Privacy Policy — JC Laboratories

Effective March 30, 2026 · JC Laboratories / jclabs.tech

    JC Laboratories is built on a simple principle: your data belongs to you. We collect only the information required to operate, secure, and support our services — and we cannot access your encrypted vault contents or private keys under any circumstances, as they are never transmitted in readable form to our servers.
  

Who We Are

JC Laboratories (jclabs.tech) is an independent technology company founded by Justin Czap. We develop security-focused software tools including Aleph Vault, the EGAF Gaffer AI assistant, and CipherPort — a privacy-first public key directory and encrypted messaging board, and gateway to Cryptaverse.

Our research and development division, JC Labs R&D, is responsible for the Entropy-Gated AI Framework (EGAF) — a structured AI governance and orchestration framework — and all products built upon it. Our mission is to put real security tools in the hands of real people, without compromise.

Our Products

Aleph Vault

An offline-first encrypted vault application for Android. Provides secure local storage of notes, passwords, cryptographic key pairs, API keys, and encrypted messaging via the MessageCrypt system. All sensitive data is encrypted on-device using AES-256-GCM. We cannot read your vault contents.

On Free and Individual tiers, your vault data never leaves your device. Vault export files are encrypted with a user-chosen export password before leaving the device — JC Laboratories never receives or has access to these files. On Family, Business, and Enterprise tiers, encrypted cloud backup blobs may be stored on our servers — encrypted on your device before upload. We cannot decrypt them.

EGAF — Entropy-Gated AI Framework

A structured AI governance protocol developed by JC Labs R&D. EGAF defines a three-part vial composition system (OIL_CONTRACT, INVOKER, E_T) for governed, auditable AI task execution. It operates as a Layer 3 governance protocol above standard AI API mechanics.

EGAF is licensed under CC BY-NC 4.0. Commercial implementations require written permission from JC Laboratories.

Gaffer — EGAF AI Assistant

The flagship AI assistant built on the Entropy-Gated AI Framework. Gaffer provides governed AI interactions via web interface (ai.jclabs.tech) and API.

Messages sent through Gaffer are processed by third-party AI providers (Anthropic, Groq, OpenAI) subject to their own privacy policies and retention practices. We do not store conversation logs on our servers. Each session is processed without persistent storage by JC Laboratories.

Third-party providers: Anthropic, Groq, OpenAI.

CipherPort — Public Key Directory & Dead Drop Board

CipherPort is the community gateway of JC Laboratories, accessible at jclabs.tech/community. It is the gateway to Cryptaverse — a privacy-first cryptographic safe harbor where identity is a key and privacy is enforced by mathematics, not policy.

Public Key Directory — A jclabs.tech account is required to create a directory listing. Accounts may be pseudonymous — no real name required, only an email address.

Dead Drop Board — An anonymous encrypted message relay. No account required to post. All content must be encrypted ciphertext before posting. JC Laboratories operates as a blind courier — we cannot read posted messages.

What we store for CipherPort features:

Directory listings: username, public key block, optional bio (account-linked)
Dead drop messages: recipient identifier, sender identifier (optional), encrypted ciphertext, expiry timestamp
We do not store poster IP addresses in our application database. Network-level logs may be retained by infrastructure providers such as Cloudflare under their own policies.

What We Collect — By Product and Tier

Aleph Vault — Data by Tier

Account authentication uses a Cloudflare Worker-based system. Your email address is used for account creation and password reset only. It is not stored as plaintext in our database. Instead, we store a keyed cryptographic representation (HMAC-SHA256) for account lookup. This representation cannot be reversed to recover the original email from the stored value.

