Hard Questions Deserve Honest Answers
We recently received some pointed, skeptical feedback from people in the gun community — people who care deeply about data privacy, distrust cloud services, and aren't interested in marketing spin. Good. That's exactly the kind of audience we built Vaultraq for.
Let's go through the concerns one by one.
"Cloud-based things are bad for sensitive data — so why are you pitching one?"
Fair point, and we don't fully disagree with the premise.
That's precisely why Vaultraq offers a local-only mode. You can run Vaultraq entirely on your own machine, with no account, no server, no third party, and no cloud storage. Your vault is encrypted locally using AES-256-GCM — an industry-standard authenticated encryption algorithm — and it never leaves your device unless you choose to sync it somewhere.
We offer a cloud option for users who want convenience — multi-device access, backup, and so on. But we're not here to tell you cloud storage is always the right answer. If you don't trust cloud storage for sensitive data, use local mode. It exists specifically for you.
"If it were client-side encrypted, you'd say so. So it probably isn't."
We are saying so, right here: the vault is encrypted client-side.
Your master password never leaves your device. The encryption key is derived locally. What gets stored or synced — in either cloud or local mode — is an encrypted blob. We do not have access to your decrypted data. This is a core design principle, not a marketing claim.
We understand skepticism here is warranted. Words are cheap. That's why we intend to open-source the encryption layer so it can be independently audited. We'd rather have the community verify this than ask you to take our word for it.
"Governments and corporations have forced backdoors before. What makes you different?"
They have. This is a documented, historical fact, and anyone who dismisses this concern isn't being serious.
Our answer: the architecture is designed so that even we cannot comply with a backdoor request in any meaningful way. If we don't hold your decryption key — and we don't — we have nothing useful to hand over. An encrypted blob without the key is useless to anyone.
For users who want the absolute highest level of assurance: use local mode. A locally encrypted vault on your own hardware is outside our reach entirely. We can't be compelled to expose what we don't have access to.
"Can you guarantee you'll be around in 10 years?"
No. And anyone who tells you they can is lying.
Companies fail. Products get acquired. Founders move on. This is true of every software product, including the ones you already use today.
What we can tell you is that we've designed Vaultraq with this exact scenario in mind:
- Your data is exportable at any time, in open formats, regardless of your subscription status.
- Local mode users own their vault files outright. If we disappeared tomorrow, your encrypted file sits on your drive and the decryption specification is documented.
- We are committed to providing data export access even if a subscription lapses.
"If a subscription lapses, can users export their data?"
Yes. A lapsed subscription does not lock you out of your data. You retain the ability to export your vault records.
"If the company goes away, will you export data for all customers?"
This is a harder question, and we'll be honest: if the company ceases to exist entirely, we cannot make operational guarantees that depend on infrastructure that may no longer be running.
This is why local mode matters. Local mode users have nothing to worry about — they hold their own encrypted vault files. If you are a cloud sync user and this concern weighs on you, we recommend periodically exporting your data as a local backup. We surface that option in the app and encourage its use.
"Are you willing to put that in a legally binding contract with severe penalties?"
We are not lawyers, and we won't pretend a blog post constitutes a legal commitment. What we will say is that our Terms of Service and Privacy Policy — which are being finalized and will be published — will be written in plain language, and will reflect the commitments described here.
But we'll be direct: if you require ironclad legal guarantees before trusting any software with sensitive data, the correct answer — regardless of what any company promises — is local mode with your own backups. No legal clause survives a company going bankrupt or being acquired by a hostile party.
"What makes the data secure? What if someone else can see it?"
We intentionally don't publish a detailed map of our infrastructure — not because there's anything to hide, but because a detailed blueprint of your security architecture is itself a security risk.
What we will say is this: the security of your data does not depend on the security of any server. It depends on the encryption. If infrastructure were ever compromised and someone walked out with a database, they would have a collection of AES-256-GCM encrypted blobs — computationally useless without the keys that only you hold.
The data is what matters, and the data is encrypted. That's the model.
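The client-side model described above (key derived on the device, only an encrypted blob stored or synced) and the stolen-database scenario can be sketched in a few lines. This is an added example, not Vaultraq's code: the scrypt key derivation, its cost parameters, the blob layout and all names are assumptions, since the post only names AES-256-GCM.

```javascript
// Added illustration, not Vaultraq's code. Assumptions: scrypt as the KDF, its cost
// parameters, and the salt|nonce|tag|ciphertext layout; the page names only AES-256-GCM.
const crypto = require("node:crypto");

const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;
const HEADER = Buffer.from("VAULT-EXAMPLE-v1"); // constructed label, authenticated as AAD

// Derive the 256-bit key on the device; the password is never stored or sent.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

function sealVault(password, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per encryption, never reused with a key
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  cipher.setAAD(HEADER);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]); // all a sync server would hold
}

function openVault(password, blob) {
  const nonceEnd = SALT_LEN + NONCE_LEN, tagEnd = nonceEnd + TAG_LEN;
  const key = deriveKey(password, blob.subarray(0, SALT_LEN));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(SALT_LEN, nonceEnd));
  decipher.setAAD(HEADER);
  decipher.setAuthTag(blob.subarray(nonceEnd, tagEnd));
  // final() throws if the key is wrong or any byte of the blob was altered
  return Buffer.concat([decipher.update(blob.subarray(tagEnd)), decipher.final()]).toString("utf8");
}

// True when decryption succeeds, false when GCM authentication fails.
function canOpen(password, blob) {
  try { openVault(password, blob); return true; } catch { return false; }
}

function demo() {
  const record = JSON.stringify({ serial: "CONSTRUCTED-0001" }); // constructed sample record
  const blob = sealVault("correct horse battery staple", record);
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 1; // flip one ciphertext bit
  return {
    roundTrip: openVault("correct horse battery staple", blob) === record,
    wrongPassword: canOpen("guess", blob),
    tampered: canOpen("correct horse battery staple", tampered),
    leaksPlaintext: blob.includes("CONSTRUCTED-0001"),
  };
}
```

Because the key comes from the master password, anyone holding a copy of the blob can still try passwords offline; how long that takes depends on the password's strength and the KDF cost, not on AES-256-GCM.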
"You need a Privacy Policy and Terms of Use page."
Absolutely correct. These are being finalized and will be published at a dedicated legal page on the site. We are committed to writing them in plain, readable language — not the typical wall of legalese designed to obscure rather than inform.
"This does nothing an offline encrypted spreadsheet wouldn't do — and that's free."
Honestly? For some people, that's true, and it's a perfectly valid choice.
A well-structured, encrypted spreadsheet maintained by a disciplined user is a legitimate approach to record keeping. We're not here to argue otherwise.
Vaultraq offers structure, guided fields for firearm-specific data (serial numbers, NFA stamp tracking, maintenance logs, photos, bills of sale, insurance documentation), and a purpose-built interface that makes consistent record keeping easier — especially for people who aren't comfortable managing encrypted file formats manually. It also handles things like photo attachments, multi-device access, and guided forms that a flat spreadsheet doesn't do particularly well.
If a spreadsheet works better for you, use it. If you want a purpose-built tool that handles the structure and supports both cloud and local modes with strong encryption, Vaultraq is here.
Final Word
We appreciate the hard questions. Skepticism from privacy-conscious gun owners isn't an obstacle to us — it's a quality signal. It keeps us honest and pushes us to build something genuinely trustworthy rather than something that just looks trustworthy.
If you want full control, use local mode. If you want convenience with encryption-backed security, use cloud mode. Either way, your data is encrypted, exportable, and yours.
Questions? Reach out through our support page.