One canonical copy
Every fact about you — name, address, phone, identity, work history — lives in one place: the vault on your device.
addr
phone
name
Your personal data, owned by you.
Name, address, phone, identity, work history — structured in your vault. Apps you've connected read live under per-field consent; the next time something changes, every connected app finds out within seconds.
Live propagation
Per-field consent
Portable did:web identity
Connected apps borrow live
Update once; every app you've granted access to gets a webhook within seconds. No more updating twenty profiles after a move.
amazon
spotify
Webhooks · 1.8s
Family. Friends. Colleagues.
Share per item, per connection. Your partner sees your home address; your colleague doesn't. Family vaults for the things you really do co-own.
family
friend
3 categories shared
Update once. Propagate everywhere.
Twenty connected apps hold twenty stale copies of your address. BoxOwl flips it: the vault is the truth, every connected app borrows live, and a propagation receipt lands in your audit log every time.
Structured vault, 20+ categories
Addresses, emails, phones, identity, payment methods, work history, education, social links, cultural interests, dietary, lifestyle, vehicles, documents, travel docs, loyalty programs, pets — modeled, not free-form text.
Live propagation via webhook
The PDaaS framework fires customer.vault.user-updated to every connected app within seconds of a change. Apps render views over your vault; nobody keeps a writable copy.
Address book with relationships
Tag each address by relationship — self · household · family · friend · colleague · gift-recipient · one-time — with optional recipient name, validity window, and per-address opt-in for merchant attestation.
Per item. Per person. Bidirectional and asymmetric.
Real relationships are mutual; what you share inside them isn't symmetric. Your partner sees your home address; your colleague sees your work email; your gift-shopper sees one shipping address for one weekend. You authorize each grant.
Per-item visibility
Each row carries its own flag: private, public, or shared with specific connections. Long-press an item to override its default for any one person. Every change audit-logged.
Connection tiers
Restricted · standard · trusted · intimate, plus group memberships (family · friends · household · colleagues). Each tier sees only what its level and any per-item override allows — bidirectional, each side controls their own sharing.
Family vaults
Shared addresses, household notes, the things you really do co-own. Plans start at $6/mo for 5 members, scaling to $12/mo for 12. Every member gets Premium.
Data-clones map
Every saved login is a ghost of you somewhere.
BoxOwl shows you the map. Amazon has your home address; your dentist has your phone; that gym from 2018 still has your email. Per-site detail panel surfaces four actions: update profile (Chrome custom-tab deep-link), update via autofill (extension hint), request data deletion (DSAR email with the right statute), or request data export. Move? An "I've moved" wizard walks you through every site that needs the new address.
Shipping on Android, the web app, and the browser extension. DSAR templates cover CCPA + GDPR + CO/VA/CT/UT — counsel review pending before public release.
One handle. Three surfaces. Your call.
The public-facing edge of your vault — a profile page, a tappable business card with vCard + QR, and an opt-in resume. Each rendered from the same canonical fields you already maintain.
Public profile
Your page at boxowl.me/u/{handle} — bio, tagline, links, cultural interests, lifestyle. Verified by a portable did:web identity. Every field private until you publish it.
Business card
A tappable card at /u/{handle}/card/{slug} — HTML for the browser, vCard for the address book, JSON for everything else. Stable QR. Same field selection across them all.
Resume Early access
An opt-in public resume at /u/{handle}/resume, assembled from your work history, education, and identity. HTML for humans, JSON for machines. Recruiter API and skill chips rolling out post-launch.
Profile identity
Bio. Tagline. Interests. Lifestyle.
The richness of a social profile, without the social-network surveillance machine. Bio, tagline, zodiac (opt-in toggle), cultural interests, lifestyle facts, relationship status, work history — all in your vault, all under per-field visibility, all surfaced through the public profile only when you flip the flag.
Data side shipped on Android; rendering on the public profile honors per-field visibility honoring across all 20+ categories.
For builders
Building a consumer app?
PDaaS is the org-side of this pillar. Read the personal data your users explicitly share — and get a webhook every time it changes. SMRT delivers a signed JWT of opt-in preference signals; PDaaS adds a consented REST API and live propagation across the user's vault categories.
How it compares
BoxOwl is the only vault built around personal data.
Password managers cover Pillar 1. None of them carry structured personal data, propagate it to connected apps, or model interpersonal sharing as a first-class primitive. Pillar 2 is uncontested.
| Feature | BoxOwl | 1Password | Bitwarden | Dashlane |
|---|---|---|---|---|
| Single source of truth for personal data | ✓ | — | — | — |
| Propagation to connected apps (webhooks) | ✓ | — | — | — |
| Per-item visibility control | ✓ | basic | basic | — |
| Per-connection per-item overrides | ✓ | — | — | — |
| Connection tiers (family / friends / colleagues / household) | ✓ | family-only | family-only | family-only |
| Address book with relationship metadata | ✓ | basic | basic | basic |
Public profile (/u/{handle}) |
✓ | — | — | — |
| Business card (vCard + QR) | ✓ | — | — | — |
| Data-clones map | ✓ | — | — | — |
| Portable did:web identity | ✓ | — | — | — |
✓ shipped · — not offered · "basic" delivers a watered-down version of the same job · "family-only" supports household sharing but not the broader connection-tier model. Comparisons reflect public offerings as of mid-2026. For the full Pillar 1 vs Pillar 2 picture across all of BoxOwl, see the broader comparison.
Privacy primitives, made auditable.
The architecture in four lines. Click each for the depth.
Per-field visibility
Every row carries an explicit flag — private, public, or shared with specific connections. The flag is the API; nothing reads what isn't marked readable.
Per-connection audit log
Every read, write, share, and revoke is recorded — actor, IP, scope, key. View it on Settings → Activity; export it as a signed Open Audit receipt under CC0.
Scope-gated PDaaS reads
App reads dispatch through a registered scope grammar (address.primary, contact.phone, …). No scope, no read; revoke a scope and the next read returns nothing.
Propagation receipts
Every customer.vault.user-updated webhook delivery is logged with the app, the category, the timestamp, and the delivery status. Outstanding deliveries surfaced on a single dashboard.
Read the full architecture in trust.html, or the PDaaS framework source under Apache 2.0 at /docs.
Free for the personal-data vault.
Premium adds family sharing, attachments (rolling out), the full NightWatch dashboard, and AI-agent connections. Free · $3/mo Premium · $24/yr annual · Family from $6/mo.
Carry your personal data with you.
BoxOwl is in private beta. Get the Android app, install the browser extension, and join the waitlist for a registration token.