Privacy Policy — Sanctum

Last updated: 2026-06-15

Effective date: 2026-06-15


1. Overview

Sanctum is an encrypted photo and video vault application for iPhone and iPad, published by Armlab BV (enterprise no. BE0899277201), a company incorporated in Belgium. This privacy policy explains how Sanctum handles your data, what is encrypted, what is visible to Apple’s iCloud infrastructure, and your rights.

Core principle: Sanctum encrypts your photos and videos on-device before they ever leave your device. Your data lives in your own iCloud account, not on Armlab servers. Armlab cannot read your encrypted media or encryption keys.


2. Data Controller and Processor Roles

International data transfers: By using iCloud, your data may be transferred to and processed by Apple in the United States and other jurisdictions where Apple operates iCloud services. See Apple’s iCloud Privacy Overview for details.


3. What Data Exists and Where It Lives

3.1 Your Photos and Videos (Encrypted End-to-End)

What: Imported photos, captured videos, edited copies, and thumbnails in your personal vault and shared albums.

Encryption: AES-256-GCM per-item, with a unique random nonce per item. Encryption happens on-device before the data touches iCloud.

Where: Encrypted blobs stored in your iCloud CloudKit private database (personal vault) and, for shared albums, in each album’s private CloudKit share zone (accessible only to you and the people you invite).

Retention: Photos and videos persist until you delete them from the Sanctum app. When you delete an item, the plaintext copy is erased locally and the encrypted blob is marked for deletion in CloudKit (subject to CloudKit sync timing).

Sanctum’s access: Sanctum cannot read encrypted media bytes without the decryption key (held only in your iCloud Keychain). If you uninstall Sanctum without exporting your recovery phrase, your media remains encrypted in iCloud but unreadable by any new app install (including Sanctum).


3.2 Encryption Keys (End-to-End, in iCloud Keychain)

Vault Master Key: A 256-bit AES key that encrypts all items in your personal vault. Stored in your iOS Keychain, synced to your iCloud Keychain via Apple’s end-to-end encrypted pathway (Apple’s HSMs are designed so that even Apple cannot extract this key).

Per-Album Shared Key: Each shared album has its own AES-256 key. This key is sealed (encrypted) under your vault master key before it touches CloudKit, so the raw key never leaves your device unencrypted. Only members of the album hold a copy of the key (wrapped under their own public key via ECIES).

Identity Public Key: A P-256 elliptic-curve public key identifying your device in shared albums. Stored in your iOS Keychain and synced via iCloud Keychain. Visible to other album members (necessary for them to wrap the shared key to you).

Recovery Phrase: You can export your vault master key as a base64-encoded recovery phrase (44 ASCII characters) from Settings → Show Recovery Phrase. Store this in a password manager or offline. It is the only way to recover your vault if you reinstall the app without iCloud Keychain access.
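The key hierarchy this section describes, as an added illustration written against Apple's CryptoKit (this is not Sanctum's code): per-item AES-256-GCM with a fresh random nonce, the per-album key sealed under the vault master key before it would be written to CloudKit, and an ECIES-style wrap of the album key to a member's P-256 identity key (ephemeral ECDH, HKDF-SHA256, AES-GCM). All function names, the HKDF context string and the sample bytes are assumptions chosen for the example.

```swift
import CryptoKit
import Foundation

// Hypothetical names throughout; constructed context string for HKDF.
let wrapInfo = Data("example-album-key-wrap".utf8)

// One item under one key: AES-256-GCM, new random 12-byte nonce per call.
// `combined` is nonce || ciphertext || 16-byte tag, the shape a stored blob would have.
func sealItem(_ plaintext: Data, under key: SymmetricKey) throws -> Data {
    try AES.GCM.seal(plaintext, using: key).combined!   // non-nil for the default 12-byte nonce
}

// Any modified byte in the blob makes `open` throw (authentication tag check fails).
func openItem(_ blob: Data, under key: SymmetricKey) throws -> Data {
    try AES.GCM.open(AES.GCM.SealedBox(combined: blob), using: key)
}

// ECIES-style wrap to a member: ephemeral P-256 ECDH with the member's identity public key,
// HKDF-SHA256 to a wrapping key, AES-GCM over the raw album key.
// Output: ephemeral public key (64-byte rawRepresentation) || sealed album key.
func wrapAlbumKey(_ albumKey: SymmetricKey, to member: P256.KeyAgreement.PublicKey) throws -> Data {
    let ephemeral = P256.KeyAgreement.PrivateKey()
    let secret = try ephemeral.sharedSecretFromKeyAgreement(with: member)
    let wrapKey = secret.hkdfDerivedSymmetricKey(using: SHA256.self, salt: Data(),
                                                 sharedInfo: wrapInfo, outputByteCount: 32)
    let raw = albumKey.withUnsafeBytes { Data($0) }
    return try ephemeral.publicKey.rawRepresentation + sealItem(raw, under: wrapKey)
}

// Member side: rebuild the same secret from the ephemeral public key and unwrap.
func unwrapAlbumKey(_ wrapped: Data, with identity: P256.KeyAgreement.PrivateKey) throws -> SymmetricKey {
    let ephemeralPublic = try P256.KeyAgreement.PublicKey(rawRepresentation: Data(wrapped.prefix(64)))
    let secret = try identity.sharedSecretFromKeyAgreement(with: ephemeralPublic)
    let wrapKey = secret.hkdfDerivedSymmetricKey(using: SHA256.self, salt: Data(),
                                                 sharedInfo: wrapInfo, outputByteCount: 32)
    return SymmetricKey(data: try openItem(Data(wrapped.dropFirst(64)), under: wrapKey))
}

// Walk the hierarchy once: master key -> sealed album key -> wrapped to a member -> one item.
let vaultMasterKey = SymmetricKey(size: .bits256)            // would live in the Keychain
let albumKey = SymmetricKey(size: .bits256)
let albumKeyBytes = albumKey.withUnsafeBytes { Data($0) }
let sealedAlbumKey = try sealItem(albumKeyBytes, under: vaultMasterKey)   // what CloudKit would see
let memberIdentity = P256.KeyAgreement.PrivateKey()           // the invitee's identity keypair
let wrappedForMember = try wrapAlbumKey(albumKey, to: memberIdentity.publicKey)
let photo = Data("constructed sample photo bytes".utf8)       // constructed sample input
let blob = try sealItem(photo, under: albumKey)
let memberKey = try unwrapAlbumKey(wrappedForMember, with: memberIdentity)
let openedByMember = try openItem(blob, under: memberKey)
let openedAlbumKey = try openItem(sealedAlbumKey, under: vaultMasterKey)
assert(openedByMember == photo && openedAlbumKey == albumKeyBytes)
```

Re-keying an album after a member is removed, as section 6.3 describes, corresponds here to generating a fresh albumKey and running wrapAlbumKey again for each remaining member only.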


3.3 Metadata – What Is and Isn’t Visible to Apple

Sanctum end-to-end encrypts (AES-256-GCM) all photo/video content and the following metadata, so Apple cannot read them:

The following remain visible to Apple because they are structural to CloudKit and CloudKit Sharing, and cannot be encrypted away while using them:

Sanctum treats Apple as a potential adversary for content and naming, but cannot hide that sharing occurs or between whom.


3.4 Diagnostics and Logging (Local Only)

CrashLog: A plain-text diagnostic log stored locally in your app’s sandbox, containing:

  - App lifecycle events (launch, import, sync)
  - Errors and exception messages
  - Redacted filenames (SHA-256 fingerprints, not the actual name)

Retention: Capped at the last 200 log lines; old entries are discarded automatically.

Transmission: The CrashLog never leaves your device. You can view and clear it manually from Settings → Diagnostics. It is not uploaded to Armlab, Apple, or any cloud service.

Why logged? Diagnostic breadcrumbs help troubleshoot crashes and sync issues if you report a problem to support.


3.5 What Sanctum Does NOT Collect


4. Shared Albums and Member Visibility

When you create a shared album and invite members:

Honest-client enforcement: Read-only (RO) members are prevented from uploading by client-side checks; a member cannot modify the role via the Sanctum app. However, the role is not enforced at the CloudKit API level—this is a known design trade-off documented in docs/security.md.


5. User Rights and Data Access

5.1 Right to Access Your Data

You have the right to access your encrypted data. In Sanctum:

Armlab is not able to fulfill access requests for encrypted content because Armlab does not have the encryption keys and cannot decrypt your media.

5.2 Right to Deletion (Erasure)

In-app delete: Delete individual photos/videos from the Sanctum app. Items are marked for deletion in CloudKit and removed from view; the encrypted blob is scheduled for deletion by CloudKit.

Erase all data: Go to Settings → Account → Erase All Data (or Settings → Erase Vault). This:

  - Deletes your local vault database and encrypted blob files
  - Deletes your identity key (used for shared albums)
  - Triggers deletion of your CloudKit records (personal vault items, shared-album memberships)
  - Does NOT erase shared-album content that other members still hold (they control their own copies)

Residual copies: Comments, reactions, and media you’ve already shared with other album members remain in their devices unless they also delete. You can request that members delete specific items, but Sanctum does not enforce it.

Uninstall: Uninstalling Sanctum does not delete your CloudKit data; it only removes the app from your device. Your encrypted data remains in iCloud until you erase it via the in-app function or via iCloud settings.

CloudKit deletion timeline: CloudKit may retain deleted records in transaction logs or backups for a limited period (typically 30 days). Armlab has no control over this.

5.3 Right to Portability

You can export your data as plaintext:

There is no automated bulk-export function to download all your data in a standard format (e.g. ZIP). If you want a full backup, you can export via the system share sheet and iOS Files app, or use iCloud’s native backup.

5.4 Right to Rectification and Objection

Sanctum does not profile or make automated decisions about you, so these rights have limited applicability. If you have concerns about how Apple processes your iCloud metadata, contact Apple directly.


6. Security Measures

6.1 Encryption

6.2 Device Access Controls

6.3 Threat Model and Known Limitations

Defends against:

  - Apple insiders or network observers (ciphertext only, no keys)
  - Stolen device (file protection + lock screen)
  - Malicious shared-album members (future content is re-keyed on their removal)

Does not defend against:

  - Forward secrecy: all personal-vault items use one master key; compromise reveals past and future items.
  - Identity rotation: identity keypairs are static for the app install lifetime.
  - Metadata leaks: CloudKit record identifiers, approximate upload times, encrypted-blob sizes, and the sharing graph are visible to Apple and, where applicable, album members.
  - Previously downloaded content: a revoked member keeps anything they downloaded before removal.
  - Honest-client enforcement: read-only members are prevented by the app, not the protocol.

See docs/security.md for a detailed threat analysis.


7. Children’s Privacy (COPPA)

Sanctum is not directed at children under 13. If a parent or guardian discovers that a child under 13 has created a vault in Sanctum, the parent can:

  1. Use parental controls on the device to restrict the app.
  2. Delete the app and the local vault.
  3. Use the child’s iCloud account to erase data from iCloud.com (iCloud settings).

If you believe a child under 13 is using Sanctum, contact support@sanctum.photos so we can assist.


8. Data Retention and Deletion Policies

Data Type            | Stored Where         | Retention                                       | Deletion
---------------------|----------------------|-------------------------------------------------|------------------------------------------------
Photos/videos        | Your iCloud          | Until you delete                                | Delete in-app or via iCloud.com
Encryption keys      | iCloud Keychain      | Lifetime of iCloud account                      | Delete account or reset Keychain
Vault metadata       | CloudKit             | Until you delete                                | In-app Erase All Data or CloudKit dashboard
Shared-album items   | Shared CloudKit zone | Until album deleted or you leave                | Album owner controls; you can leave
Comments/reactions   | Shared CloudKit zone | Until deleted by poster or owner                | Poster can delete own; owner can delete album
Diagnostics/CrashLog | Local app sandbox    | Last 200 lines, auto-trimmed                    | Settings → Diagnostics → Clear
iCloud backups       | Apple iCloud         | Apple’s backup policy (~30 days+ after deletion) | Not in Sanctum’s control

9. Changes to This Policy

Armlab may update this policy to reflect changes to Sanctum’s features, legal requirements, or iCloud policies. We will notify you of material changes by:

  1. Posting the new policy in the app (Settings → Legal → Privacy Policy).
  2. Sending a notification if Sanctum’s privacy posture fundamentally changes.

Your continued use of Sanctum after changes means you accept the updated policy.


10. Contact and Jurisdiction

Privacy inquiries, data requests, and rights exercise: Contact support@sanctum.photos or visit https://sanctum.photos/support.

Data Protection Authority complaints: If you are in the EU, you have the right to lodge a complaint with your national data protection authority (e.g. GDPR supervisory authority).

Applicable law: This policy is governed by the laws of Belgium, without regard to conflicts of law. Disputes shall be resolved in the courts of Belgium.

For GDPR/CCPA compliance: If you are in the EU (GDPR), California (CCPA), or other jurisdictions with data protection laws, your rights under those laws are not limited by this policy. You have the right to lodge a complaint with your supervisory authority if you believe your data is processed unlawfully.


11. Contact Information

Publisher: Armlab BV (enterprise no. BE0899277201), Sint-Hubertusstraat 67, 3730 Bilzen-Hoeselt, Belgium

Support: support@sanctum.photos

Data Protection Officer or Privacy Contact: privacy@sanctum.photos (if applicable under GDPR Article 37 or CCPA regulations)

App Store: Sanctum is published under Bundle ID com.armlab.sanctum on the iOS App Store.


Appendix: App Store Connect Privacy Questionnaire Mapping

The following sections map Sanctum’s actual data practices to Apple’s App Privacy questionnaire. Use these notes when completing the questionnaire in App Store Connect.

Q1: Does your app collect, use, or have capability to collect or use personal data, health data, or other sensitive information?

Answer: Yes (with explanation below).

Note: While Sanctum is end-to-end encrypted and Armlab cannot read the plaintext, the app does interact with CloudKit metadata and user-generated content (comments, reactions). These are disclosed below.

Q2: What personal data does your app collect?

Select:

  - ✅ Photos — users import photos and videos from Photos library or capture in-camera.
  - ✅ User IDs (if declaring identity public keys) — shared with album members for ECIES key wrapping.
  - ✅ Product Interaction — optional: if you log app crashes/diagnostics.

Deselect:

  - Location, Health, Financial info, Sensitive info (email, phone, etc. unless iCloud sign-in details are considered personal data; Apple typically doesn’t require disclosure for iCloud authentication itself).

Q3: Is this data collected by your company, or shared with a third party?

Answer: Collected by Armlab (but iCloud metadata is visible to Apple as the processor).

Note:

  - Plaintext media: collected by the app, encrypted on-device, stored encrypted in user’s iCloud (Apple is the processor).
  - CloudKit and sharing metadata (record identifiers, approximate upload times, encrypted-blob sizes, CKShare participants, member metadata): Apple processes this as part of CloudKit sync and sharing.
  - No sharing with third parties outside of Apple’s iCloud infrastructure.

Q4: Does your app collect personal data from children?

Answer: No. Sanctum is not directed at children under 13. COPPA applies if a child under 13 is using the app; see parent/guardian contact process in section 7.

Q5: Does your app use or collect data for tracking purposes?

Answer: No. Sanctum uses no analytics, tracking SDKs, or ad networks.

Q6: Is personal data used for third-party advertising or marketing?

Answer: No.

Q7: Do you provide users with access, deletion, and portability rights?

Answer: Yes.

Note: Armlab cannot decrypt encrypted content on behalf of users (no keys), so the “access” right is subject to the user’s ownership of their recovery phrase / iCloud Keychain access. This is by design and should be explained in review notes if questioned.

Q8: Does your app use or integrate with Apple’s App Tracking Transparency (ATT)?

Answer: No. Sanctum does not request user tracking permission; tracking is not used.

Q9: Does your app use any APIs or SDKs that require disclosure?

Answer: Yes (see PrivacyInfo.xcprivacy details).

NSPrivacyAccessedAPITypes:

  - NSPrivacyAccessedAPICategoryFileTimestamp — reason code C617.1 (file access for user functionality). Used by Sanctum when importing photos and reading locally-stored diagnostic logs.

Q10: Does your app collect data that persists across different apps or websites?

Answer: No (within Apple’s control). The only cross-app data is:

  - iCloud Keychain (Apple’s system, not Sanctum-specific; used to sync encryption keys to other devices).
  - Photos library (user imports their own content; the import action itself is not tracked by Sanctum).


Disclaimer

This is a template for informational purposes. Consult with a qualified attorney in your jurisdiction for legal advice specific to your situation, especially regarding GDPR (EU), CCPA (California), LGPD (Brazil), PIPEDA (Canada), and other applicable data protection laws.

Armlab makes no warranty that this policy is complete or fully compliant with all jurisdictions. Update as needed based on your legal counsel’s review and any changes to Sanctum’s features or data handling.


End of Privacy Policy