Your Personal
Data Vault.
A single, encrypted vault for your identity and personal data — secured by industry-standard encryption and anchored on a public blockchain so that every record is independently verifiable and tamper-proof.
Not a password manager. Not a cloud backup. Your vault is also your personal identity provider — share verified credentials with businesses on your terms, without ever handing over raw documents.

The data economy is
built against you
Across healthcare, finance, retail, and government — every industry treats your personal data as a commodity to extract, package, and sell. You are not the customer. You are the product.
You are the product
Across every industry, every app
Every time you sign up for a service, visit a doctor, use a loyalty program, or connect an account, your data is packaged and sold. Healthcare, retail, finance, social — it all feeds the same machine.
Aggregators own a copy of your life
You cannot see it. You cannot delete it.
Data aggregators and brokers pull from hundreds of sources — health, banking, shopping, government — and build permanent profiles on you. They monetize it without your knowledge and sell it without your consent.
Fragmented data, total exposure
Hundreds of databases. One breach hits all.
Your identity is scattered across healthcare, banking, credit, employment, government, and insurance systems. When any one is breached, the ripple is total — the pieces fit together into a complete profile of you.
The Consent Illusion
Every industryBuried consent checkboxes, 80-page privacy policies, and pre-ticked opt-ins are not consent — they are theater. Across healthcare, finance, retail, and government, you hand over your data to sign up, and lose control the moment you click agree.

Your Personal Data Vault
sealed, sovereign, on-chain
The platform replaces the broken model of scattered, sold, surveilled data with a single concept: the Personal Data Vault. Every byte you store is encrypted in your browser with a key only you hold, and every record update is cryptographically anchored on a public blockchain so that tampering is not just difficult — it is provably detectable.
Your Personal Data Vault
A single encrypted container for your identity and financial data. One keyholder — you. No backdoors, no master keys, no exceptions.
Blockchain-Verified Integrity
Every change to your vault is cryptographically anchored on a public blockchain. If anything is altered without your consent, the blockchain proves it.
Consent-First Sharing
Grant selective, time-limited access to specific vault fields. Revoke at any time — and the blockchain records every grant and revocation.
Zero Data Sales. Ever.
We do not sell, license, or share your data. This is a structural constraint of the vault model — not just a policy.
Your Vault
256-bit key · your device only
All access controlled by you. Revoke anytime.

