Privacy Architecture
This is not a privacy policy. A policy is a promise. This is an architecture description: a record of what VuAppStore is capable of seeing, which is the only privacy disclosure that matters.
VuAppStore is operated by VuLabs Inc from Florida, USA. The marketplace is a static SvelteKit site deployed to Cloudflare Pages, with a small set of edge functions that exist only to anonymously sign licenses, verify cryptocurrency payments, and answer cryptographic auth challenges. The applications you install from VuAppStore run on your own device and store their data there.
The short version
Your account fingerprint, your local vault, and your installed apps' data live on your device. Our edge endpoints see only what they need to see: a payment proof, a blinded license to sign, or a public-key challenge response. We have no database that links a person to their licenses, and we have no ability to recover encrypted local data if you lose access to it.
This is not a marketing position. It is a description of the source code in this repository. You can read the relevant files yourself — they are listed below by name.
What we cannot collect
We cannot collect things the application never sends to us. Specifically:
- Your real name. No field on the storefront asks for it. Account identity is a locally-generated keypair (ECDSA P-384) with a 12-character VU fingerprint.
- Your phone number. No field, no SMS verification, no recovery flow that needs one.
- Your usage patterns inside installed apps. The apps you download from VuAppStore keep their data in your browser; they do not phone home to us.
- Behavioural analytics. No Google Analytics, Mixpanel, Hotjar, Segment, PostHog, Amplitude, FullStory, or LogRocket is installed. The only client-side script watching the page is our own PrivacyInspector, which runs locally to show you what the page is doing.
- Advertising identifiers. No advertiser SDKs are loaded. No third-party tracking pixels are present.
- Your contents. Files, notes, messages, and other data created by VU applications are encrypted on your device with keys derived from your password. The keys never leave your device.
What lives where
| Data | Where it lives | Who can read it |
|---|---|---|
| Your sovereign identity keypair (ECDSA P-384) | Your browser, IndexedDB, AES-GCM-encrypted at rest | You only, after unlock |
| Your anonymous app licenses | Your browser, IndexedDB | You only |
| Your theme preference | Your browser, localStorage | You only |
| Static site assets | Cloudflare Pages CDN | Public |
| Per-request edge logs | Cloudflare, short-retention | Cloudflare for abuse defence |
The relevant source files are src/lib/auth/crypto.ts, src/lib/auth/storage.ts, and src/lib/stores/license.ts.
Cryptography in this codebase
We list what the source actually uses, not aspirational primitives. Anything we add later will appear here before it ships, not after.
- Identity signing: ECDSA P-384 with SHA-384, generated client-side via the WebCrypto API.
- Local-vault encryption: AES-GCM with a 256-bit key.
- Key derivation: PBKDF2 with SHA-256 and 310,000 iterations (OWASP 2023 baseline). Our roadmap to migrate to Argon2id is tracked publicly; we will not claim Argon2id here until the code uses it.
- Anonymous licensing: RSA blind signatures. Your device generates a 512-bit license seed, blinds it with a random factor, sends the blinded value to our signing endpoint, and unblinds the result locally. The signing endpoint sees only the blinded value and a Monero payment proof.
- Auth challenges: The challenge/verify endpoints exchange ECDSA-signed nonces. The server never sees a password or a private key.
Network activity, by endpoint
These are the only origins this site talks to from your browser, and what each of them learns.
- Cloudflare Pages serves static HTML, CSS, and JavaScript. Cloudflare logs IP addresses for DDoS mitigation; we do not have access to those logs in any user-attributable form.
- POST /api/license/sign receives a blinded license value and a Monero transaction ID. We verify the transaction via Monero Wallet RPC, sign the blinded value, and return the signature. We do not learn what we signed.
- POST /api/payment/address returns a one-time payment address for the current order. We do not store identifying data alongside it.
- POST /api/auth/challenge and /api/auth/verify implement an ECDSA challenge-response login. We see your public key and a signed nonce; we do not see your private key.
No third-party origins are contacted from any page on this site.
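The anonymous-licensing flow described under "Cryptography in this codebase" and the POST /api/license/sign endpoint above, as an added example that is not code from the VuAppStore repository: textbook RSA blinding over BigInt with a constructed toy key. The key, seed, blinding factor and function names are assumptions for illustration; payment verification, hashing and padding are left out.

```javascript
// Added example: textbook RSA blind signature with a toy key (not VuAppStore code).
// Production code needs a >= 2048-bit modulus, a CSPRNG-drawn r and hashing/padding.

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse (extended Euclid); throws when gcd(a, mod) != 1.
function modInv(a, mod) {
  let [r0, r1, s0, s1] = [mod, a % mod, 0n, 1n];
  while (r1 !== 0n) {
    const quot = r0 / r1;
    [r0, r1] = [r1, r0 - quot * r1];
    [s0, s1] = [s1, s0 - quot * s1];
  }
  if (r0 !== 1n) throw new Error("value is not invertible");
  return ((s0 % mod) + mod) % mod;
}

// Constructed toy signer key: two Mersenne primes, e = 65537.
const p = (1n << 89n) - 1n;
const q = (1n << 107n) - 1n;
const pub = { n: p * q, e: 65537n };
const d = modInv(pub.e, (p - 1n) * (q - 1n)); // stays on the signing endpoint

// Client: hide m behind r^e before anything leaves the device.
const blind = (m, r, { n, e }) => (m * modPow(r, e, n)) % n;
// Signing endpoint: signs the value it receives; m itself is never visible.
const signBlinded = (blinded) => modPow(blinded, d, pub.n);
// Client: divide out r to get an ordinary RSA signature on m.
const unblind = (blindSig, r, { n }) => (blindSig * modInv(r, n)) % n;
// Anyone holding the public key can check the finished license.
const verify = (m, sig, { n, e }) => modPow(sig, e, n) === m % n;

// Constructed stand-ins for the (hashed) license seed and the blinding factor.
const seed = 0x5eedc0ffee1234567890abcdefn;
const r = 0x1234567890abcdefn;
const blinded = blind(seed, r, pub);                   // all the server sees
const license = unblind(signBlinded(blinded), r, pub); // unblinded locally
console.log({ hidden: blinded !== seed, valid: verify(seed, license, pub) });
```

Blinding the same seed with a different r puts a different value on the wire but unblinds to the same license, which is why the signer cannot match a finished license to the signing request that produced it.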
Cookies
VuAppStore does not set tracking cookies. The site uses localStorage for theme preference and IndexedDB for encrypted local state; neither is a cookie. The on-page PrivacyInspector reads document.cookie only to show you what cookies (if any) are present in your browser session — it does not transmit that information.
Third parties
We use only these third parties, and only for the purposes listed:
- Cloudflare Pages for static asset hosting and DDoS protection.
- Monero, Lightning, Bitcoin, and Ethereum networks to verify on-chain or channel-level proof of payment for anonymous licenses.
- GitHub as the canonical home of our public source repositories. Only people who choose to visit the repo are observed by GitHub.
We do not use:
- Google Analytics, Plausible, Mixpanel, Amplitude, PostHog, or Segment.
- Sentry, LogRocket, FullStory, or Hotjar.
- Intercom, Zendesk, or Drift.
- Any advertising network, retargeting pixel, or A/B-testing service.
- Third-party fonts loaded from a CDN.
Your rights under GDPR, CCPA, and similar laws
These laws give you rights against entities that process your personal data. We process almost none, so most of these rights are trivially satisfied. For completeness:
- Right to access: Your data lives in your browser. The in-app export button gives you the full payload at any time.
- Right to rectification: Edit your data inside the relevant app.
- Right to erasure: Clear site data in your browser, or use each app's delete function. Because we have no copy, deletion on your device is total.
- Right to portability: Same as access — the export feature is the portability mechanism.
- Right to object to processing: Stop using the site.
- Right to lodge a complaint: With your local data protection authority.
Children
We do not knowingly process data of anyone — adult or child — beyond what is described above. The site has no concept of a user identity to distinguish between users, so age-based processing is structurally impossible.
Changes to this document
We update this document when the architecture changes. The change history is in git. There is no scenario in which we change this document to increase the data we can see, because that would require fundamental rewriting of the application, not a policy update.
Contact
For privacy architecture questions: [email protected]. For security disclosures: [email protected]. See /contact for all available channels and our policy on unsolicited contact forms.