NotificationVault is a macOS application that captures and archives notification banners in a local SQLite database on your Mac. This Privacy Policy explains what data is collected, where it is stored, what network requests the app makes, and what rights you have.
The core design principle of NotificationVault is local-first, privacy-first: your notification content never leaves your device as part of the app's normal operation.
Summary for the impatient: Your notifications stay on your Mac. The app makes no analytics calls. The only outbound requests are version checks (Sparkle) and, for Pro subscribers, Paddle subscription verification using your email address.
All notification data captured by NotificationVault is stored exclusively in a SQLite database file on your Mac:
~/Library/Application Support/NotificationVault/vault.db
This file is created with POSIX permissions 0600 (readable and writable only by your user account). No other user or system process on the same Mac can read this file without your credentials.
App preferences (retention period, privacy mode settings, excluded app list, appearance setting, launch-at-login preference, EULA acceptance status) are stored in macOS UserDefaults under the app's domain. This data never leaves your device.
If you subscribe to Pro, your licence status (tier, activated email, activation date, last verification date, subscription ID) is stored in the macOS Keychain under the app's service name, protected by your macOS login credentials. This data is never transmitted to any server other than as part of the Paddle verification request described in Section 3.
NotificationVault makes the following outbound network requests:
| Request type | Destination | When | Data sent | Required |
|---|---|---|---|---|
| App update check (Sparkle) | 4191.ch | At app launch, periodically | App version, macOS version, CPU architecture (standard Sparkle headers) | All tiers |
| Subscription verification | api.paddle.com | At activation, every ~7 days | Your email address, Paddle subscription ID | Pro only |
| Paddle checkout | buy.paddle.com | When you click Subscribe | Standard payment checkout flow (handled by Paddle in browser) | Pro only |
Notification content is never transmitted. None of the above requests include any notification titles, bodies, app names from your vault, or any other notification data.
The app uses Sparkle 2.x to check for updates. Sparkle contacts https://4191.ch/appcast.xml and sends standard HTTP request headers that typically include the app version, macOS version, and CPU type. This is standard behaviour for all Sparkle-based macOS apps. No personal identifier, account information, or notification data is included. You can disable automatic update checks in the app's preferences if you prefer to check manually.
When you activate a Pro subscription, and approximately every 7 days thereafter to confirm it remains active, the app contacts Paddle's API (https://api.paddle.com) with your email address and the subscription ID. This is used solely to verify that your subscription is current and to update the locally stored licence status. If Paddle is unreachable, the app operates normally under a 3-day grace period before downgrading to Free tier functionality.
Paddle's privacy policy applies to data processed by Paddle: paddle.com/legal/privacy.
The app requests the macOS Accessibility permission to read notification banner text via the AXObserver API as banners appear on screen. This permission is used only to read the text of notification banners. It is not used to monitor keyboard input, read content in other application windows, record your screen, or observe any user interaction outside the notification banner context.
The app may request Full Disk Access if you want to import past notifications already stored by macOS. NotificationVault works without this permission for normal real-time capture. is outside the default app sandbox, which is why FDA is required. The app opens this file in read-only mode and never modifies it. This enables the app to recover notifications received while the AXObserver layer was inactive (e.g., during system sleep).
The entitlement used is com.apple.security.temporary-exception.files.absolute-path.read-only, scoped to $(HOME)/Library/Group Containers/group.com.apple.usernoted/, the minimum path necessary.
The app does not request: camera, microphone, contacts, calendar, location, photos, screen recording, or any other sensitive macOS permission beyond those listed above.
Pro subscriptions are processed by Paddle.com Inc. When you subscribe, you interact with Paddle's hosted checkout. Paddle processes your payment information and issues a subscription. NotificationVault receives from Paddle only a confirmation of subscription status; it does not receive or store your payment card details.
Paddle's privacy policy: paddle.com/legal/privacy
Update distribution uses the Sparkle framework (version 2.x, MIT licence). Sparkle contacts the appcast feed at https://4191.ch/appcast.xml over HTTPS. All update packages are signed with an Ed25519 key; Sparkle verifies the signature before extracting any file.
The app does not integrate with any analytics service (e.g. Mixpanel, Amplitude, Firebase), crash reporting service (e.g. Sentry, Crashlytics), advertising network, social SDK, or any other third-party network service beyond Paddle and Sparkle.
When you use the Export Data feature, the app writes a file (TXT, CSV, or PDF) to a location you choose. This file contains your notification data in plain text. The app assigns the exported file POSIX permissions 0600 immediately after writing, restricting access to your user account.
You are responsible for the security of exported files. Exported files are unencrypted. Storing them in shared or unencrypted cloud services, emailing them, or placing them in publicly accessible locations may expose your notification data to others. The app displays a warning before every export.
When you use the Export Report (diagnostics) feature:
Vault backups created via Diagnostics → Create Backup are copies of the raw vault.db SQLite file and contain all stored notification data. The same security considerations apply as to the database file itself.
You control how long notifications are retained. Options available in Preferences → Storage:
You can delete individual notifications, all notifications from a specific app, all notifications from a specific day, or all notifications at once from within the app.
The OTP Auto-Delete feature (Pro) automatically removes notifications matching OTP/2FA patterns after 1, 4, or 24 hours.
To fully remove all data stored by NotificationVault:
~/Library/Application Support/NotificationVault/vault.db
defaults delete ch.4191.notificationvault in Terminal
NotificationVault is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal data through the app, please contact us at support@4191.ch.
We may update this Privacy Policy from time to time. Material changes will be communicated via an in-app notice or on this website. The "Effective" date at the top of this page reflects the date of the most recent revision. Continued use of the app after a policy update constitutes acceptance of the revised policy.
If you have concerns about any changes, you may contact us before the change takes effect at support@4191.ch.
For privacy-related questions, data deletion requests, or any other inquiry regarding this policy:
Giovanni Caroni
Ticino, Switzerland
Email: support@4191.ch
Website: 4191.ch
We aim to respond to all privacy-related inquiries within 10 business days.