Privacy-first. On-device only. No accounts needed.

Privacy Verification

We do not ask you to take our word for it. Here are our privacy claims, how to verify them yourself, and a full breakdown of every permission the app requests.

Our privacy claims

Zero trackers

No analytics SDKs, no advertising libraries, no tracking pixels inside the app.

No network calls

The app makes zero outbound connections during normal use. It works fully offline.

On-device only

All documents, scans, and data stay on your phone. There is no cloud, no server, no backend.

AES-256-GCM encryption

Every document is encrypted before it touches your device's storage.

Verify it yourself

You do not need to trust us. You can confirm every claim above with free, public tools.

1. Network traffic test

Install a network monitor such as mitmproxy (free, open source), Charles Proxy, or Wireshark. Open Travel Document Vault, scan a document, browse your vault, and set a reminder. You will see zero outbound requests. The only exception is if you have opted into Sentry crash reporting in Settings, which sends data only when the app crashes.

2. iOS App Privacy Report

On iPhone, go to Settings > Privacy & Security > App Privacy Report. This built-in Apple feature shows which apps have contacted network domains. Travel Document Vault will show no network activity during normal use.

3. App Store and Play Store privacy labels

Both Apple and Google require developers to declare what data their app collects. Check the App Store or Google Play listing for Travel Document Vault. Our declaration: no data collected.

Every permission explained

Android apps declare permissions in their manifest. Some are requested by the app directly, and some are inherited from libraries the app depends on. Here is a transparent breakdown of every permission, grouped by purpose.

Permissions the app uses directly

Camera

iOS + Android

Why we ask: To scan your passport, visa, or travel document pages directly from the app.

What we never do: Photos are saved locally on your device. They are never uploaded, transmitted, or sent anywhere.

Photo Library / Photos / Storage

iOS + Android

Why we ask: So you can import an existing photo of a document, and so the app can export ZIP backup archives when you request them. On older Android versions, READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE are required for this. On Android 13+, READ_MEDIA_IMAGES is used instead.

What we never do: The app reads only the image you select. It never scans, indexes, or browses your photo library or file system.

Face ID / Touch ID / Biometric unlock

iOS + Android

Why we ask: To lock and unlock the app so only you can access your documents. On Android 6–8, USE_FINGERPRINT is used. On Android 9+, USE_BIOMETRIC is used instead.

What we never do: Your biometric data never leaves your device. The operating system handles authentication and returns only a pass/fail result to the app.

Notifications, Vibration, Boot Completed, Wake Lock

Android

Why we ask: To deliver on-device expiry reminders that you set yourself. RECEIVE_BOOT_COMPLETED re-schedules your reminders after a device restart. WAKE_LOCK ensures reminders fire reliably even when the phone is asleep. VIBRATE accompanies notification delivery.

What we never do: No marketing, promotional, or third-party notifications are ever sent. Reminders are scheduled entirely on your device.

Internet, Network State, Wi-Fi State

Android

Why these appear: These are required by two features: Sentry crash reporting (opt-in, disabled by default) and Google Play billing for the Pro upgrade purchase. ACCESS_NETWORK_STATE and ACCESS_WIFI_STATE let these libraries check whether a connection is available before attempting to send.

What we never do: The app itself makes zero network calls during normal use. It works fully offline. You can verify this with a network monitor. The only outbound traffic occurs if you have opted into crash reporting (when a crash happens) or when restoring a Pro purchase.

Permissions inherited from libraries (not used by the app)

Android apps include third-party libraries for features like in-app purchases, crash reporting, and notifications. These libraries declare permissions in their own manifests, which get merged into the final app. The permissions below are declared by dependencies, not by our code. The app never calls the APIs behind them.

Record Audio

Inherited, never used

Why it appears: This permission is declared by a third-party library included in the build (commonly the camera or media plugin). It appears in the Android manifest but is never triggered by our code. The app does not record audio or video under any circumstances.

How you can confirm: The app will never prompt you for microphone access. If you check your device's permission manager, you will see that audio recording is not granted to Travel Document Vault.

System Alert Window

Inherited

Declared by the Flutter framework for development and debugging overlays. This permission is not used in the release build of the app and has no effect on your privacy.

Detect Screen Capture

Inherited

Declared by a framework dependency. The app does not detect, block, or respond to screenshots. This permission has no effect on your usage.

Badge count permissions

Inherited

READ_APP_BADGE, UPDATE_BADGE, BADGE_COUNT_READ, BADGE_COUNT_WRITE, READ_SETTINGS, WRITE_SETTINGS, UPDATE_COUNT, CHANGE_BADGE, BROADCAST_BADGE, and PROVIDER_INSERT_BADGE are declared by the notification library to display unread badge counts on your home screen icon across different Android manufacturers (Samsung, Huawei, Xiaomi, etc.). They only affect the number shown on the app icon.

Billing, Check License, Install Referrer

Google Play

Declared by the Google Play Billing library (for the Pro upgrade purchase) and the Play Install Referrer library. These are standard Google Play Store requirements and do not access any personal data.

Download Without Notification

Inherited

Declared by a framework dependency. The app does not download files in the background.

Permissions we do not request

These are common permissions that many apps ask for. We do not request any of them, and they do not appear in our manifest.

Location — no GPS, no geofencing, no tracking
Contacts — no access to your address book
Bluetooth — no local network or device scanning
Calendar — reminders are handled on-device, not via your calendar

Still have questions? Read our full Privacy Policy or check the FAQ.