults

3.4 App Usage Data

We store the following locally on your device:

  • Premium subscription status (stored securely using Expo SecureStore)
  • Cloud sync preferences (enabled/disabled, sync method selection)
  • Per-vault sync settings (which vaults are enabled for sync)
  • Storage usage statistics (total GB used, for display purposes only)
  • Unlock style preferences (PIN, Pattern Match, Piano Sequence)
  • No usage analytics, telemetry, or behavioral data is sent to our servers

3.5 Authentication Data

For Blackbox Cloud (optional cloud storage service):

  • If you choose to use Blackbox Cloud, you may create an account with email and password
  • Passwords are hashed using bcrypt before storage
  • We use JWT tokens for authentication (stored securely on your device)
  • Authentication is only used to manage your cloud storage account - it does not provide access to your encrypted vault data

4. How We Use Your Information

4.1 Vault Data

  • We do not use your vault data - We cannot access it due to our zero-knowledge architecture
  • Encrypted vault files are stored or synced as-is without any processing
  • We do not analyze, scan, or inspect the contents of your vaults
  • We do not use your data for advertising, analytics, or any other purpose

4.2 Subscription Management

  • Purchase information is used to verify and maintain your Premium subscription status
  • Subscription status is checked through RevenueCat's servers to ensure validity
  • Purchase data is used to restore your subscription if you reinstall the App
  • Storage tier purchases are tracked to manage your cloud storage limits

4.3 Cloud Sync Services

  • User's Storage: We facilitate sync to your iCloud/Google Drive, but we do not access the data
  • Blackbox Cloud: We store encrypted vault files on secure servers (AWS S3) with server-side encryption
  • We track storage usage (total GB) to enforce storage limits for Premium users
  • We do not decrypt, read, or process the encrypted vault files
  • Sync operations are automated and do not involve human access to your data

5. Data Storage and Security

5.1 Local Storage

  • All vault data is stored locally on your device in encrypted format
  • Vault files are encrypted using AES-256 before being written to device storage
  • User preferences and settings are stored using Expo SecureStore (encrypted storage)
  • Unlock patterns and piano sequences are encrypted and stored securely
  • You can clear app data at any time through your device settings

5.2 Cloud Storage Options

5.2.1 User's Storage (iCloud/Google Drive)

  • Encrypted vaults are synced to your own cloud storage account
  • You maintain full ownership and control of your data
  • We have no access to your iCloud or Google Drive accounts
  • Data is subject to your cloud provider's terms and privacy policies
  • You can disable sync or delete cloud data at any time

5.2.2 Blackbox Cloud (Our Servers)

  • Encrypted vaults are stored on AWS S3 (Amazon Web Services)
  • Data is stored with server-side encryption (AES256) as an additional security layer
  • Each user's data is isolated in separate folders (user isolation)
  • We use industry-standard security practices and access controls
  • Even with server access, we cannot decrypt your data without your PIN
  • Data is stored in secure data centers with physical and digital security measures

5.3 Third-Party Services

  • RevenueCat: Handles subscription management. Purchase data is encrypted in transit and at rest. See RevenueCat's Privacy Policy for details.
  • AWS S3: Provides cloud storage infrastructure for Blackbox Cloud. Data is encrypted at rest and in transit. See AWS Privacy Policy for details.
  • Google Play / Apple App Store: Handles payment processing. We do not receive payment card information.
  • iCloud Drive / Google Drive: When using the User's Storage option, your encrypted data is stored in your own cloud accounts, subject to their privacy policies.

5.4 Security Measures

  • End-to-End Encryption: All vault data is encrypted before leaving your device
  • Strong Key Derivation: Industry-standard key derivation with sufficient computational cost to prevent brute-force attacks
  • Unique Encryption: Each vault and file uses unique encryption keys and initialization vectors
  • Secure Storage: Sensitive data (PINs, patterns, sequences) stored using secure, encrypted device storage
  • HTTPS/TLS: All network communications are encrypted using the latest TLS protocols
  • Rate Limiting: API endpoints are protected with rate limiting to prevent abuse and brute-force attempts
  • No Backdoors: We have designed the system so that even we cannot access your data
  • Regular Security Updates: We continuously update our security practices to address emerging threats

6. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information or vault data. We share data only in the following limited circumstances:

  • RevenueCat: Purchase and subscription data is shared with RevenueCat for subscription management. This does not include vault data.
  • AWS S3: Encrypted vault files are stored on AWS S3 for Blackbox Cloud users. AWS cannot decrypt the data.
  • Your Cloud Storage: When using the User's Storage option, encrypted vaults are synced to your iCloud/Google Drive account.
  • Legal Requirements: We may disclose information if required by law, court order, or to protect our rights, property, or safety. However, we can only provide encrypted data that we cannot decrypt.
  • Service Providers: We may use third-party services (hosting, payment processing) that process encrypted data, but they cannot decrypt it.

