First Cryptiqo product

CardVault

A private, offline wallet for your business cards and loyalty cards — captured, encrypted and searched entirely on your device, with keys only you control.

  • Android 10+
  • Works offline
  • Zero-knowledge encryption

CardVault is at foundation stage. The architecture, security design and documentation are complete; some flows are being progressively finished.

CardVault home screen with the shield header, the “Private. Offline. Yours.” tagline and an overview of business and loyalty card counts.

Overview

Digitize the cards you carry — without giving up your privacy

Everything that matters — OCR, barcode decoding, image processing and encryption — happens on your device. No analytics, no advertising SDKs, no cloud OCR, no telemetry. The only network activity is an optional, explicitly user-initiated encrypted backup.

Features

What CardVault does

Every capability below is documented in the CardVault repository.

Two card types

Manage business cards and loyalty cards side by side, switchable per record.

Capture or type

Scan with the camera — edge detection, perspective correction, crop and enhancement — or enter details manually.

On-device OCR

ML Kit text recognition extracts names, company, title, email, phone, website, address and free text — entirely on your device.

On-device barcodes

Decode QR, EAN-13/8, Code 128/39, UPC-A/E, PDF417, Data Matrix and Aztec codes locally, and regenerate them on screen at the till.

Fast local search

Case-insensitive, partial-match search across the relevant fields, running entirely on your device.

Zero-knowledge encryption

AES-256-GCM with passphrase-derived keys (Argon2id), an Android Keystore-wrapped database key and a SQLCipher-encrypted database.

Biometric unlock

Unlock with fingerprint or face, with your passphrase kept as the recovery mechanism and a configurable auto-lock.

Encrypted backups

Local archive or optional Google Drive, OneDrive and WebDAV/Nextcloud backup — ciphertext only, validated by checksum on restore.

Barcode & QR support

Decode on-device, regenerate on screen

Decoding uses on-device ML Kit; regeneration at the till uses the ZXing library locally. Supported symbologies:

  • QR
  • EAN-13 / EAN-8
  • Code 128 / Code 39
  • UPC-A / UPC-E
  • PDF417
  • Data Matrix
  • Aztec

Architecture

Clean, modular and testable

CardVault follows Clean Architecture with MVVM in the presentation layer and the Repository pattern for data access, wired together with Hilt dependency injection across a multi-module Gradle project.

  • Pure-Kotlin domain models with no Android dependency.
  • Feature modules depend on core modules, never on each other.
  • Data layer uses Room over SQLCipher with on-device ML Kit capture.
  • Deliberate dependency minimization across the build.

Presentation: Compose screens · ViewModels (StateFlow)
Domain: Pure-Kotlin models · repository interfaces
Data: Room + SQLCipher · ML Kit · crypto · datastore

Privacy model

Your data stays on your device

CardVault has no backend servers, no user accounts and no operator who can access your content. Card metadata, images and barcode values are stored only on your device, encrypted with keys derived from your passphrase.

  • No cloud OCR or cloud AI — recognition runs on-device.
  • No telemetry, analytics or advertising SDKs.
  • No user tracking or profiling.
  • Camera only when scanning; network only for optional backup.

Offline-first design

Useful without a connection

Capture, OCR, barcode decoding, search and encryption all run locally. You can use CardVault indefinitely without ever enabling cloud backup.

The only network activity is an optional, user-initiated encrypted backup to Google Drive, OneDrive or WebDAV/Nextcloud — and only ciphertext is ever uploaded.

Security considerations

Encryption you don’t have to think about

CardVault is designed so the developer and provider can never read your data.

Keys from your passphrase

A symmetric key is derived from your passphrase with Argon2id (PBKDF2-HMAC-SHA256 fallback) and held only in memory for the session.

Encrypted at rest

The database is SQLCipher-encrypted; images and backups use AES-256-GCM authenticated encryption. The database key is wrapped by the hardware-backed Android Keystore.

Biometric & recovery

Unlock with fingerprint or face, with your passphrase as the recovery mechanism and a one-time recovery passphrase so you’re never locked out.
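
The passphrase-derived key, AES-256-GCM sealing and checksum-on-restore steps described above fit together as in the following sketch. It is an added example, not code from the CardVault repository. It uses the PBKDF2-HMAC-SHA256 fallback because the JDK ships it (Argon2id needs a third-party library), and the archive layout, iteration count and function names are assumptions.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

// Hypothetical layout (assumption, not CardVault's format): salt(16) | nonce(12) | GCM ciphertext+tag | SHA-256(32)
const val ITERATIONS = 600_000 // assumed work factor; the page does not state one
fun sha256(b: ByteArray): ByteArray = MessageDigest.getInstance("SHA-256").digest(b)

fun deriveKey(passphrase: CharArray, salt: ByteArray): SecretKeySpec {
    val spec = PBEKeySpec(passphrase, salt, ITERATIONS, 256)
    val raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
    spec.clearPassword()
    return SecretKeySpec(raw, "AES")
}

fun seal(passphrase: CharArray, plaintext: ByteArray): ByteArray {
    val salt = ByteArray(16).also { SecureRandom().nextBytes(it) }
    val nonce = ByteArray(12).also { SecureRandom().nextBytes(it) } // fresh per archive
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), GCMParameterSpec(128, nonce))
    cipher.updateAAD(salt) // bind the KDF salt to the ciphertext
    val body = salt + nonce + cipher.doFinal(plaintext)
    return body + sha256(body)
}

fun open(passphrase: CharArray, archive: ByteArray): ByteArray {
    require(archive.size >= 16 + 12 + 16 + 32) { "archive too short" }
    val body = archive.copyOfRange(0, archive.size - 32)
    // Unkeyed checksum: catches truncation or corruption before any key derivation.
    check(MessageDigest.isEqual(archive.copyOfRange(body.size, archive.size), sha256(body))) { "checksum mismatch" }
    val salt = body.copyOfRange(0, 16)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), GCMParameterSpec(128, body, 16, 12))
    cipher.updateAAD(salt)
    return cipher.doFinal(body, 28, body.size - 28) // GCM tag check: throws on wrong key or modified bytes
}

fun main() {
    val pass = "correct horse battery staple".toCharArray() // constructed sample passphrase
    val archive = seal(pass, "ACME Rewards 4006381333931".toByteArray()) // constructed card value
    println(open(pass, archive).decodeToString())
    val corrupt = archive.clone().also { it[30] = (it[30].toInt() xor 1).toByte() }
    println(runCatching { open(pass, corrupt) }.exceptionOrNull()) // rejected by the checksum
    val forged = corrupt.copyOfRange(0, corrupt.size - 32).let { it + sha256(it) }
    println(runCatching { open(pass, forged) }.exceptionOrNull()) // checksum passes, GCM tag rejects
}
```

The last two calls show the division of labour: a plain checksum only detects accidental damage, while the GCM tag is what rejects an archive whose bytes and checksum were both changed.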

Who it’s for

Built for people who value their privacy

Privacy-conscious individuals

Keep the cards you carry digital and searchable without handing your contacts and habits to an advertising network.

Security-focused professionals

A clear, documented threat model and zero-knowledge design that you can audit against your own requirements.

Frequent networkers

Capture business cards on the spot, extract the details on-device, and find anyone again with fast local search.

Everyday loyalty users

Replace a wallet full of plastic loyalty cards and show a scannable barcode or QR code on screen when you check out.

Questions

CardVault FAQ

Where is my data stored?

Only on your device, in an encrypted SQLCipher database with images and backups sealed using AES-256-GCM. CardVault has no backend servers and no user accounts.

What happens if I forget my passphrase?

During setup CardVault generates a one-time recovery passphrase and shows it once. Store it safely offline. Without your passphrase or recovery passphrase, your data cannot be decrypted — by design.

How does cloud backup stay private?

Backups are encrypted on your device before any upload. Cloud providers (Google Drive, OneDrive, WebDAV/Nextcloud) only ever receive ciphertext; your passphrase never leaves the device.

Which barcodes can CardVault read and show?

QR, EAN-13/8, Code 128/39, UPC-A/E, PDF417, Data Matrix and Aztec. Decoding uses on-device ML Kit; regeneration on screen uses the ZXing library locally.

What permissions does the app need?

Camera, only when you choose to scan a card, and network access only for an optional cloud backup you explicitly start.

Which languages and Android versions are supported?

English first, with structure for Italian, French, German and Spanish. CardVault targets Android 10 (API 29) and newer.

Ready to keep your cards private?

CardVault shows what privacy-first, offline-first software looks like in practice.