How blockchain secures
your Personal Data Vault
Most companies promise your data is safe. We make that claim verifiable — cryptographically and independently — through the public blockchain blockchain. Here is exactly how it works, in plain English.
You update your vault
When you add or update data in your Personal Data Vault, the information is encrypted in your browser using a key only you hold — before it leaves your device. It then travels over a secure connection as ciphertext. Even if that connection were intercepted, an attacker would see only encrypted data they cannot read. We never receive or store your plaintext.
A hash fingerprint is created
The platform generates a cryptographic fingerprint of your encrypted record. This fingerprint uniquely represents your data — change a single character and the fingerprint changes entirely. No personal data is included.
The hash is anchored on public blockchain
That fingerprint — and only the fingerprint — is written to a smart contract on the public blockchain blockchain. public blockchain is a public, decentralized blockchain network with thousands of independent validators worldwide. No single entity controls it.
Tampering becomes provably impossible
If anyone — a hacker, a rogue employee, even our own servers — were to alter your stored data, the cryptographic fingerprint would no longer match what is on the blockchain. You can verify the integrity of your vault at any time, independently, without trusting us at all.
GDPR Compliant by Design
Only cryptographic hashes touch the blockchain — never names, addresses, account numbers, or any personal data. The right to erasure applies to your vault data; the on-chain hash proves integrity but reveals nothing.
Zero-Knowledge Key Model
Your 256-bit encryption key is generated in your browser and shown to you once. It is never transmitted, stored, or accessible to us. If we receive a subpoena, there is nothing to hand over — we are structurally incapable of decrypting your vault.
public blockchain: Decentralized & Auditable
public blockchain's smart contract stores your vault hashes. Because the contract is deployed on a public blockchain, anyone can independently query it to verify your data integrity — including you, without our involvement.
Blockchain security — your questions answered
The identity authority
built for the post-CCPA world
Identity authority has always been held by institutions — credit bureaus, background check companies, data brokers. They built the infrastructure for themselves, and they hold your data without meaningful consent. That model is under regulatory pressure from every major jurisdiction. Avallis is what replaces it.
User-owned credentials
Every verified fact lives in the user's encrypted vault — not in a corporate database. Users grant access. Users revoke access. The credential travels with the person, not the institution.
Consent on the blockchain
Every data access event is anchored on a public blockchain — creating a tamper-proof, timestamped record of what was shared, with whom, when, and why. Not a log in a database. An immutable proof.
Verification without exposure
The zero-PII API answers business questions — "is this person over 18?", "does their income qualify?" — server-side, without raw data ever leaving the vault. Businesses get certainty. Users keep privacy.
Reusable across institutions
A user verified once by Bank A doesn't re-verify for Bank B. Their Avallis vault carries a timestamped certificate issued by an independent verification engine. Onboarding drops from days to seconds.
The regulatory tailwind
When regulators mandate consent, Avallis is already there
The CCPA, GLBA Safeguards Rule, state biometric laws, and the FTC's ongoing data broker crackdown are all converging on the same conclusion: companies cannot hold and monetize personal data without explicit consent. The legacy data broker model is on borrowed time.
Avallis is built consent-first by architecture — not by policy retrofit. Every access is user-authorized. Every consent is blockchain-anchored. When the regulatory standard requires this, the institutions that integrated Avallis will already be compliant.
CCPA / CPRA
Right to opt out of data sale — we have no data to sell
GLBA Safeguards
Customer data must be protected — vault architecture compliant by design
GDPR Article 7
Consent must be explicit and revocable — blockchain-anchored per request
FTC Data Broker Rule
Registration + opt-out requirements — we are not a data broker
Old model vs. Avallis
| Aspect | Traditional model | Avallis |
|---|---|---|
| Who holds the data | Data brokers and credit bureaus | The individual — in their encrypted vault |
| How consent is captured | Buried in terms of service | Explicit, blockchain-anchored, per-request |
| What businesses receive | Raw PII pulled from broker databases | Verified results only — zero raw data |
| Breach liability | Yours — you hold the PII | Structural zero — you never had the PII |
| Regulatory trajectory | Increasingly hostile (CCPA, GLBA) | Compliant by architecture, not retrofit |
| User relationship | Adversarial — data extracted without consent | Aligned — user controls the credential |
More users → more valuable to businesses
Every user who verifies on Avallis adds to the network. Every business that integrates makes the Avallis credential worth more to users. The flywheel runs in both directions simultaneously.
Verified once, trusted everywhere
A user who completes IVE on Avallis carries that verification to every institution. Bank A's verification becomes valid at Bank B, Landlord C, and Employer D — reducing onboarding cost across the entire network.
User alignment is the competitive moat
Legacy identity authorities extract value from users. Avallis is structurally aligned with users — the product gets better for them the more they use it. That's a moat incumbents cannot replicate without rebuilding from scratch.
The identity infrastructure the post-CCPA world requires already exists. Join the users and businesses building on it.

