Your Personal
Data Vault.

A single, encrypted vault for your identity and personal data — secured by industry-standard encryption and anchored on a public blockchain so that every record is independently verifiable and tamper-proof.

Not a password manager. Not a cloud backup. Your vault is also your personal identity provider — share verified credentials with businesses on your terms, without ever handing over raw documents.

Encrypted on your device
Blockchain-anchored consent
Zero-Knowledge Key Model
Personal Data Vault
Encrypted · Blockchain-anchored
Secured
Encrypted
Identity
9 fields
Encrypted
Financial
7 fields
Encrypted
Contact
7 fields
Encrypted
Health
4 fields
Encrypted
Travel
5 fields
Encrypted
Documents
6 types
Blockchain Anchor
Last anchored · just now
Verified
0x4a3f2c1e8b7d9f0a5c6e3d2b1a8f7e4c3b2a1d0e9f8c7b6a5d4e3f2a1b0c9d8e
Cryptographic fingerprint only · no personal data on-chain
Your vault is your personal identity provider — share verified data, never raw documents
256-bit
AES-GCM Encryption
100%
User Controlled
5
Encrypted Vault Categories
15
Identity Verification Checks
Public
Blockchain Network
0
Data Sold to Third Parties
Consent-First Identity Authority
Encrypted on your device
Blockchain-Anchored Consent Proofs
Zero-PII Verification API
CCPA + GLBA Architecture
No Data Brokerage · Ever
Zero-Knowledge Key Model
User-Sovereign Vault
Sentinel Intelligence
Blockchain-anchored
GDPR Compliant
Verified Claim Links
Encrypted Document Vault
Privacy by Design — Not Retrofit
Consent-First Identity Authority
Encrypted on your device
Blockchain-Anchored Consent Proofs
Zero-PII Verification API
CCPA + GLBA Architecture
No Data Brokerage · Ever
Zero-Knowledge Key Model
User-Sovereign Vault
Sentinel Intelligence
Blockchain-anchored
GDPR Compliant
Verified Claim Links
Encrypted Document Vault
Privacy by Design — Not Retrofit
The Problem

The data economy is
built against you

Across healthcare, finance, retail, and government — every industry treats your personal data as a commodity to extract, package, and sell. You are not the customer. You are the product.

$YOU ARE THE PRODUCT
4,000+data points sold per person / yr

You are the product

Across every industry, every app

Every time you sign up for a service, visit a doctor, use a loyalty program, or connect an account, your data is packaged and sold. Healthcare, retail, finance, social — it all feeds the same machine.

Avallis fixes this →
$YOUR DATA, THEIR PROFIT
$200Bdata broker industry annually

Aggregators own a copy of your life

You cannot see it. You cannot delete it.

Data aggregators and brokers pull from hundreds of sources — health, banking, shopping, government — and build permanent profiles on you. They monetize it without your knowledge and sell it without your consent.

Avallis fixes this →
HEALTHBANKINGCREDITSOCIALEMPLOYMENTGOV IDINSURANCEEDUCATIONONE BREACH, TOTAL EXPOSURE
1 in 3people hit by breach each year

Fragmented data, total exposure

Hundreds of databases. One breach hits all.

Your identity is scattered across healthcare, banking, credit, employment, government, and insurance systems. When any one is breached, the ripple is total — the pieces fit together into a complete profile of you.

Avallis fixes this →
Consent Illusion — no visibility icon

The Consent Illusion

Every industry

Buried consent checkboxes, 80-page privacy policies, and pre-ticked opt-ins are not consent — they are theater. Across healthcare, finance, retail, and government, you hand over your data to sign up, and lose control the moment you click agree.

79%
of people feel they have
0
real control over their data
The Solution

Your Personal Data Vault
sealed, sovereign, on-chain

The platform replaces the broken model of scattered, sold, surveilled data with a single concept: the Personal Data Vault. Every byte you store is encrypted in your browser with a key only you hold, and every record update is cryptographically anchored on a public blockchain so that tampering is not just difficult — it is provably detectable.