Important: Even if we were legally compelled to provide your data, we can only provide encrypted files that are unreadable without your PIN. We do not have the ability to decrypt your data.

7. Your Rights and Choices

7.1 Data Control

  • You own your data: All vault content belongs to you
  • You control encryption: Your PIN controls access to your data
  • You choose sync: Cloud sync is disabled by default and can be enabled/disabled at any time
  • You choose storage: You can use your own cloud storage or Blackbox Cloud
  • You can delete: You can delete vaults, disable sync, or delete cloud data at any time
  • You can export: You can export your vaults locally at any time

7.2 Cloud Sync Management

  • Cloud sync is disabled by default - you must explicitly enable it
  • You can choose which vaults to sync (per-vault control)
  • You can switch between user's storage and Blackbox Cloud at any time
  • You can disable cloud sync entirely, which stops all cloud operations
  • You can delete your cloud data from Blackbox Cloud servers at any time

7.3 Subscription Management

  • You can restore your Premium subscription at any time through the App's settings
  • Subscription purchases are managed through your app store account
  • You can cancel or manage your subscription through Google Play or Apple App Store settings
  • You can purchase additional storage tiers if needed
  • Storage purchases are linked to your Premium subscription

7.4 Data Deletion

  • Local Data: You can delete vaults or clear app data through device settings
  • Cloud Data: You can delete synced vaults from cloud storage at any time
  • Account Deletion: If you delete your Blackbox Cloud account, all encrypted vaults are permanently deleted from our servers
  • No Recovery: Once deleted, encrypted data cannot be recovered (we cannot decrypt it anyway)

8. App Store and Play Store Compliance

8.1 Data Handling

  • We do not handle user data - Data is encrypted client-side before any transmission
  • We do not process user data - We only sync encrypted files without processing
  • We do not have access to user data - Encryption keys never leave the device
  • We act as a pass-through - Encrypted files are synced to cloud storage without decryption
  • Data is stored in the user's own cloud storage - When using the User's Storage option, data goes to their iCloud/Google Drive
  • User maintains full control and ownership - Users can enable/disable sync and delete data at any time

8.2 Data Safety (Play Store)

  • Data encryption: Yes, AES-256 encryption
  • Data sharing: No, we do not share user data
  • Data collection: No, we do not collect user data
  • Data access: No, we cannot access encrypted data
  • Data deletion: Users can delete their data at any time

8.3 App Privacy (App Store)

  • Data collected: None (we don't collect user data)
  • Data linked to user: No (encrypted data cannot be linked to users)
  • Data used to track: No
  • Data shared with third parties: No (except encrypted blobs to cloud storage, which we cannot decrypt)

9. Children's Privacy

Blackbox is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. However, due to our zero-knowledge architecture, we cannot access or verify the contents of any vaults.

10. International Data Transfers

Your encrypted data may be processed and stored in countries other than your country of residence. RevenueCat, AWS S3, and cloud storage providers operate globally and may transfer data to servers located in different countries. By using the App, you consent to such transfers. However, your data remains encrypted and unreadable regardless of where it is stored.

11. Data Retention

  • Vault Data: Stored locally on your device and in cloud storage (if sync is enabled) until you delete it. We do not retain copies.
  • Purchase Data: RevenueCat retains purchase data as required for subscription management and legal compliance
  • Cloud Storage: Encrypted vaults remain in cloud storage until you delete them or disable sync
  • Account Data: If you delete your Blackbox Cloud account, all encrypted vaults are permanently deleted within 30 days
  • Local Settings: Stored on your device until you uninstall the App or clear app data

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes. Your continued use of the App after changes constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: support@theothersidestudios.com

Website: www.theothersidestudios.com

Developer: TOSS (The Otherside Studios)

14. Third-Party Privacy Policies

For more information about how third-party services handle your data:

15. Security Best Practices

To maintain the security of your data, we recommend:

  • Choose a strong, unique PIN that you can remember (we cannot recover it if forgotten)
  • Enable cloud sync for backup, but understand that you control when it's enabled
  • Keep your device and app updated to the latest version for security patches
  • Use device-level security (screen lock, biometric authentication)
  • Regularly review your synced vaults and delete unnecessary data
  • Be cautious when sharing your device with others