We don't offer MFA.
We made it obsolete.
Multi-factor authentication is a patch on a broken model — proving you are who you say you are to a company that can still be hacked, subpoenaed, or sold. We replaced the model entirely.
Traditional security
Password + MFA + hope the company holds up
Passwords
Phished, reused, breached — billions stolen every year
MFA / TOTP
SIM-swapped, intercepted mid-login, a band-aid over broken auth
Server-side storage
Your data sits in cleartext databases that can be breached, sold, or subpoenaed
Trust the company
"We protect your data" is a promise with no proof — until the breach announcement
Avallis security
Cryptographic proof — no trust required
Your encryption key
Replaces passwordsA 256-bit key generated in your browser — never transmitted. Even if our servers vanish overnight, your key still unlocks your data.
Key signature
Replaces MFASigning with a private key proves identity without sending a password. Nothing to phish, intercept, or SIM-swap — cryptographic proof at the protocol level.
Client-side encryption
Replaces server trustYour data is encrypted in your browser before it reaches our servers. We store ciphertext — mathematically unreadable without your key. A breach of our infrastructure exposes nothing.
Blockchain integrity proof
Replaces trust in usEvery vault update anchors a cryptographic fingerprint on the blockchain. Tamper detection is public, permanent, and independent — no company promise required.
The math is the security.
The encryption is mathematically unbreakable. Blockchain anchoring means no silent tampering — ever. This is not a feature list. It is physics.
About the MetaMask signature request
When you sign in, MetaMask asks you to sign a short message — not a transaction. This proves you own your Sovereign Key without moving any funds or granting any spending permissions. Here is why it is safe:
Identity only
No transaction, no funds moved. MetaMask shows it as a Signature Request, never a transaction.
Expires in 5 min
A timestamp is embedded. The server rejects any signature older than 5 minutes — useless if intercepted.
Memory only
Cached for 4 minutes in browser memory to avoid repeated prompts. Never written to disk, localStorage, or any server.
About your Sovereign Key ID
Connecting MetaMask means Avallis can see your public Sovereign Key ID. That is a fair thing to wonder about — here is exactly what it does and does not mean:
Already public
Your Sovereign Key ID is visible on-chain to anyone right now — balance, history, everything. Avallis storing it exposes nothing new.
Your keys, your funds
Only your private key and seed phrase control your Sovereign Key, and those never leave MetaMask. Avallis cannot move funds or access it in any way.
Stored, protected
We keep your Sovereign Key ID only to recognize you on future logins — encrypted at rest, never shared, never linked to your identity outside your own vault.
Privacy built on mathematics,
not policy.
Every claim on this page is verifiable. The encryption is standard. The blockchain is public. The architecture is open.
2²⁵⁶
possible encryption keys
More than atoms in the observable universe. Your vault key is chosen from this space. Guessing it is not a realistic attack surface.
Continuous
tamper monitoring
Every vault record is anchored on the blockchain. Any silent modification is independently detectable — not a promise from Avallis, a cryptographic proof.
Real-time
Sentinel Intelligence
Multiple risk signals — behavioral, geographic, and compliance-based — are evaluated on every access event by AI-powered Sentinel Intelligence.
Zero-knowledge means zero access — for us too.
Data is encrypted in your browser using a key only you hold — before it leaves your device or travels over any connection. Even if traffic were intercepted, an attacker sees only ciphertext meaningless without your key. Here is exactly what each party holds.
What Avallis holds
What you hold
An encrypted blob of bytes
Your name and date of birth
A blockchain fingerprint hash
Your Social Security Number
A consent approval timestamp
Your income and bank balance
An expiration date
Your government ID
A business request ID
Your health insurance details
Identity sharing is broken. Here is what we changed.
Every row below is a decision Avallis made differently — and why.
Where your data lives
Before
Copied into the business's database — indefinitely
Avallis
Stays in your encrypted vault. Businesses receive approved, time-limited access.
Who controls access
Before
The business decides what they keep and for how long
Avallis
You approve every request. You set the time limit. You revoke at any time.
Audit trail
Before
None — you have no visibility into who has your data or what they did with it
Avallis
Every access logged permanently. Your dashboard shows exactly who saw what and when.
Revocation
Before
Practically impossible — no standard mechanism exists
Avallis
One tap. Consent revoked and confirmed. Business webhook notified immediately.
Tamper detection
Before
None — a breach may go undetected for months
Avallis
Every record anchored on the blockchain. Any tampering is detectable immediately — independently verifiable without trusting Avallis.
The math is the security. Not a feature list.