Your Personal Data Vault

A single encrypted container for your identity and financial data. One keyholder — you. No backdoors, no master keys, no exceptions.

Blockchain-Verified Integrity

Every change to your vault is cryptographically anchored on a public blockchain. If anything is altered without your consent, the blockchain proves it.

Consent-First Sharing

Grant selective, time-limited access to specific vault fields. Revoke at any time — and the blockchain records every grant and revocation.

Zero Data Sales. Ever.

We do not sell, license, or share your data. This is a structural constraint of the vault model — not just a policy.

Personal Data Vault
On-Chain

Your Vault

256-bit key · your device only

Financial
In Vault
Identity
In Vault
Health
Paused
Commerce
Denied
Location
Paused
Social
Denied
Blockchain Anchor
0x4a3f2c1e8b7d9f0a5c6e3d2b1a8f7e4c…
Anchored

All access controlled by you. Revoke anytime.

Blockchain Security

How blockchain secures
your Personal Data Vault

Most companies promise your data is safe. We make that claim verifiable — cryptographically and independently — through the public blockchain blockchain. Here is exactly how it works, in plain English.

01
industry-standard encryption

You update your vault

When you add or update data in your Personal Data Vault, the information is encrypted in your browser using a key only you hold — before it leaves your device. It then travels over a secure connection as ciphertext. Even if that connection were intercepted, an attacker would see only encrypted data they cannot read. We never receive or store your plaintext.

02
Cryptographic fingerprint

A hash fingerprint is created

The platform generates a cryptographic fingerprint of your encrypted record. This fingerprint uniquely represents your data — change a single character and the fingerprint changes entirely. No personal data is included.

03
public blockchain Network

The hash is anchored on public blockchain

That fingerprint — and only the fingerprint — is written to a smart contract on the public blockchain blockchain. public blockchain is a public, decentralized blockchain network with thousands of independent validators worldwide. No single entity controls it.

04
Integrity Proof

Tampering becomes provably impossible

If anyone — a hacker, a rogue employee, even our own servers — were to alter your stored data, the cryptographic fingerprint would no longer match what is on the blockchain. You can verify the integrity of your vault at any time, independently, without trusting us at all.

GDPR Compliant by Design

Only cryptographic hashes touch the blockchain — never names, addresses, account numbers, or any personal data. The right to erasure applies to your vault data; the on-chain hash proves integrity but reveals nothing.

Zero-Knowledge Key Model

Your 256-bit encryption key is generated in your browser and shown to you once. It is never transmitted, stored, or accessible to us. If we receive a subpoena, there is nothing to hand over — we are structurally incapable of decrypting your vault.

public blockchain: Decentralized & Auditable

public blockchain's smart contract stores your vault hashes. Because the contract is deployed on a public blockchain, anyone can independently query it to verify your data integrity — including you, without our involvement.

Blockchain security — your questions answered

A New Category

The identity authority
built for the post-CCPA world

Identity authority has always been held by institutions — credit bureaus, background check companies, data brokers. They built the infrastructure for themselves, and they hold your data without meaningful consent. That model is under regulatory pressure from every major jurisdiction. Avallis is what replaces it.

User-owned credentials

Every verified fact lives in the user's encrypted vault — not in a corporate database. Users grant access. Users revoke access. The credential travels with the person, not the institution.

Consent on the blockchain

Every data access event is anchored on a public blockchain — creating a tamper-proof, timestamped record of what was shared, with whom, when, and why. Not a log in a database. An immutable proof.

Verification without exposure

The zero-PII API answers business questions — "is this person over 18?", "does their income qualify?" — server-side, without raw data ever leaving the vault. Businesses get certainty. Users keep privacy.

Reusable across institutions

A user verified once by Bank A doesn't re-verify for Bank B. Their Avallis vault carries a timestamped certificate issued by an independent verification engine. Onboarding drops from days to seconds.