Tier	Data Collected	Backup / Recovery
Free	Email (processed for account creation and reset, not stored as plaintext), account tier, key pair counts, reset dates, repo item count, attachment count	None — vault data stays on device only
Individual	Same as Free	Self-managed encrypted file export/import only — vault data stays on device
Family	Same as Free, plus encrypted cloud backup blob and backup metadata	Self-managed export/import + encrypted cloud backup
Small / Medium Business	Same as Family, plus optional recovery blob	Encrypted cloud backup + optional recovery add-on
Enterprise / VIP	Same as Business, plus identity verification records	Cloud backup + recovery included + SLA

For all tiers, we do not collect or store vault contents, private keys, messages, notes, passwords, or API keys in readable form. All vault data is encrypted on your device before any storage or transmission. On Family, Business, and Enterprise tiers, encrypted blobs are stored on our servers for the duration of your subscription and cannot be decrypted by JC Laboratories. Protected vault and relay content is stored only as encrypted data and never in readable form.

Gaffer — Data Collected

Conversation content — processed by third-party AI providers in real time, not stored by JC Laboratories
Usage metadata — session timestamps and request counts for rate limiting only

Enterprise Recovery Program

Opt-in only. Available on Business and Enterprise/VIP tiers. Enrollment requires explicit opt-in and a signed Enterprise Recovery Agreement.

An encrypted recovery blob is generated and stored using Shamir's Secret Sharing across geographically separated secure locations
JC Laboratories cannot access your vault without your participation in the verified recovery process
Recovery requires identity verification — government-issued ID, video call, or other agreed method
Each recovery key is single-use and rotated immediately after use
Full audit logs of all recovery events are maintained and available to you on request
You may opt out at any time — recovery blob deleted within 30 days of opt-out

CipherPort Dead Drop Board — Blind Courier Policy

    JC Laboratories operates the CipherPort dead drop board as a blind courier. Encrypted message content is stored temporarily as ciphertext for delivery and automatically deleted at expiry. It may be deleted sooner after successful delivery. We do not store or have access to this content in readable form. We are not responsible for the content of encrypted messages we cannot decrypt.
  

Law enforcement requests for dead drop message content will be complied with to the extent legally required. However, because all messages are encrypted, we can only provide the encrypted ciphertext — which is unreadable without the recipient's private key, which never leaves their device.

How We Use Your Information

To create and manage your account
To enforce subscription tier features and limits
To operate CipherPort and the community directory
To provide Enterprise Recovery services where enrolled
To communicate service updates (opt-in only)
To maintain service security and prevent abuse (including rate limiting by IP address — not stored beyond the rate-limit window)

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as required to operate the services described above or as required by law.

Data Storage and Security

Account authentication data is stored in Cloudflare D1 (edge SQL database) and Cloudflare KV (edge key-value store). This infrastructure is operated by Cloudflare, Inc. under their privacy and security policies. Dead drop messages and encrypted relay content are stored with TTL-based auto-deletion. Family, Business, and Enterprise tier encrypted cloud backup blobs are stored on Cloudflare R2 — encrypted on device before upload. Enterprise recovery blobs use cryptographic key splitting (Shamir's Secret Sharing) across geographically separated storage.

Private keys are generated on your device and stored in your device's secure hardware enclave (Android Keystore). They are never transmitted to or stored on our servers.

Data Retention

Account data — retained until account deletion
Dead drop messages — auto-deleted at sender-chosen expiry (1 hour to 30 days)
Community directory listings — retained until user removes them or account deletion
Cloud backup blobs — retained while subscription is active, deleted 30 days after cancellation
Enterprise recovery blobs — retained for enrollment duration plus 30 days after opt-out
Rate-limiting counters — auto-expire within 15 minutes to 24 hours depending on endpoint
Session tokens — expire within 7 days or immediately on logout

Request deletion at any time: contact@jclabs.tech

Your Rights

Request a copy of data we hold about you
Request deletion of your account and associated data
Remove your listing from the community directory at any time
Opt out of the Enterprise Recovery Program
Request a full audit log of any recovery events
Opt out of non-essential communications

Children

Our services are not directed at children under 13, and we do not knowingly collect personal information from children under 13. The Family subscription tier is designed for adults managing privacy tools for their household — it is not a children's product. If you believe a child under 13 has created an account, contact contact@jclabs.tech and we will delete the account promptly.

Changes to This Policy

Material changes will be communicated via the app, website, or email. Continued use after changes constitutes acceptance.

Contact

contact@jclabs.tech · jclabs.tech