Privacy Policy — JC Laboratories

Effective March 17, 2026 · JC Laboratories / jclabs.tech

    JC Laboratories is built on a simple principle: your data belongs to you. We collect the absolute minimum required to operate our services — and for most tiers, we cannot access your vault contents under any circumstances.
  

Who We Are

JC Laboratories (jclabs.tech) is an independent technology company founded by Justin Czap. We develop security-focused software tools including Aleph Vault, the EGAF Gaffer AI assistant, and the JC Labs Community — a privacy-first public key directory and encrypted messaging board.

Our research and development division, JC Labs R&D, is responsible for the Entropy-Gated AI Framework (EGAF) — a structured AI governance and orchestration framework — and all products built upon it. Our mission is to put real security tools in the hands of real people, without compromise.

Our Products

Aleph Vault

An offline-first encrypted vault application for Android. Provides secure local storage of notes, passwords, cryptographic key pairs, API keys, and encrypted messaging via the MessageCrypt system. All sensitive data is encrypted on-device using AES-256-GCM. We cannot read your vault.

Vault export files are encrypted with a user-chosen export password before leaving the device. JC Laboratories never receives, stores, or has access to exported vault files on standard tiers. Business tier cloud backups are stored as encrypted blobs — we cannot decrypt them.

EGAF — Entropy-Gated AI Framework

A structured AI governance protocol developed by JC Labs R&D. EGAF defines a three-part vial composition system (OIL_CONTRACT, INVOKER, E_T) for governed, auditable AI task execution. It operates as a Layer 3 governance protocol above standard AI API mechanics.

EGAF is licensed under CC BY-NC 4.0. Commercial implementations require written permission from JC Laboratories.

Gaffer — EGAF AI Assistant

The flagship AI assistant built on the Entropy-Gated AI Framework. Gaffer provides governed AI interactions via web interface (ai.jclabs.tech) and API.

Messages sent through Gaffer are processed by third-party AI providers (Anthropic, Groq, OpenAI) subject to their own privacy policies. We do not store conversation logs on our servers. Each session is stateless.

Third-party providers: Anthropic, Groq, OpenAI.

JC Labs Community — Public Key Directory & Dead Drop Board

Public Key Directory — A jclabs.tech account is required to create a directory listing. Accounts may be pseudonymous — no real name required, only an email address. This account requirement exists to protect directory integrity and enable moderation.

Dead Drop Board — An anonymous encrypted message relay. No account required to post. All content must be encrypted ciphertext before posting. JC Laboratories operates as a blind courier — we cannot read posted messages.

What we store for community features:

Directory listings: username, public key block, optional bio (account-linked)
Dead drop messages: recipient identifier, sender identifier (optional), encrypted ciphertext, expiry timestamp
We do not store IP addresses, device identifiers, or any metadata beyond what is listed above

What We Collect — By Product and Tier

Aleph Vault — Data by Tier

Tier	Data Collected	Backup / Recovery
Free	Email address, subscription tier, usage counters	None — vault unrecoverable if password lost
Individual / Family	Email, tier, usage counters	Self-managed encrypted file export/import only
Small / Medium Business	Email, tier, encrypted cloud backup blob, optional recovery blob	Encrypted cloud backup + optional recovery add-on
Enterprise / VIP	Email, tier, encrypted backup blob, recovery blob, identity verification records	Cloud backup + recovery included + SLA

For all tiers, we do not collect, store, or have access to vault contents, private keys, messages, notes, passwords, or API keys. All vault data is encrypted on your device before any storage or transmission.

Gaffer — Data Collected

Conversation content — processed by third-party AI providers in real time, not stored by JC Laboratories
Usage metadata — session timestamps and request counts for rate limiting only

Enterprise Recovery Program

Opt-in only. Available on Business and Enterprise/VIP tiers. Enrollment requires explicit opt-in and a signed Enterprise Recovery Agreement.

When enrolled:

An encrypted recovery blob is generated and stored using Shamir's Secret Sharing across geographically separated secure locations
JC Laboratories cannot access your vault without your participation in the verified recovery process
Recovery requires identity verification — government-issued ID, video call, or other agreed method
Each recovery key is single-use and rotated immediately after use
Full audit logs of all recovery events are maintained and available to you on request
You may opt out at any time — recovery blob deleted within 30 days of opt-out

Dead Drop Board — Blind Courier Policy

    JC Laboratories operates the dead drop board as a blind courier. We transport encrypted ciphertext between users and cannot read its contents. We are not responsible for the content of messages posted to the board. All messages auto-delete at expiry.
  

Law enforcement requests for dead drop message content will be complied with to the extent legally required. However, because all messages are end-to-end encrypted, we can only provide the encrypted ciphertext — which is unreadable without the recipient's private key, which never leaves their device.

How We Use Your Information

To create and manage your account
To enforce subscription tier features and limits
To operate the dead drop board and community directory
To provide Enterprise Recovery services where enrolled
To communicate service updates (opt-in only)
To maintain service security and prevent abuse

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as required to operate the services described above or as required by law.

Data Storage and Security

Account data is stored in Firebase (Google Cloud) with industry-standard security controls. Dead drop messages are stored in Firebase Firestore with TTL-based auto-deletion. Business tier encrypted cloud backup blobs are stored in Firebase Firestore — encrypted on device before upload. Enterprise recovery blobs use cryptographic key splitting (Shamir's Secret Sharing) across geographically separated storage.

Data Retention

Account data — retained until account deletion
Dead drop messages — auto-deleted at sender-chosen expiry (1 hour to 30 days)
Community directory listings — retained until user removes them or account deletion
Business cloud backup blobs — retained while subscription is active, deleted 30 days after cancellation
Enterprise recovery blobs — retained for enrollment duration plus 30 days after opt-out

Request deletion at any time: contact@jclabs.tech

Your Rights

Request a copy of data we hold about you
Request deletion of your account and associated data
Remove your listing from the community directory at any time
Opt out of the Enterprise Recovery Program
Request a full audit log of any recovery events
Opt out of non-essential communications

Children

Our services are not directed at children under 13. We do not knowingly collect personal information from children under 13.

Changes to This Policy

Material changes will be communicated via the app or email. Continued use after changes constitutes acceptance.

Contact

contact@jclabs.tech · jclabs.tech