The regulatory tailwind

When regulators mandate consent, Avallis is already there

The CCPA, GLBA Safeguards Rule, state biometric laws, and the FTC's ongoing data broker crackdown are all converging on the same conclusion: companies cannot hold and monetize personal data without explicit consent. The legacy data broker model is on borrowed time.

Avallis is built consent-first by architecture — not by policy retrofit. Every access is user-authorized. Every consent is blockchain-anchored. When the regulatory standard requires this, the institutions that integrated Avallis will already be compliant.

Active

CCPA / CPRA

Right to opt out of data sale — we have no data to sell

Active

GLBA Safeguards

Customer data must be protected — vault architecture compliant by design

Active

GDPR Article 7

Consent must be explicit and revocable — blockchain-anchored per request

Incoming

FTC Data Broker Rule

Registration + opt-out requirements — we are not a data broker

Old model vs. Avallis

AspectTraditional modelAvallis
Who holds the dataData brokers and credit bureaus
The individual — in their encrypted vault
How consent is capturedBuried in terms of service
Explicit, blockchain-anchored, per-request
What businesses receiveRaw PII pulled from broker databases
Verified results only — zero raw data
Breach liabilityYours — you hold the PII
Structural zero — you never had the PII
Regulatory trajectoryIncreasingly hostile (CCPA, GLBA)
Compliant by architecture, not retrofit
User relationshipAdversarial — data extracted without consent
Aligned — user controls the credential

More users → more valuable to businesses

Every user who verifies on Avallis adds to the network. Every business that integrates makes the Avallis credential worth more to users. The flywheel runs in both directions simultaneously.

Verified once, trusted everywhere

A user who completes IVE on Avallis carries that verification to every institution. Bank A's verification becomes valid at Bank B, Landlord C, and Employer D — reducing onboarding cost across the entire network.

User alignment is the competitive moat

Legacy identity authorities extract value from users. Avallis is structurally aligned with users — the product gets better for them the more they use it. That's a moat incumbents cannot replicate without rebuilding from scratch.

The identity infrastructure the post-CCPA world requires already exists. Join the users and businesses building on it.

Security Architecture

We don't offer MFA.
We made it obsolete.

Multi-factor authentication is a patch on a broken model — proving you are who you say you are to a company that can still be hacked, subpoenaed, or sold. We replaced the model entirely.

Traditional security

Password + MFA + hope the company holds up

Passwords

Phished, reused, breached — billions stolen every year

MFA / TOTP

SIM-swapped, intercepted mid-login, a band-aid over broken auth

Server-side storage

Your data sits in cleartext databases that can be breached, sold, or subpoenaed

Trust the company

"We protect your data" is a promise with no proof — until the breach announcement

Avallis security

Cryptographic proof — no trust required

Your encryption key

Replaces passwords

A 256-bit key generated in your browser — never transmitted. Even if our servers vanish overnight, your key still unlocks your data.

Key signature

Replaces MFA

Signing with a private key proves identity without sending a password. Nothing to phish, intercept, or SIM-swap — cryptographic proof at the protocol level.

Client-side encryption

Replaces server trust

Your data is encrypted in your browser before it reaches our servers. We store ciphertext — mathematically unreadable without your key. A breach of our infrastructure exposes nothing.

Blockchain integrity proof

Replaces trust in us

Every vault update anchors a cryptographic fingerprint on the blockchain. Tamper detection is public, permanent, and independent — no company promise required.

The math is the security.

The encryption is mathematically unbreakable. Blockchain anchoring means no silent tampering — ever. This is not a feature list. It is physics.

2²⁵⁶
Key space
Possible keys
100%
On-chain proofs
Tamper-evident
100+
Validators
Blockchain nodes

About the MetaMask signature request

When you sign in, MetaMask asks you to sign a short message — not a transaction. This proves you own your Sovereign Key without moving any funds or granting any spending permissions. Here is why it is safe:

Identity only

No transaction, no funds moved. MetaMask shows it as a Signature Request, never a transaction.