From creation to
blockchain-verified sovereignty
Five steps to a Personal Data Vault that no one — not even us — can read, alter, or exploit without your explicit consent.
Create your Personal Data Vault
A 256-bit AES-GCM encryption key is generated in your browser — your device only, never our servers. Your vault is sealed before a single byte leaves your machine.
Populate your golden record
Add your identity, financial, and contact data. Everything is encrypted with your key. We store only ciphertext — mathematically unreadable without the key you hold.
Vault is encrypted and blockchain-anchored
Your data is encrypted in your browser using a key only you hold — before it leaves your device. It travels encrypted over a secure connection, so even an intercepted connection exposes only ciphertext that cannot be decrypted without your key. Avallis servers only ever store the encrypted result.
Blockchain anchors your vault
Each update generates a cryptographic fingerprint permanently recorded on the blockchain. No personal data on-chain — only the proof that your vault is intact.
Share on your terms
Grant selective, time-limited consent to apps, lenders, and employers. Every grant and revocation is logged on-chain. Revoke at any time — instantly and permanently.
Privacy should
not be a luxury
Your vault, all sharing, AI fraud protection, blockchain anchoring, enforcement, and Sentinel Intelligence — free. Everything shown below is included at no cost.
$0
No credit card. No trial period. No catch.
Identity Verification
Pay-per-verification that upgrades your data to a trusted credential businesses can rely on — verify once per category, share unlimited times.
Identity
Name, DOB, address, SSN · $4.99 re-verify
$9.99
Contact
Phone and email · $2.99 re-verify
$4.99
Financial, Health, Travel — always free
Self-attested and fully shareable at no cost.
Every vault is free. You control what you share and with whom. You always own your data.
Compliant by architecture.
Not by retrofit.
Every major privacy regulation converges on the same requirement: explicit, revocable, per-purpose consent. Avallis was built to that standard before the regulations existed. Here's how we map to each framework.
CCPA / CPRA
California
- Right to know what data is collected — full audit trail per user
- Right to delete — vault deletion removes all data, no residual copies
- Right to opt out of data sale — we have no mechanism to sell data
- No sharing with third parties for cross-context behavioral advertising
GLBA Safeguards Rule
Federal (Financial)
- Customer financial data encrypted at rest with industry-standard encryption
- Access controls enforced via cryptographic key ownership
- Third-party service providers contractually bound
- Incident response program and audit logging in place
GDPR Article 7
EU / EEA
- Consent freely given, specific, informed, and unambiguous
- Withdrawal of consent as easy as giving it — one-click revoke
- Consent timestamped and anchored on blockchain (immutable proof)
- Data minimization — only data the user explicitly stores is held
HIPAA
Federal (Healthcare)
- Health vault encrypted with user-controlled keys — Avallis never holds plaintext
- PHI never stored in plaintext or transmitted to third parties
- Business Associate Agreements available for covered entities
- Full audit trail of every health data access event
FTC Data Broker Rule
Federal (Incoming)
- Avallis is not a data broker — we hold no aggregated PII databases
- Users control their own data — opt-out is built into the architecture
- No buying or selling of consumer data at any layer
- Consent-first model satisfies the rule's stated intent and more
FCRA
Federal (Credit)
- Permissible purpose required for all financial data verification
- Verified Claim API returns results only — no consumer report generated
- Dispute process supported via vault data correction by user
- No adverse action without user-controlled consent mechanism
Encryption
- Client-side encryption — data encrypted before it leaves your device
- Zero-knowledge key model — Avallis cannot read your data
- No master key held by Avallis
- Blockchain-anchored integrity checks
Access Control
- Consent required for every data access
- Blockchain-anchored consent proofs
- Instant revocation — cryptographic invalidation
- Per-purpose, per-recipient authorization
Auditability
- Complete immutable audit trail per user
- Blockchain-anchored consent records
- Every API call logged and attributable
- User-visible access history at all times
SOC 2 Type II — In Progress
Avallis is currently pursuing SOC 2 Type II certification covering Security, Availability, and Confidentiality trust service criteria. Enterprise customers requiring SOC 2 reports prior to certification can request our current security documentation and architecture review. Contact us at security@avallis.io.
Complete Data Lifecycle
Your data doesn’t disappear
when you share it — until now.
Most platforms give you a way to share data. None give you a way to get it back. Avallis is the first vault where sharing is the beginning of a relationship you control — not the end.
Share on your terms
Approve any business data request with one tap. You see exactly what they're asking for, why, and for how long — before you decide. Every share is encrypted end-to-end to their server. Avallis never sees the data you share.
Loan applications · KYC · Insurance · Rentals · HR onboarding
See who has what
Your audit trail shows every business that received your data — when, what categories, and for what purpose. Blockchain-anchored. Not a log that can be edited. An immutable record that belongs to you.
Vault Saves · Consent Grants · Data Shares · API Verifications
Demand it back
One click sends a formal deletion request under CCPA and GDPR. The business has 30 days to confirm they've deleted your data from their servers. You get an email confirmation — and an immutable audit record — when it's done.
30-day deadline · Legal standing · Email + audit confirmation
New
The first vault where you can
fire a business.
“End Relationship” is a single action that revokes all future access and sends a legally-binding deletion request in one tap. No emails to legal teams. No waiting to see if they comply. A 30-day clock starts immediately, confirmed in writing.
End relationship with First National?
This will take the following actions
Revoke consent
Blocks future API access immediately
Request data deletion
30-day CCPA / GDPR deadline
Build on the
identity authority
The Avallis API gives your application consent-anchored identity verification in one POST request. No PII storage. No compliance surface area. No verification pipeline to maintain.
// 1. Consumer approves your data request in Avallis
// → your webhook receives consentToken + encrypted payload
// 2. Run zero-PII checks against the consent
const result = await fetch('https://api.avallis.io/api/vault-verify', {
method: 'POST',
headers: {
'x-api-key': process.env.AVALLIS_API_KEY,
'Content-Type': 'application/json',
},
body: JSON.stringify({
consentToken: 'cst_abc123',
category: 'identity',
checks: ['age_over_18', 'name_match'],
}),
}).then(r => r.json())
// 3. Act on results — zero PII ever leaves Avallis
if (result.verified) {
approveApplication(user.id)
}API Response — zero PII
{
"livemode": true,
"verified": true,
"category": "identity",
"results": [
{ "check": "age_over_18", "verified": true, "result": "pass" },
{ "check": "name_match", "verified": true, "result": "pass" }
],
"checkedAt": "2026-07-03T10:42:11Z"
}
Create your Personal
Data Vault today
Join thousands reclaiming their data sovereignty. Your vault is free to create, encrypted from day one, and anchored on the blockchain — no credit card required.
Your key. Your data. Your vault.

See
in action
Schedule a personalized walkthrough with our team.

Build on the privacy layer
Integrate our platform into your product to offer users genuine data control. We work with fintechs, health platforms, identity providers, and compliance teams.