Privacy Policy

This Policy applies to personal information we process when you visit our site, create or manage an account, use the Service to create or manage links, communicate with us, or otherwise interact with us in connection with the Service.

For personal data covered by this Policy, VaultDrop acts as the controller (within the meaning of the GDPR and similar laws) unless we process data solely as a processor on behalf of a customer organization under a separate agreement, in which case that organization may be the controller for certain processing activities.

If you use the Service on behalf of an organization, that organization may have its own agreement with us and may control certain aspects of your account. This Policy does not override any enterprise-specific terms.

Account and profile data: name, email address, organization name (if provided), password hashes (we do not store plaintext passwords in readable form), and similar account identifiers.

Billing data: billing contact details, payment method information (processed by our payment processors), subscription status, and transaction history.

Service and technical data: IP address, device and browser type, approximate location derived from IP, timestamps, log and diagnostic data, API usage metadata, and similar information needed to operate and secure the Service.

Communications: messages you send to support (including email content) and metadata associated with those communications.

Content metadata: information about the links you create (such as expiration settings, identifiers, and delivery status) as necessary to operate the Service. Depending on how you use the Service, encrypted payloads may be stored in a form we cannot decrypt.

We do not knowingly collect sensitive categories of personal information beyond what you voluntarily submit, and we do not use the Service to request government-issued ID numbers except where required for a specific purpose (e.g., verified billing) and permitted by law.

We use personal information to: provide, maintain, and improve the Service; authenticate users; process payments; send transactional and administrative messages; detect, prevent, and respond to fraud, abuse, and security incidents; comply with legal obligations; enforce our Terms; analyze aggregated or de-identified usage trends; and communicate about updates or changes (where permitted).

Where required by law, we rely on appropriate legal bases (such as performance of a contract, legitimate interests, consent where required, or legal obligation) when processing personal information.

We and our service providers may use cookies, local storage, and similar technologies for authentication, session management, security, preferences, and analytics. You can control cookies through browser settings; disabling certain cookies may affect functionality.

We may disclose personal information to service providers that perform services on our behalf (such as hosting, payment processing, email delivery, analytics, and customer support) subject to confidentiality and processing terms appropriate to the data.

We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of VaultDrop, our users, or the public.

We may disclose information in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to appropriate confidentiality and use restrictions.

We do not sell personal information for monetary consideration as defined under applicable U.S. state privacy laws, and we do not use or disclose sensitive personal information for purposes that California law prohibits without a right to limit use.

We may process personal information in the United States and other countries where we or our service providers operate. Where required, we implement appropriate safeguards for cross-border transfers (such as standard contractual clauses approved by relevant authorities or other lawful mechanisms).

We retain personal information for as long as necessary to provide the Service, fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary depending on the nature of the data and legal requirements. Encrypted link payloads and related metadata may be retained only for the period you configure, subject to technical and operational constraints.

We implement administrative, technical, and organizational measures designed to protect personal information against unauthorized access, loss, or alteration. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

Depending on your location, you may have rights to access, correct, delete, or restrict processing of your personal information; to object to certain processing; to data portability; to withdraw consent where processing is consent-based; and to lodge a complaint with a supervisory authority.

Residents of certain U.S. states (including California) may have additional rights regarding access, deletion, correction, and opt-out of certain processing or “sharing” for cross-context behavioral advertising, where applicable. We will not discriminate against you for exercising your rights.

To exercise rights, contact us using the email address below. We may need to verify your identity before responding. You may designate an authorized agent where permitted by law.

The Service is not directed to individuals under sixteen (16) years of age, or the age required by applicable law. We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take appropriate steps to delete it.

We do not use personal information for automated decision-making that produces legal or similarly significant effects solely on an automated basis.

We may update this Privacy Policy from time to time. We will post the updated Policy on this page and indicate the “Last updated” date. If changes are material, we will provide additional notice as required by law.

For privacy-related requests or questions, contact us at the email address shown on this page. If you are in the EEA, UK, or Switzerland, you may also contact your local data protection authority.