Expires in 5 min

A timestamp is embedded. The server rejects any signature older than 5 minutes — useless if intercepted.

Memory only

Cached for 4 minutes in browser memory to avoid repeated prompts. Never written to disk, localStorage, or any server.

About your Sovereign Key ID

Connecting MetaMask means Avallis can see your public Sovereign Key ID. That is a fair thing to wonder about — here is exactly what it does and does not mean:

Already public

Your Sovereign Key ID is visible on-chain to anyone right now — balance, history, everything. Avallis storing it exposes nothing new.

Your keys, your funds

Only your private key and seed phrase control your Sovereign Key, and those never leave MetaMask. Avallis cannot move funds or access it in any way.

Stored, protected

We keep your Sovereign Key ID only to recognize you on future logins — encrypted at rest, never shared, never linked to your identity outside your own vault.

Privacy built on mathematics,
not policy.

Every claim on this page is verifiable. The encryption is standard. The blockchain is public. The architecture is open.

2²⁵⁶

possible encryption keys

More than atoms in the observable universe. Your vault key is chosen from this space. Guessing it is not a realistic attack surface.

Continuous

tamper monitoring

Every vault record is anchored on the blockchain. Any silent modification is independently detectable — not a promise from Avallis, a cryptographic proof.

Real-time

Sentinel Intelligence

Multiple risk signals — behavioral, geographic, and compliance-based — are evaluated on every access event by AI-powered Sentinel Intelligence.

Zero-knowledge means zero access — for us too.

Data is encrypted in your browser using a key only you hold — before it leaves your device or travels over any connection. Even if traffic were intercepted, an attacker sees only ciphertext meaningless without your key. Here is exactly what each party holds.

What Avallis holds

What you hold

An encrypted blob of bytes

Your name and date of birth

A blockchain fingerprint hash

Your Social Security Number

A consent approval timestamp

Your income and bank balance

An expiration date

Your government ID

A business request ID

Your health insurance details

Identity sharing is broken. Here is what we changed.

Every row below is a decision Avallis made differently — and why.

Where your data lives

Before

Copied into the business's database — indefinitely

Avallis

Stays in your encrypted vault. Businesses receive approved, time-limited access.

Who controls access

Before

The business decides what they keep and for how long

Avallis

You approve every request. You set the time limit. You revoke at any time.

Audit trail

Before

None — you have no visibility into who has your data or what they did with it

Avallis

Every access logged permanently. Your dashboard shows exactly who saw what and when.

Revocation

Before

Practically impossible — no standard mechanism exists

Avallis

One tap. Consent revoked and confirmed. Business webhook notified immediately.

Tamper detection

Before

None — a breach may go undetected for months

Avallis

Every record anchored on the blockchain. Any tampering is detectable immediately — independently verifiable without trusting Avallis.

The math is the security. Not a feature list.

How It Works

From creation to
blockchain-verified sovereignty

Five steps to a Personal Data Vault that no one — not even us — can read, alter, or exploit without your explicit consent.

01
industry-standard encryption
A3F09CB2IN YOUR BROWSER ONLY

Create your Personal Data Vault

A 256-bit AES-GCM encryption key is generated in your browser — your device only, never our servers. Your vault is sealed before a single byte leaves your machine.

02
Encrypted
IDFINMEDindustry-standard encryption

Populate your golden record

Add your identity, financial, and contact data. Everything is encrypted with your key. We store only ciphertext — mathematically unreadable without the key you hold.

02b
Security

Vault is encrypted and blockchain-anchored

Your data is encrypted in your browser using a key only you hold — before it leaves your device. It travels encrypted over a secure connection, so even an intercepted connection exposes only ciphertext that cannot be decrypted without your key. Avallis servers only ever store the encrypted result.

