Join. Talk. Leave. Nothing remains.
Nothing that identifies you. Vaultlix does not require an account, email address, phone number, or any personal information to use.
What does exist on our servers, only for as long as a room itself exists, is:
A session token is also kept in your browser's own localStorage, on your device — not on our servers — so the app can restore your open rooms if you reload or reopen it.
All messages are end-to-end encrypted using AES-256-GCM with keys generated in your browser. The server never sees your message content — only encrypted ciphertext that it cannot read.
There is no traditional database and no ongoing backups — server-side data lives only in memory during normal operation. The one exception: in the brief moments during a planned server restart (for example, a deployment), the server writes a temporary snapshot of that same in-memory data to disk purely so open rooms aren't wiped out, then reloads and deletes that snapshot the moment it's back online. This snapshot holds nothing beyond what the server already had in memory — the same encrypted message content, not new plaintext — and it does not help against an unexpected crash, only a graceful restart.
A room and everything in it (messages, member names, subscriptions) is deleted immediately if either person uses "Close & erase." Otherwise, a room is automatically and permanently deleted after a period of inactivity: 24 hours for a quick/one-time room, or 4 days for a named room — measured from the last activity in that room, not from when it was created. Simply closing your browser tab does not immediately delete a room; the idle timer above is what eventually does.
Disappearing-message timers, when enabled, delete an individual message from the server as soon as its timer expires, independent of the room's own lifetime.
Files are encrypted in your browser before upload, transmitted as encrypted data, and delivered directly to the recipient. Files are not stored on our servers beyond the same room lifetime described above.
Voice calls are set up over an encrypted signaling channel, and the connection itself is encrypted in transit (DTLS-SRTP, standard for WebRTC calls). To protect both callers' IP addresses from being exposed to each other, call audio is always relayed through a TURN server operated by Cloudflare, rather than connecting the two devices directly. This means call audio is not end-to-end encrypted the same way text messages are — Cloudflare's relay is technically an intermediary point in the connection, though it is not a party we share data with beyond what's needed to relay the call, and no call audio is recorded or stored by Vaultlix.
We do not use cookies, analytics trackers, advertising pixels, or any third-party tracking tools. We do not use Google Analytics or any equivalent service.
Vaultlix is hosted on Railway (railway.app). Railway may collect standard infrastructure logs including IP addresses. Please review Railway's privacy policy for details. We use Google Fonts for typography — fonts are loaded from Google's servers. Voice calls are relayed through Cloudflare's TURN service. Push notifications are delivered through Apple's and Google's respective push notification services, which see that a notification was sent to your device but not its content.
Vaultlix is not intended for use by anyone under the age of 18. We do not knowingly collect information from minors.
Vaultlix is operated from India and this policy is governed by Indian law, as stated below. If you access Vaultlix from another country, you do so on the understanding that your data may be handled under Indian law; where the law of your own country grants you additional rights that cannot be waived, this policy does not limit those rights.
We may update this policy from time to time. Updates will be reflected on this page with a revised effective date.
This policy is governed by the laws of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023.
Vaultlix is an anonymous, encrypted messaging and voice-calling service. It allows two people to communicate privately without accounts or stored data. Rooms are temporary: they are deleted immediately when either person uses "Close & erase," and otherwise expire automatically after a period of inactivity, as described in our Privacy Policy.
You may use Vaultlix for any lawful purpose. You may not use Vaultlix to:
Vaultlix is provided "as is" without warranties of any kind. We do not guarantee that the service will be available, error-free, or suitable for your specific needs.
To the fullest extent permitted by law, Vaultlix and its operators shall not be liable for any direct, indirect, incidental, or consequential damages arising from your use of the service.
Your use of Vaultlix is also governed by our Privacy Policy.
We reserve the right to terminate or restrict access to Vaultlix at any time, for any reason, without notice.
These terms are governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of courts in Chennai, Tamil Nadu.
For any questions regarding these terms, contact us at legal@vaultlix.com