Privacy Policy

1. Introduction

Vaulto ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our services, including our website, application, APIs, and any related tools or documentation (collectively, the "Service"). It also describes your choices regarding your information and how you can exercise your rights.

We design our Service with a zero-knowledge architecture where applicable: sensitive data you store in vaults is encrypted under keys we do not possess, so we cannot access or read that content. This policy covers both the data we do process (such as account and usage information) and how we treat vault metadata and operational data.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service. We may update this policy from time to time; we will notify you of material changes by posting the updated policy and, where required by law, by additional means.

2. Information we collect

We collect information in several ways: directly from you, automatically when you use the Service, and sometimes from third parties (for example, when you sign in via a third-party identity provider).

2.1 Information you provide

• Account information: When you register, we collect your email address, name (if provided), password (stored in hashed form), and any profile or workspace details you add.
• Content you store in vaults: Data you encrypt and store in vaults is processed according to our zero-knowledge design. We do not have access to decryption keys for vault content; we store ciphertext and associated metadata (e.g. vault name, access policies) necessary to operate the Service.
• Communications: If you contact us (support, sales, or feedback), we keep records of those communications and any information you provide.
• Payment and billing: For paid plans, we collect billing details and payment information. Payment processing may be handled by a third-party provider; we receive only the information necessary to manage subscriptions and invoices.

2.2 Information collected automatically

When you access or use the Service, we automatically collect certain information, including:

• Log data (IP address, browser type, device information, timestamps, and referring URLs)
• Usage data (features used, API calls, frequency of use) to operate, secure, and improve the Service
• Cookies and similar technologies as described in our Cookie Policy

2.3 Information from third parties

If you sign in via a third-party identity provider (e.g. SSO, Google, or another IdP), we receive the identifiers and attributes that the provider shares with us (such as email and name) in accordance with your consent and that provider's policy.

3. How we use your information

We use the information we collect for the following purposes:

• Providing the Service: To create and manage your account, authenticate you, store and serve your encrypted data, enforce access policies, and fulfill API and product functionality.
• Security and integrity: To detect, prevent, and respond to fraud, abuse, security incidents, and to protect the rights and safety of our users and the public.
• Improvement and analytics: To understand how the Service is used, debug issues, and improve performance, usability, and features. Where possible we use aggregated or de-identified data.
• Communications: To send you transactional messages (e.g. password reset, security alerts), respond to your requests, and, with your consent or where permitted by law, send marketing or product updates.
• Legal and compliance: To comply with applicable laws, regulations, legal process, or enforceable governmental requests, and to enforce our terms and policies.

We do not sell your personal information. We do not use vault content (which we cannot decrypt) for advertising or profiling.

4. Data sharing and disclosure

We do not sell, rent, or trade your personal information. We may share your information in the following circumstances:

• Service providers: We work with trusted third parties who assist us in hosting, analytics, payment processing, customer support, and other operations. These providers are contractually bound to use the data only for the purposes we specify and to protect it in line with this policy and applicable law.
• Legal requirements: We may disclose information if required by law, court order, subpoena, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or security issues.
• Business transfers: In the event of a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
• With your consent: We may share information for other purposes when you have given us explicit consent.

5. Data retention

We retain your information for as long as your account is active or as needed to provide the Service and fulfill the purposes described in this policy. After you delete your account or request deletion of personal data, we will delete or anonymize your information within a reasonable period, except where we must retain it to comply with legal obligations, resolve disputes, enforce our agreements, or for legitimate business purposes (e.g. security logs).

Encrypted vault content and associated metadata are deleted according to your account lifecycle and our data retention schedule. Backup copies may persist for a limited period for disaster recovery; they are encrypted and subject to the same access controls.

6. Security measures

We implement technical and organizational measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS) and at rest (AES-256 where applicable), access controls, regular security assessments, and staff training. Our zero-knowledge design means we do not hold the keys to decrypt your vault content, reducing the risk of exposure of that data even in the event of a breach of our systems.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to responding to incidents and notifying affected users and regulators where required by law.

7. International data transfers

We may transfer, store, and process your information in countries other than your country of residence, including the United States and other locations where our service providers operate. Data protection laws in these countries may differ from those in your jurisdiction. When we transfer personal data from the European Economic Area, United Kingdom, or other regions with restrictive transfer requirements, we rely on approved mechanisms such as Standard Contractual Clauses (SCCs) or other adequacy decisions to ensure appropriate safeguards.

8. Children's privacy

The Service is not intended for individuals under the age of 16 (or higher where local law requires). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us and we will take steps to delete such information.

9. Your rights and choices

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data, subject to legal and operational retention requirements.
• Portability: Request a portable copy of your data in a machine-readable format where technically feasible.
• Objection and restriction: Object to or request restriction of certain processing (e.g. for direct marketing or where you contest accuracy).
• Withdraw consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Lodge a complaint: Lodge a complaint with a supervisory authority in your country.

To exercise these rights, contact us using the details in the Contact section below or through your account settings. We will respond within the timeframes required by applicable law. In some regions (e.g. California), you may also designate an authorized agent to make requests on your behalf.

10. Region-specific disclosures

10.1 European Economic Area and UK

If you are in the EEA or UK, we process your personal data on the legal bases of: performance of a contract (to provide the Service), consent (where you have given it), legitimate interests (e.g. security, improvement of the Service), and compliance with legal obligations. You have the rights set out in Section 9, including the right to lodge a complaint with your local data protection authority.

10.2 California (CCPA/CPRA)

California residents have the right to know what personal information we collect and how it is used and disclosed, to delete personal information, to correct inaccurate information, to limit use of sensitive personal information, and to not be discriminated against for exercising these rights. We do not sell or share personal information as defined under the CCPA. To submit a request, contact us as indicated below or use our designated request mechanism if we make one available.

10.3 Other regions

We respect applicable data protection laws in other jurisdictions (e.g. Canada, Australia, Brazil, India) and will respond to valid requests in accordance with those laws.

11. Cookies and similar technologies

We use cookies and similar technologies to operate the Service, remember your preferences, and analyze usage. For a detailed description of the cookies we use and how to manage them, please see our Cookie Policy.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the Service. We will post the updated policy on this page and update the "Last updated" date. For material changes, we will provide additional notice (e.g. by email or a prominent notice in the Service) and, where required by law, obtain your consent. We encourage you to review this policy periodically.