Legal

Privacy Policy

How we process and protect your personal data — and why our zero-knowledge design means we can't read your vault.

Effective 22 May 2026

This Privacy Policy sets out the basis on which we process any Personal Data we may collect about you as a visitor to our website at www.vaultneur.com and as a customer or potential customer using our personal digital vault application and services ("Services"). It also sets out how we protect your privacy and your rights in respect of our use of your Personal Data.

Who is the data controller?

A "data controller" is a person or organization who, alone or jointly, determines the purposes for which, and the manner in which, any personal data is processed. Vaultneur PTY LTD, Pretoria, Gauteng, South Africa ("Vaultneur", "we", "us", "our") is the data controller for the Personal Data described in this policy.

If you have any questions about data protection at Vaultneur, you can reach us by email at info@vaultneur.com.

An important note on our zero-knowledge design

Vaultneur is built so that the contents of your vault are encrypted on your own device before they reach us. We do not hold any key that can decrypt your vault contents, and we cannot read the documents and records you store. This shapes everything in this policy: while we process limited account information and metadata (described below), we do not have access to the actual contents of your vault.

What is personal data?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute Personal Data.

What is special category data?

Special category data is Personal Data that needs more protection because it is sensitive. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning a person's health, sex life or sexual orientation. Where such data is stored in your vault, it is encrypted on your device and we cannot access its contents.

Why do we have a privacy policy?

South Africa's Protection of Personal Information Act (POPIA), the UK Data Protection Act 2018, and the EU's General Data Protection Regulation ("GDPR") govern how your Personal Data is used by us. We are also required to explain which Personal Data we collect from you, what we use it for, when we delete it, and how it is protected.

What are the legal bases for processing personal data?

All Personal Data we obtain from you will only be processed for the purposes described below, within the framework of POPIA, the UK Data Protection Act and the GDPR, and only where at least one of the following applies: (a) you have given your consent; (b) the processing is necessary to perform a contract or take pre-contractual steps; (c) the processing is necessary to comply with a legal obligation; or (d) the processing is necessary for our legitimate interests, provided your interests are not overridden.

What personal data do we collect from you?

Access data and log files

When you visit our website, your browser automatically transmits certain data to our server, which is technically necessary to display the website and ensure its stability and security. This includes: the IP address of the requesting device; date and time of access; the name and URL of the file accessed; the referring website; the browser used and, where applicable, your operating system and access provider. The legal basis is our legitimate interest.

Hosting

Our website is built on WordPress. Our application back-end, authentication, database and encrypted storage are provided by Supabase. Encrypted vault data and limited account information and metadata are stored on this infrastructure. The legal basis is our legitimate interest in providing the website and Services securely and efficiently, together with the performance of our contract with you.

Cookies

For the processing of personal data using cookies and similar technologies on our website, please refer to our Cookie Policy. The legal basis is our legitimate interest or your consent, as explained in that policy.

Economic analyses and market research

For business reasons, we analyze aggregated and anonymized data about website usage and business transactions. These analyses are for our own use and are not disclosed externally. For website analytics we use Google Analytics, as described in our Cookie Policy. The legal basis is our legitimate interest and your consent.

Contact form

If you contact us, we process the data you provide solely to respond to and handle your enquiry — usually your name, email address, the topic and your message. The legal basis is our legitimate interest, the initiation or performance of a contract, and your consent.

Newsletter

If you subscribe to our newsletter, we collect your email address to send you updates and promotional material. The legal basis is your consent.

Registration and using our Services

To register and use our personal digital vault, you provide an email address and a password. Your password is used to derive the key that encrypts your vault; it is never transmitted to us and we never store it. We may also collect basic profile details you choose to provide. This data is used to create and operate your account and to provide the Services.

When you use the vault, you may enter documents and records ("Service Data"), which may include Personal Data and Special Category Data. You own your Service Data. Because of our zero-knowledge design, this content is encrypted on your device before it reaches us, and we cannot read it. We act as your Data Processor in respect of Service Data and process it only to provide the Services, in accordance with our Processing Addendum.

The types of information you may choose to store in your vault include identity, contact, medical, financial, business, login and other personal records, as well as documents and notes. All such content is encrypted on your device. We can see only limited metadata, such as the type of record (for example, "Medical" or "Login"), file sizes, timestamps and system identifiers — never the contents.

Two-factor authentication

Where you enable it, your account may be protected by additional authentication. We currently support app-based and device authentication. We plan to introduce SMS-based two-factor authentication in the future, provided by Twilio; if and when we do, we will update this policy and our Processing Addendum to reflect that Twilio processes your mobile number for that purpose, and we will treat your mobile number accordingly. Until then, no SMS is sent and no mobile number is shared with Twilio.

Support requests

If you contact support, we process the information you provide to handle your request, which may include your name, email address and any details you choose to share. Because of our zero-knowledge design, we cannot access your vault contents in order to assist you; we can only help with matters that do not require reading your encrypted data. The legal basis is the performance of our contract and our legitimate interest in handling your request.

Payment data

Subscriptions to our paid tier are managed in-app through RevenueCat and the relevant app store (Apple App Store or Google Play). Payment card details are handled by those providers and the app stores, not by us; we receive only your subscription and entitlement status. The legal basis is the performance of our contract.

Administration and business operations

We process data in the course of administering and organizing our business and complying with legal obligations such as record-keeping. The legal bases are our legal obligations and our legitimate interest.

Promotional use of your data

Within the legally permitted scope, we may use your email address to tell you about promotions and offers. This serves our legitimate interest, and you may opt out at any time.

