Effective June 10, 2026

Privacy Policy

Apex Radius Inc. ("Apex Radius", "we", "us") operates Vardra, a zero-knowledge password manager built so that we cannot read your vault. This policy explains what we do and do not process, your rights, and how to reach us. It is written to meet Canada's PIPEDA and, where applicable, the EU/UK GDPR and the California CCPA/CPRA.

Our role and the zero-knowledge guarantee

Your passwords, notes, cards, recovery material, and item fields are encrypted on your device with keys derived from your master password and Secret Key before anything leaves it. We never receive your master password, Secret Key, or plaintext vault contents, and we cannot decrypt them. For your vault contents you are the controller; we act only as a processor of the encrypted payload.

What we collect

Account data: email address, account and device identifiers, device labels, email-verification status, plan and subscription status, and authentication metadata needed to operate the Service.

Encrypted sync data: when sync is enabled, encrypted vault payloads and the non-secret metadata required to authenticate, route, and synchronize your account across devices.

Billing data: processed by Stripe. We receive subscription status and limited billing metadata; we do not store full payment card numbers on our systems.

Diagnostics and support: security and sync logs, crash diagnostics, abuse-prevention signals, and the contents of support messages you send us.

We do not sell your personal information, and we do not use your data for advertising.

Why we process it (legal bases)

We process the above to provide and secure the Service (performance of our contract with you), to comply with legal obligations, and for our legitimate interests in preventing abuse and improving reliability. Where consent is the basis (for example certain communications), you may withdraw it at any time.

Sub-processors and international transfers

We rely on a small set of vendors to run the Service — currently Stripe (payments), Resend (transactional email), and Cloudflare (hosting, database, and sync infrastructure). They process data on our behalf under appropriate contractual safeguards. The current list is published at Sub-processors. Data may be processed in Canada, the United States, and other regions where these providers operate; transfers are protected by recognized safeguards such as Standard Contractual Clauses where required.

Retention and deletion

We keep account and billing records for as long as your account is active and as needed to meet legal, tax, security, and dispute-resolution obligations, after which they are deleted or anonymized. You can request deletion of your account and associated data at [email protected]; encrypted sync payloads are removed when you delete your account.

Your rights

Depending on where you live, you have rights to access, correct, delete, port, or restrict processing of your personal information, and to object or withdraw consent. California residents have the right to know, delete, correct, and to opt out of "sale" or "sharing" (we do neither). To exercise any right, email [email protected]; we will respond within the time required by applicable law. You also have the right to complain to your data protection authority, including the Office of the Privacy Commissioner of Canada.

Security

Beyond client-side end-to-end encryption, we apply transport encryption, key zeroization, rate limiting, and access controls on our infrastructure. No method of transmission or storage is perfectly secure; please keep your devices patched and your recovery material safe. Suspected vulnerabilities can be reported per our security.txt.

Children

The Service is not directed to children under 13, and we do not knowingly collect their personal information.

Changes and contact

We will post changes here and update the effective date. For privacy questions or requests, contact the Apex Radius privacy team at [email protected].