03
Blockchain
cryptographic fingerprint0x4a3f…c1e8POLYGON NETWORK

Blockchain anchors your vault

Each update generates a cryptographic fingerprint permanently recorded on the blockchain. No personal data on-chain — only the proof that your vault is intact.

04
Consent-First
REVOKE ANYTIMEON-CHAIN LOGGED

Share on your terms

Grant selective, time-limited consent to apps, lenders, and employers. Every grant and revocation is logged on-chain. Revoke at any time — instantly and permanently.

Privacy should
not be a luxury

Your vault, all sharing, AI fraud protection, blockchain anchoring, enforcement, and Sentinel Intelligence — free. Everything shown below is included at no cost.

Always Free

$0

No credit card. No trial period. No catch.

All 5 encrypted vaultsIdentity, Financial, Contact, Health, Travel
Encrypted Document VaultPassport, bank statements, tax returns
Unlimited data sharingVerified Claims and Claim Links
Sentinel IntelligenceReal-time fraud detection + sanctions screening + AI layer + SMS alerts
Blockchain anchoringAll 5 vault categories
Protection Status Radar8-dimension live dashboard
Consent managementGrant, revoke, audit anytime
Enforcement serviceCCPA/GDPR demand letters
Full audit trailNo expiry
Create Your Vault — Free
Pay-Per-Verification

Identity Verification

Pay-per-verification that upgrades your data to a trusted credential businesses can rely on — verify once per category, share unlimited times.

Identity

Name, DOB, address, SSN · $4.99 re-verify

$9.99

Contact

Phone and email · $2.99 re-verify

$4.99

Financial, Health, Travel — always free

Self-attested and fully shareable at no cost.

Full Pricing Details →

Every vault is free. You control what you share and with whom. You always own your data.

Regulatory Framework

Compliant by architecture.
Not by retrofit.

Every major privacy regulation converges on the same requirement: explicit, revocable, per-purpose consent. Avallis was built to that standard before the regulations existed. Here's how we map to each framework.

CCPA / CPRA

California

Compliant
  • Right to know what data is collected — full audit trail per user
  • Right to delete — vault deletion removes all data, no residual copies
  • Right to opt out of data sale — we have no mechanism to sell data
  • No sharing with third parties for cross-context behavioral advertising

GLBA Safeguards Rule

Federal (Financial)

Compliant
  • Customer financial data encrypted at rest with industry-standard encryption
  • Access controls enforced via cryptographic key ownership
  • Third-party service providers contractually bound
  • Incident response program and audit logging in place

GDPR Article 7

EU / EEA

Compliant
  • Consent freely given, specific, informed, and unambiguous
  • Withdrawal of consent as easy as giving it — one-click revoke
  • Consent timestamped and anchored on blockchain (immutable proof)
  • Data minimization — only data the user explicitly stores is held

HIPAA

Federal (Healthcare)

Architecture ready
  • Health vault encrypted with user-controlled keys — Avallis never holds plaintext
  • PHI never stored in plaintext or transmitted to third parties
  • Business Associate Agreements available for covered entities
  • Full audit trail of every health data access event

FTC Data Broker Rule

Federal (Incoming)

Ahead of regulation
  • Avallis is not a data broker — we hold no aggregated PII databases
  • Users control their own data — opt-out is built into the architecture
  • No buying or selling of consumer data at any layer
  • Consent-first model satisfies the rule's stated intent and more

FCRA

Federal (Credit)

Compatible
  • Permissible purpose required for all financial data verification
  • Verified Claim API returns results only — no consumer report generated
  • Dispute process supported via vault data correction by user
  • No adverse action without user-controlled consent mechanism

Encryption

  • Client-side encryption — data encrypted before it leaves your device
  • Zero-knowledge key model — Avallis cannot read your data
  • No master key held by Avallis
  • Blockchain-anchored integrity checks

Access Control

  • Consent required for every data access
  • Blockchain-anchored consent proofs
  • Instant revocation — cryptographic invalidation
  • Per-purpose, per-recipient authorization

Auditability

  • Complete immutable audit trail per user
  • Blockchain-anchored consent records
  • Every API call logged and attributable
  • User-visible access history at all times

SOC 2 Type II — In Progress

Avallis is currently pursuing SOC 2 Type II certification covering Security, Availability, and Confidentiality trust service criteria. Enterprise customers requiring SOC 2 reports prior to certification can request our current security documentation and architecture review. Contact us at security@avallis.io.

