Privacy policy

SecDocKeeper

Effective 8 May 2026 · Last updated 8 May 2026

The short version

SecDocKeeper is a local-first, end-to-end encrypted document vault. Your documents, the text extracted from them, your tags, your folders, and your master password never leave your device. There is no server, no account, no analytics, and no advertising.

1. Who this policy applies to

This policy describes how the SecDocKeeper application (the "app") handles information across the platforms it runs on: Android, iOS, macOS, Windows, and Linux. The app is published by meerhelm, a solo, EU-based software studio, and is open-source software at github.com/meerhelm/secdockeeper.

2. Information we do not collect

We do not operate any servers that receive data from the app. Specifically, the app does not collect, transmit, or store on remote infrastructure any of the following:

  • Your documents, their contents, file names, or thumbnails.
  • Text extracted from your documents by on-device OCR.
  • Tags, folders, or any metadata you create inside the vault.
  • Your master password, biometric data, or any cryptographic keys.
  • Your IP address, device identifiers, advertising IDs, or location.
  • Crash reports, telemetry, analytics, or usage statistics.

The app's source code makes no network calls, and it does not embed any third-party SDK that would perform networking on its behalf.

3. Information processed locally on your device

The app processes the following data only on your device, in storage that is private to the app and encrypted with keys derived from your master password:

  • Documents you import or scan. Each document is encrypted with a per-document key (AES-256-GCM) and stored as an encrypted blob in the app's private storage directory.
  • OCR text. When you import a document, the app uses Google ML Kit Text Recognition to extract searchable text. ML Kit Text Recognition runs entirely on your device; it does not send images or text to Google or any other party. The extracted text is stored encrypted alongside the document so you can search inside the vault.
  • Tags, folders, and document metadata. Stored in an encrypted SQLCipher database in the app's private storage.
  • Hidden tags. Stored as keyed hashes; their plaintext names never persist on disk.
  • Your master password. Used only to derive an encryption key (Argon2id). The password itself is never written to disk by the app. The derived key exists in memory only while the vault is unlocked, and is erased when the app is locked or backgrounded according to your auto-lock setting.
  • Biometric unlock secret (optional). If you enable biometric unlock, the app stores your master password sealed inside the platform's secure store via the flutter_secure_storage library:
    • Android — Android Keystore + EncryptedSharedPreferences
    • iOS / macOS — Apple Keychain (Secure Enclave where available)
    • Windows — Windows Credential Manager
    • Linux — libsecret (e.g., GNOME Keyring)

    It is never accessible to the app without a successful biometric prompt and never leaves the device.

4. Permissions the app requests, and why

The app requests the minimum permissions needed for the features you use. Permissions vary by platform.

Android

  • Biometric (USE_BIOMETRIC). Only used when you opt in to biometric unlock.
  • Camera. Requested at runtime when you tap the in-app document scanner. Captured frames are turned into an encrypted document inside the vault and are never sent off-device.
  • File access (system file picker / share sheet). The app uses Android's system pickers to let you select files to import or destinations for exports and backups. The app only accesses files you explicitly choose; it does not browse your device storage on its own.

iOS / macOS

  • Camera (NSCameraUsageDescription). Used by the in-app document scanner.
  • Face ID / Touch ID (NSFaceIDUsageDescription). Used only for biometric unlock if you enable it.
  • Photo Library (NSPhotoLibraryUsageDescription). Declared because a third-party framework the app depends on references the Photos API. The app itself does not access your photo library. iOS still requires the declaration to be present.

Windows / Linux

  • Biometric (Windows Hello / Linux fingerprint). Only used when you opt in to biometric unlock, where the OS supports it.
  • File access via the system file picker. As on other platforms, the app only reads files you explicitly select.

5. Sharing and exports you initiate

The app provides three user-initiated ways to move data out of the vault. In every case the action only happens because you ask for it, and the app does not transmit anything by itself:

  • Open with another app. When you open a document, the app writes a temporary decrypted copy to a private cache directory so the system viewer can display it. The temporary file is deleted when the vault locks.
  • Share an encrypted bundle. The "share" feature produces an encrypted .sdkblob file plus a separate .sdkkey.json key file. Each share uses a fresh data key, so each instance can be revoked independently. Both files are handed to the system share sheet for you to send via the channel of your choice. The app does not choose where the data goes.
  • Backup and restore. The "backup" feature produces a ZIP containing the encrypted database and encrypted blobs. No plaintext is included; the backup is unreadable without your master password. The destination is chosen by you via the system share sheet or file picker.

Once data leaves the app through any of these flows, the privacy and security of the destination (cloud storage, messaging app, email, etc.) is governed by that destination's own policies, not this one.

6. Third-party services

The app uses Google ML Kit Text Recognition for on-device OCR. The on-device variant of this library does not transmit images, text, or metadata to Google. See Google ML Kit Terms for details.

The app does not embed any analytics SDK, advertising SDK, crash reporting service, social-login provider, push notification service, or other third-party data collection component.

7. Children's privacy

The app is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). Because the app does not collect any personal information, it does not knowingly collect information from children.

8. Security

Documents at rest are encrypted with AES-256-GCM under per-document keys, which are themselves wrapped by a master key derived from your password using Argon2id (default parameters: m=64MiB, t=3, p=1). Metadata is stored in a SQLCipher-encrypted database. Auto-lock clears keys from memory when the app is backgrounded.

If you forget your master password, your data cannot be recovered. We have no copy of your password, no recovery key, and no escrow.

For details on the threat model and cryptographic design, see the security documentation. To report a vulnerability, see our security policy.

9. Data deletion and system backups

Because the app stores data only on your device, you can delete all data by either deleting the vault from inside the app or uninstalling the app. There is no server-side data to delete and no account to close.

Different operating systems handle app data backups differently. The app is configured to keep your vault out of OS-level backups where it can:

  • Android. The app sets allowBackup="false", which excludes the vault from Android Auto Backup to Google Drive.
  • iOS. The vault may be included in iCloud Backup if you have it enabled. Because the data is ciphertext encrypted under your master password, the backup contents are not directly readable, but a strong master password is the only thing standing between an offline copy of the ciphertext and brute-force attempts. You can exclude the app from iCloud Backup in iOS Settings.
  • macOS. The vault may be included in Time Machine backups. The same caveat applies: ciphertext is unreadable without your master password, but the strength of that password is what guarantees confidentiality of any backed-up copy.
  • Windows. The vault is stored in the per-user local app data directory, which is included in OneDrive Folder Backup or Windows File History only if you have configured those services to back up that location.
  • Linux. Whether the vault is included in any backup depends entirely on your local backup configuration (rsync, Déjà Dup, Borg, etc.). The app does not interact with any backup service.

In every case the data is encrypted; in no case is the master password ever included in any export, share, or backup.

10. Changes to this policy

We may update this policy if the app's data handling changes — for example, if a new feature introduces a new permission. Material changes will be reflected in the "Last updated" date above and announced in the project's release notes. Continuing to use the app after an update constitutes acceptance of the revised policy.

11. Contact

For privacy questions, write to [email protected].

For source-code or security-disclosure questions, open an issue at github.com/meerhelm/secdockeeper/issues, or for suspected vulnerabilities follow the private vulnerability reporting process instead of a public issue.