Referral program data

If you sign up via a referral link or select a referring company at checkout, we collect referral-source data (such as the link used or company selected, your IP address and sign-up timestamp) to track referrals for commission purposes. The legal basis is your consent and our legitimate interest in running the program. We may share aggregated or anonymized referral data with referring companies for verification, but will not share your full personal details without your consent. You can withdraw consent by emailing info@vaultneur.com.

Change of purpose

We will only use your Personal Data for the purposes for which it was collected, unless we reasonably believe another purpose is compatible. If we need to use it for an unrelated purpose, we will notify you and explain the legal basis.

Disclosures of your personal data

We will not disclose your Personal Data to third parties unless: (a) it is necessary to perform our Services (including referral-program administration); (b) you have consented; or (c) we are legally obliged to do so, for example by court order or in connection with legal proceedings. Because of our zero-knowledge design, even where we are legally compelled to disclose data, we are technically unable to provide the plaintext contents of your encrypted vault, as we do not hold the keys to decrypt it.

International transfer

We may transfer your Personal Data internationally as necessary for the purposes described in this policy, including to our sub-processors. Where we do so, we put in place appropriate safeguards (such as the Standard Contractual Clauses) and take reasonable technical and organizational measures to protect it. Further detail is set out in our Processing Addendum.

Social media

We maintain a presence on social media based on our legitimate interest. If you interact with us on these platforms, we and the platform provider may be jointly responsible for the resulting data processing. The legal basis is our legitimate interest and your consent.

How long do we keep your personal data?

We delete your Personal Data when we no longer need it — for example, where it is no longer necessary for the purpose for which it was collected, where we believe it is inaccurate, or where you have withdrawn consent on which the processing relied. Where legal or regulatory requirements oblige us to retain data for a set period (including in relation to legal disputes), we will retain it for that period.

You may delete your account at any time. On deletion, your vault data, records, recovery data and account are removed by a single server-side operation. Encrypted copies that exist in routine backups are overwritten in line with our backup cycle. Data cannot be recovered after deletion.

How we secure your personal data

Vaultneur uses a zero-knowledge architecture. The contents of your vault — your documents and records — are encrypted on your own device using AES-256-GCM before they are transmitted to us. The key that encrypts your vault is derived from your password (which never leaves your device, using PBKDF2-SHA256) and is held only in your device's hardware-backed secure storage (the iOS Keychain or Android Keystore), optionally protected by your device biometrics. We do not hold any key capable of decrypting your vault contents.

As a result, our servers only ever store and process encrypted (ciphertext) data, together with limited account information and metadata such as file sizes, timestamps and record types. Data is encrypted in transit using TLS 1.3. Access to our systems is limited on a least-privilege basis, and our database enforces row-level security so that each account can only ever reach its own data. A 24-word recovery passphrase lets you restore your vault if you forget your password; we store only a one-way hash of it for verification and never the passphrase itself.

Please remember that no method of storage or transmission is completely secure, and that you are responsible for your password, your recovery passphrase and access to your device. Because of our design, if you lose both your password and your recovery passphrase, we cannot recover your data for you.

Linked sites

Our website may contain hyperlinks to other websites. We are not responsible for, and this policy does not apply to, the privacy practices of websites we do not own or control. We encourage you to read the privacy policy of each website you visit.

Your rights and privileges

You can exercise the following rights in respect of your Personal Data: the right to access; to rectification; to erasure; to restrict processing; to object to processing; and to data portability. To exercise any of these, or to update your information or withdraw consent, please contact us at info@vaultneur.com.

In the case of a Data Subject Access Request, we will respond as soon as reasonably possible. If we cannot respond within thirty (30) days, we will tell you why and when we expect to respond. Note that, because of our zero-knowledge design, requests that require access to the contents of your vault must be carried out by you through your own account, as we cannot decrypt that content on your behalf.

Complaint to a supervisory authority

The Information Regulator (South Africa) and the Information Commissioner's Office (UK) are the relevant authorities for data protection complaints in South Africa and the UK respectively. If you are in the EU, you can lodge a complaint with the data protection supervisory authority in your member state. We would, however, appreciate the chance to address your concerns first.

What we do not do

  • We do not request Personal Data from minors or children.
  • We do not use automated decision-making or profiling.
  • We do not sell your Personal Data.

USA-specific provisions

For users in the United States, we are committed to adhering to relevant state privacy and consumer data protection laws, such as those in California, Colorado and Virginia, and aim to provide all US users with the rights set out in this policy. California residents may request information about disclosures of Personal Data for direct marketing ("Shine the Light"). We do not knowingly collect Personal Data from children under 13 (COPPA). We comply with the CAN-SPAM Act, and you can unsubscribe from marketing emails at any time. Our website does not currently respond to Do-Not-Track signals, as no uniform standard is finalized.

Canada and Mexico-specific provisions

For users in Canada and Mexico, we apply the same rights and privileges set out in this policy, recognizing the similarities of PIPEDA (Canada) and the LFPDPPP (Mexico) to the GDPR. In case of ambiguity, the most stringent provision applies. The Office of the Privacy Commissioner (www.priv.gc.ca) is Canada's national authority; in Mexico the relevant national authority is INAI.

Help and complaints

If you have any questions about this policy or the information we hold about you, please contact us at info@vaultneur.com.

Changes

This version of the policy is effective from the date stated above and is the current version. Any prior versions are superseded. If we make changes, we will revise the effective date.