Complete Data Lifecycle

Your data doesn’t disappear
when you share it — until now.

Most platforms give you a way to share data. None give you a way to get it back. Avallis is the first vault where sharing is the beginning of a relationship you control — not the end.

01

Share on your terms

Approve any business data request with one tap. You see exactly what they're asking for, why, and for how long — before you decide. Every share is encrypted end-to-end to their server. Avallis never sees the data you share.

Loan applications · KYC · Insurance · Rentals · HR onboarding

02

See who has what

Your audit trail shows every business that received your data — when, what categories, and for what purpose. Blockchain-anchored. Not a log that can be edited. An immutable record that belongs to you.

Vault Saves · Consent Grants · Data Shares · API Verifications

03

Demand it back

One click sends a formal deletion request under CCPA and GDPR. The business has 30 days to confirm they've deleted your data from their servers. You get an email confirmation — and an immutable audit record — when it's done.

30-day deadline · Legal standing · Email + audit confirmation

New

The first vault where you can
fire a business.

“End Relationship” is a single action that revokes all future access and sends a legally-binding deletion request in one tap. No emails to legal teams. No waiting to see if they comply. A 30-day clock starts immediately, confirmed in writing.

End relationship with First National?

This will take the following actions

Revoke consent

Blocks future API access immediately

Request data deletion

30-day CCPA / GDPR deadline

For Developers

Build on the
identity authority

The Avallis API gives your application consent-anchored identity verification in one POST request. No PII storage. No compliance surface area. No verification pipeline to maintain.

POST/api/data-request/create
POST/api/vault-verify
POST/api/tokenize
GET/api/tokens/:tokenId
GET/api/vault-verify/checks
API key authentication with scoped permissions
Webhook events for real-time consent updates
Batch verification checks in a single request
Consent token lifecycle management
99.9% uptime SLA on Enterprise
avallis-integration.js
// 1. Consumer approves your data request in Avallis
//    → your webhook receives consentToken + encrypted payload

// 2. Run zero-PII checks against the consent
const result = await fetch('https://api.avallis.io/api/vault-verify', {
  method: 'POST',
  headers: {
    'x-api-key': process.env.AVALLIS_API_KEY,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    consentToken: 'cst_abc123',
    category: 'identity',
    checks: ['age_over_18', 'name_match'],
  }),
}).then(r => r.json())

// 3. Act on results — zero PII ever leaves Avallis
if (result.verified) {
  approveApplication(user.id)
}

API Response — zero PII

{
  "livemode": true,
  "verified": true,
  "category": "identity",
  "results": [
    { "check": "age_over_18", "verified": true, "result": "pass" },
    { "check": "name_match",       "verified": true, "result": "pass" }
  ],
  "checkedAt": "2026-07-03T10:42:11Z"
}
Get Started Free

Create your Personal
Data Vault today

Join thousands reclaiming their data sovereignty. Your vault is free to create, encrypted from day one, and anchored on the blockchain — no credit card required.

Your key. Your data. Your vault.

256-bit encrypted
Blockchain anchored
Zero data sales
Request a Demo

SeeAvallisin action

Schedule a personalized walkthrough with our team.

No spam. Your info is used only to schedule your demo.

Partner with Us

Build on the privacy layer

Integrate our platform into your product to offer users genuine data control. We work with fintechs, health platforms, identity providers, and compliance teams.

Your inquiry is sent directly to our partnerships team. No third parties.