Preamble
Welcome to SoloBox (hereinafter referred to as "we," "the Platform," or "SoloBox"). SoloBox is a non-custodial digital-asset security protocol built on a zero-knowledge architecture (ZKA) with end-to-end encryption (E2EE). We deeply appreciate the importance of personal privacy and data security.
This Privacy Policy is designed to transparently and clearly explain: what data we collect, what data we do not collect, and how your data is protected by the most rigorous encryption technologies available. This policy forms an integral part of the SoloBox Terms of Service. By registering for and using the Service, you acknowledge that you have read, understood, and agree to the following.
1 Information We Do Not Collect
Due to the physical and technical isolation engineered into SoloBox's underlying architecture, the following categories of information are structurally inaccessible to us — we cannot obtain, store, or process them. This is not a policy commitment; it is an architectural fact:
| Information Type | Explanation |
|---|---|
| Your plaintext data | Any specific files, photos, or text content stored in your digital vault. All data is encrypted before it leaves your device; our servers process only opaque ciphertext binary blobs. |
| Your Master Password | Your Master Password is used exclusively on your local device to derive encryption keys. We do not upload, record, or store your plaintext password. |
| Your decryption keys | Encryption keys exist solely within the hardware security enclave (Secure Enclave) or protected system memory of your local device and are never transmitted to our servers. |
Practical implication: Even if SoloBox's servers were completely compromised, the attacker would obtain only strongly encrypted data packets. Without the Master Password and the key-derivation process residing on your local device, this data is mathematically undecryptable. Likewise, in response to external data-access requests, all we are able to provide is unreadable ciphertext.
2 Minimal Information We Collect
To maintain the normal operation of the SoloBox Service — including account verification, basic communications, and inheritance-protocol triggers — we collect only the following minimal set of necessary information. This practice strictly adheres to the data-minimization principle enshrined in major data-protection regulations such as the GDPR.
| Data Category | Specific Content | Collection Purpose |
|---|---|---|
| Account identifier | Registered email address or phone number. | Account routing and basic communication verification. |
| Encrypted data packages and routing indices | Pure ciphertext data blobs and addressing coordinates (CIDs) pointing to the decentralized network; filenames are encrypted. | Data storage and cross-device synchronization. |
| Designated contact information | Beneficiary contact details (e.g., email) voluntarily provided by you. | Execution of the digital inheritance protocol. |
| Service-status logs | Last-active timestamp and basic device operational status. | Account-activity determination for Sentinel Protocol triggering. |
| Subscription and billing information | Subscription status and payment transaction IDs; full credit-card information is processed by a third-party payment gateway (e.g., Stripe). | Subscription management and billing. |
Important note: All "encrypted data packages" listed above are opaque binary blobs from the perspective of SoloBox's servers. We are unable to infer file type, content, or any business semantics from them.
3 How We Use This Information
The necessary information we collect is used strictly for the following purposes and will not be used beyond the stated scope:
3.1 Providing Core Services
We allocate a secure encrypted environment to your account and ensure that your encrypted data packages can be reliably synchronized and stored across different devices. Throughout this process, the servers handle only ciphertext; no plaintext operations are involved.
3.2 Executing the Digital Inheritance Protocol
We continuously monitor your account's last-active timestamp to determine whether the account is in a prolonged state of inactivity. When your account has been continuously inactive for the configured period (default: 180 days), the system will, in accordance with your pre-configured settings, automatically deliver a notification containing access credentials to your designated contact. For technical details of this process, please refer to the Sentinel Protocol and Inheritance Key Sharding sections of the Technical Whitepaper.
3.3 Safeguarding Account Security
We monitor for abnormal login frequencies and unauthorized access attempts, and implement necessary security measures (e.g., rate limiting, security fuses) to protect your account from cyberattacks.
4 Data Storage and Third-Party Services
SoloBox will never sell your personal information to any third party.
We partner with trusted service providers solely at the technical-infrastructure level. All partners are equally unable to decrypt your core data — they handle only ciphertext. The specific partners and their roles are as follows:
| Service Type | Function | Data Accessible |
|---|---|---|
| Decentralized storage network (IPFS) | Encrypted data packages are distributed across decentralized nodes to ensure long-term security and tamper resistance. | Ciphertext binary blobs only; no key material. |
| Cloud routing service | Provides global high-speed network access and encrypted index relaying. | Encrypted metadata and ciphertext blobs only; no plaintext. |
| Communications provider | Sends system-generated service emails or SMS upon triggering of a preset protocol. | Recipient contact details and notification content only; no user data. |
| Payment gateway (e.g., Stripe) | Processes subscription payments and billing management. | Core payment information (e.g., credit card); SoloBox does not retain this data. |
5 Data Retention and Your Right to Erasure
5.1 Cryptographic Erasure (Crypto-Shredding)
SoloBox strictly complies with the rights granted to you under major global data-protection regulations (e.g., GDPR). Because your data is stored in fully encrypted form, exercising your right to be forgotten can be accomplished through crypto-shredding:
- When you decide to permanently close your account or empty your vault, you simply execute a reset operation in your local secure environment.
- Once the encryption index or keys are destroyed, the corresponding encrypted data packages in the cloud and all IPFS replicas become permanently undecryptable by anyone — including us.
- This process achieves permanent, secure erasure at the technical level with no server-side deletion workflow required.
5.2 Data Retention Period
While your account or subscription remains active, we will continue to securely store your encrypted data. For higher-tier vault plans with the "Digital Perpetuity Fund" activated, encrypted data will continue to persist on the decentralized network even after you stop paying (see Technical Whitepaper, Section 7.3).
5.3 Offline Recovery Capability
SoloBox provides an offline decryption toolkit. Even if the SoloBox service goes permanently offline, you can still recover your data locally using only your Master Password and the offline toolkit. This ensures that your data sovereignty is not contingent upon the operational status of the platform.
6 Your Data Rights
Under applicable data-protection regulations (including but not limited to the GDPR and CCPA), you enjoy the following rights:
| Right | How It Is Exercised |
|---|---|
| Right to be informed | You have the right to know all types of data we collect about you and their purposes. This policy fully discloses this information. |
| Right of access | You may access all of your encrypted data at any time through the client application. Because we cannot view plaintext, your right of access is exercised directly through the decryption capability on your local device. |
| Right to erasure (right to be forgotten) | Achieved through crypto-shredding: destroying local keys renders all cloud data permanently unreadable. See Section 5.1. |
| Right to portability | You may export your decrypted data through the client application at any time and migrate it to another service. |
| Right to rectification | For account-identifier information (e.g., email), you may submit a correction request at any time through the secure support channel. Corrections to encrypted data content are performed by you directly within the client. |
7 Policy Updates and Notification
As the Service evolves or laws and regulations change, we may update this Privacy Policy from time to time. For any material changes — particularly those involving data-processing practices — we will provide advance notice through the following channels:
- Email notification: Sent to your registered email address with a clear description of the changes and their effective date.
- In-app notification: Displayed as a pop-up or banner within the client application to ensure you are aware of the changes before using the Service.
Updated policies will be published at least 30 days before they take effect. Your continued use of the SoloBox Service after the updated policy becomes effective shall be deemed acceptance of the updated terms.
8 Contact Us
If you have any questions regarding this Privacy Policy, your data rights, or SoloBox's security practices, please contact our Privacy Compliance team at any time through the secure support channel on our official website. We undertake to respond to your inquiry within 30 business days of receipt.
This Privacy Policy forms an integral part of the SoloBox Terms of Service. By registering for and using the Service, you acknowledge that you have read, understood, and agree to the above.
