Privacy Policy

1. Who We Are

CovertX is developed and maintained by Crypton Studio (contact: support@cryptonstudio.app). CovertX is an Android application providing on-device encrypted file storage with decoy vault and intruder detection capabilities.

2. What Data We Collect

The short answer: none of your personal data.

The detailed breakdown:

3. How Your Files Are Handled

When you import a file into CovertX:

• Encryption: The file is encrypted using AES-256-CBC with a key derived from your PIN (SHA-256 hash) immediately on import.
• Storage: Encrypted files are stored in CovertX's private app directory (Documents/covertx_vault/) — inaccessible to other apps via Android's sandbox.
• Original removal: The source file is removed from its original location (gallery, file system) after encryption. It no longer appears in your gallery app.
• Database: File metadata is stored in a SQLCipher-encrypted database with your PIN hash as the passphrase.
• No transmission: At no point does the file, its encrypted form, or any metadata leave your device.

Your files are never transmitted to any server — not ours, not anyone else's.

4. Intruder Detection & Selfies

CovertX includes an intruder detection feature that:

• Monitors failed PIN unlock attempts locally on your device
• After 3 consecutive failed attempts, silently captures a photo using the front camera
• Stores the captured photo in CovertX's encrypted private database — not in your device gallery
• Sends a local push notification to you: "Unauthorized access attempt detected"

Intruder photos are:

• Encrypted with the same AES-256 system as your other files
• Never uploaded to any server
• Visible only to you via the Break-in Log inside CovertX
• Deleted permanently when you clear the intruder log

5. Encryption Specifications

CovertX uses the following encryption architecture:

• File encryption: AES-256-CBC (via the encrypt Dart package)
• Key derivation: SHA-256 hash of user's PIN
• Key storage: flutter_secure_storage — backed by Android Keystore
• Database: SQLCipher — fully encrypted SQLite with PIN hash passphrase
• File deletion: Files are overwritten with random bytes before deletion (secure wipe)

Without your PIN, the encrypted files are unreadable binary data. Even if someone extracted your device's internal storage, they would find only encrypted noise.

6. Third-Party Services

CovertX integrates the following third-party SDKs. These operate under their own privacy policies:

Google AdMob (Free users only)
The free version displays banner and interstitial ads. AdMob may collect device identifiers and approximate location to serve relevant ads. Pro users see no ads and ad serving is disabled.
Google Privacy Policy →

Firebase Analytics & Crashlytics
Used for anonymised crash reporting and app stability monitoring. Crash reports contain stack traces only — no file content, no PIN, no user data is ever included in crash reports.
Firebase Privacy Policy →

RevenueCat
Handles in-app purchase verification and subscription management. RevenueCat receives anonymised purchase data from Google Play to verify Pro status. No file content or vault data is shared.
RevenueCat Privacy Policy →

Google Play Billing
In-app purchases are processed by Google Play. We do not receive or store any payment information.
Google Play Privacy Policy →

7. Permissions We Request

• CAMERA — Required for the intruder detection selfie feature (Pro). Only activated after 3 failed PIN attempts.
• READ_MEDIA_IMAGES / READ_MEDIA_VIDEO / READ_EXTERNAL_STORAGE — Required to import files from your gallery or file system into the encrypted vault.
• WRITE_EXTERNAL_STORAGE (Android <10) — Required to export decrypted files to Downloads when you choose to export.
• USE_BIOMETRIC / USE_FINGERPRINT — For optional biometric unlock. Biometric data is handled entirely by Android's BiometricPrompt API — we never access raw biometric data.
• POST_NOTIFICATIONS — To send intruder alert notifications to you.
• INTERNET — Required only for AdMob (free users), Firebase Crashlytics, and RevenueCat purchase verification. Never used to transmit file content.

8. Data Retention

All vault data exists only on your device with no expiration. You control deletion entirely:

• Delete individual files from within the app (secure wipe)
• Delete entire albums from within the app
• Clear the intruder log from settings
• Uninstall CovertX — all app data is permanently deleted by Android

We have no ability to delete data on your behalf because we have no access to it.

9. Children's Privacy

CovertX is not directed at children under 13. We do not knowingly collect any data from children. The app requires understanding of encryption concepts and PIN management that is unsuitable for children. If you are a parent and believe a child is using this app, please contact us.

10. Your Rights

Since CovertX holds no personal data on any server, traditional data rights (access, erasure, portability) are exercised directly on your device by managing content within the app or uninstalling it. For third-party data (AdMob, Firebase, RevenueCat), refer to their respective privacy policies and opt-out tools.

11. Changes to This Policy

We may update this privacy policy from time to time. Changes will be reflected with a new effective date on this page. Material changes will be noted in the app's Play Store release notes. Continued use of CovertX after changes constitutes acceptance of the updated policy.

12. Contact

Questions about this privacy policy:

• Email: support@cryptonstudio.app
• Website: covertx.cryptonstudio.app