anonym.legal
Home/Desktop Docs/Security & Privacy

Security & Privacy

How the Desktop App protects your data — vault encryption, data flow, storage policy, and recovery phrase.

Vault EncryptionData FlowWhat We StoreRecovery Phrase

Vault Encryption

Your vault is an encrypted container for all app secrets: encryption keys, presets, and user data. It uses military-grade cryptography.

Encryption Standards

  • AES-256-GCM

    All vault data is encrypted with 256-bit AES in Galois/Counter Mode.

  • Argon2id

    Your PIN is used to derive the vault key via Argon2id (memory-hard KDF).

  • BIP39 Recovery Phrase

    24-word mnemonic phrase for vault recovery. Backed by entropy from a CSPRNG.

  • Memory Zeroization

    Encryption keys are zeroed from memory immediately after use.

Access Control

  • 1

    PIN Unlock

    6-digit PIN for quick access. Derived via Argon2id, never stored in plain text.

  • 2

    Recovery Phrase

    24-word BIP39 phrase that can decrypt the vault if you forget your PIN.

  • 3

    Auto-Lock

    Vault automatically locks after inactivity or when the app is closed.

Data Flow

Understand exactly what leaves your device and what stays local.

File OpenedLocal only

Your file is opened locally. Binary content (images, formatting) stays on your device.

Text ExtractedLocal only

Text content is extracted locally from PDF, DOCX, XLSX, or other formats.

Text Sent for AnalysisText only

Only the plain text is sent over TLS 1.3 to our EU servers for PII analysis.

PII Detected & AnonymizedServer processing

Our Presidio-based engine detects PII and applies your chosen anonymization method.

Anonymized Text ReturnedLocal only

The anonymized text is returned to the app. Your original file is never uploaded.

Document ReconstructedLocal only

The app reconstructs the output file with anonymized text, preserving formatting.

Your original file content is never uploaded. Only extracted plain text is processed server-side.

What We Store

We NEVER store

  • Document content

    Neither the original nor anonymized text is stored on our servers.

  • Your files

    Files are processed in memory and immediately discarded after anonymization.

  • Encryption key values

    Encryption keys are zero-knowledge — wrapped with your KEK and unreadable to us.

  • Your vault PIN or phrase

    Vault credentials are derived locally and never transmitted.

We DO store

  • Account metadata

    Your email, plan, and account preferences — needed to run your account.

  • Preset configurations

    Preset names, entity lists, and settings — so they sync across devices.

  • Encryption key metadata

    Key names and encrypted key blobs (KEK-wrapped) for sync. We cannot decrypt them.

Recovery Phrase

Critical: Your recovery phrase cannot be recovered

If you lose your 24-word recovery phrase AND forget your PIN, your vault and all its contents are permanently lost. We have no backdoor.

Best Practices

  • Write it on paper — not in a digital file
  • Store it in a safe or locked drawer
  • Make 2 copies and keep them in different locations
  • Test recovery in a fresh install before relying on it

Never Do This

  • Store the phrase in the same app it protects
  • Take a photo of it (syncs to cloud)
  • Email it to yourself
  • Share it with anyone, including anonym.legal support

Reset Vault

If you no longer have access to your PIN or recovery phrase, you can reset the vault. This is irreversible.

Warning: Resetting the vault deletes all locally stored encryption keys, presets, and history. Your account and server-side data are unaffected.

Continue Reading

Features & Workflow

Learn about presets, encryption keys, and the full workflow.

Troubleshooting & FAQ

Find solutions to common issues and error messages.