Terms of Service
Last updated: May 25, 2026
By using Clavitor, you agree to these terms. If you don't agree, don't use the service.
Clavitor is a credential manager with three layers of encryption. Vault Encryption protects your entire vault at rest. Credential Encryption encrypts each field individually on the server — AI agents can read these via the CLI. Identity Encryption goes further: selected fields are encrypted on your device using your hardware key, and we cannot decrypt them. The math won't let us, even if someone asked us to.
Your encrypted data lives in one of our datacenters around the world. You choose which one.
Clavitor is not a backup service. If you lose access to your hardware key, the only way back to your Identity-encrypted fields is through the recovery process — which requires a recovery code you printed or saved when you set it up. Without that code, the data is mathematically unrecoverable. We can't help, and neither can anyone else. This is by design — it's what makes Identity Encryption trustworthy.
We offer a guided recovery process (video call with identity verification) for situations where you've lost your hardware key but still have your recovery code. Details are at /security.
Each account holds a single plan: Free, Individual, Family, Teams, Mid-Market, or Enterprise. You can't combine plans on one account. You're responsible for your hardware key and your recovery code. We strongly recommend completing the recovery setup as soon as you create your vault — it takes a minute and it's the only safety net that exists.
Don't store illegal content, don't attack our infrastructure, and don't flood our API. If we observe sustained abuse at the network level — rate-limit violations, credential harvesting patterns — we may block the account without warning. We can't inspect your vault contents (and we don't), but we can see traffic patterns.
All billing is handled by Paddle, our Merchant of Record. Paddle calculates and collects applicable taxes (VAT, GST, sales tax) based on your billing address, so you always see the full amount before you pay. Published prices at clavitor.ai/pricing exclude tax.
Individual and Family plans are paid once, done for the year. The full amount is charged at signup and your vault is available immediately. Your plan auto-renews on the anniversary, and we'll remind you 14 days beforehand.
Teams, Mid-Market, and Enterprise plans have no seat counts to choose and no minimum commitment. Create vaults as you need them — invite people, they enroll, and your vault count grows at your own pace.
At signup, a minimum charge is collected to validate your card and cover the first (partial) month. That charge is six times your per-vault rate in your local currency — the equivalent of six vaults for one month.
On the 28th of each month, we look at how many vaults you had on the 1st and how many you have on the 28th. Your invoice is based on the lower of those two numbers, multiplied by your per-vault rate — with the same minimum as a floor. If you're growing, new vaults aren't counted until their first full month. If you're shrinking, you see the savings immediately. All invoices are generated by Paddle and dated within the month they cover.
You can upgrade at any time. Your last payment is refunded in full and the new plan is charged immediately — no pro-rating, no credits, no partial-month calculations.
You can downgrade at any time, but only after reducing your vault count to fit the target plan. Once it fits, the switch is immediate. No refund is issued, but you're on a cheaper plan going forward. We never delete vaults or entries as part of a plan change — you choose what to archive.
The rate you sign up at stays the same for as long as you remain on that plan. We absorb inflation, exchange rate changes, and cost increases. If we raise prices for new customers next year, you still pay what you paid today.
Switching plans resets your rate to the current published price for the new plan. If your account is suspended for non-payment, the lock is forfeited and reactivation uses the rate in effect at that time.
After any charge, you have 14 days to cancel for a full refund — self-service, instant, and no questions asked. The charge is reversed and your account returns to its previous state.
The moment a payment fails, your vaults go into read-only mode. You can still view, copy, and export every credential you have, but you can't add or edit entries. Agent and API responses are delayed, and every read includes a billing warning. Paddle will attempt to recover the payment automatically during this time.
We also send you one email within the first few days explaining exactly what will happen and when.
Day 30 — suspended. If payment still hasn't been recovered, vault access is suspended entirely.
Day 60 — deleted. Vault data is permanently removed.
Day 90 — backups rotated. Compliance backups are destroyed.
Reactivation is available at any point before deletion — pay the outstanding balance and full access comes back within seconds.
Accounts that aren't paying us — Free accounts, and Free-for-Life accounts redeemed with a promo code — are removed when they go unused for 180 days. "Unused" means no successful sign-in to your vault during that window.
We warn you twice before deletion: at 150 days of inactivity, and again at 170 days. Both emails contain a direct link to reactivate — one sign-in resets the clock. On day 180, the vault and its credentials are permanently deleted.
This rule applies only to non-paying accounts. Paid accounts are governed by sections 06 and 10.
We claim no rights to your vault data. You can export it or delete it at any time, on any plan including Free. We will never restrict export, charge a fee for retrieval, or hold your data hostage during a billing dispute.
We aim for high availability but don't guarantee a specific uptime number. Scheduled maintenance is announced in advance, and we're not liable for data loss or downtime beyond making reasonable efforts to maintain the service and our backups.
Our encryption is the best we know how to build. It is not infallible — no system is. We publish our security approach at /security, and if something goes wrong, we'll tell you what we know as soon as we know it.
Cancel anytime from your account settings. Annual plans continue through the end of your paid year, and monthly plans continue through the current billing cycle. You can leave anytime, no penalty.
After your billing period ends, your vaults become read-only for 30 days — you can still view, copy, and export everything. Reactivate during this window at the then-current rate and you're back to normal. After 30 days, vault data is permanently deleted. Compliance backups are destroyed 30 days after that.
If you want your data removed sooner, you can request immediate deletion from your account settings at any time.
If we cancel your account for legal or regulatory reasons (sanctions, export controls), you receive a full refund for the remaining period.
The service is provided as-is. To the maximum extent permitted by applicable law, we are not liable for indirect, incidental, or consequential damages arising from your use of the service.
These terms are governed by the laws of Switzerland. Disputes are resolved in the courts of Zurich.
This is deliberate. Switzerland has some of the strongest privacy and data protection laws in the world — including the Federal Act on Data Protection (FADP), which applies regardless of where you live. Swiss law does not permit bulk surveillance or warrantless access to personal data, and foreign governments cannot compel disclosure without going through Swiss legal process, which has a high bar.
Our core infrastructure — the central hub that manages accounts, billing, and vault coordination — runs in Zurich. One of our Points of Presence is also in Switzerland. The remaining 20+ POPs are distributed globally so your vault is fast wherever you are, but the system of record is Swiss. By choosing Swiss jurisdiction for these terms, we give you the benefit of that framework — and we bind ourselves to it.
We'll email you before making material changes. If you disagree, you can cancel — and the data retention commitments above still apply.
Email legal@clavitor.ai. We read every message and we reply.