Privacy Policy
Last updated: October 22, 2025
At Veault, your privacy is our foundation. Our Service is built on a zero-knowledge principle. This means that technically, we can never view the contents of your vault.
This statement explains what data we process, why we do so, and how we protect your privacy, in line with the General Data Protection Regulation (GDPR).
1. Data Controller
The party responsible for processing your personal data is:
Leval AS
Asperholen 58A
4329 Sandnes
Norway
Org.number: 935 999 170
For any privacy-related questions or to exercise your rights, you can reach out via: privacy@veault.com
2. What Personal Data Do We Process?
We process different types of data, specified below.
A. Data We CANNOT See (Zero-Knowledge)
The contents of your vault are for your eyes only.
Vault Contents: All personal information, notes, drafts, and documents you choose to store in your vault.
Files and Documents: All files you upload.
Important: All this data is encrypted on your device (client-side) with AES-256 encryption before it reaches our servers. We do not possess your encryption keys and have no technical means to decode or view your vault contents.
B. Personal Data We Do Process (Account and Security Data)
To provide you with the Service, we process the following categories of data:
Identity Data:
Email address (for authentication and communication)
First and Last names
Language preference
Market information
Technical Data:
Authentication tokens (for securely managing your login session)
Subscription status and anonymized billing information (managed via Stripe)
Server and security logs, including IP addresses (for security and fraud prevention)
Anonymous usage analytics (no personal identification; see Section 4)
Marketing Data (after consent):
Cookie identifiers and click IDs (for linking ads to conversions)
Hashed (anonymized) personal data for conversion measurement (Meta API)
3. Why We Process Your Data (Purposes and Legal Basis)
We only process your personal data (category B above) for specific purposes and based on a valid legal basis (in accordance with Article 6 of the GDPR).
We base our processing on the following three grounds:
A. Based on the Performance of the Contract (GDPR Art. 6(1)(b))
Purpose: Providing the secure vault service and managing your account.
Data: Identity data, Technical data.
Purpose: User authentication and account security.
Data: Identity data (email), Technical data.
Purpose: Processing subscriptions and payments.
Data: Identity data, Technical data (subscription status).
Purpose: Providing customer support and service communication.
Data: Identity data.
B. Based on Our Legitimate Interest (GDPR Art. 6(1)(f))
Purpose: Securing the Service, monitoring misuse, and fraud prevention.
Data: Technical data (incl. IP logs).
Purpose: Improving our website and service through anonymous, privacy-friendly analytics.
Data: Anonymous usage analytics (Vemetric).
C. Based on Your Explicit Consent (GDPR Art. 6(1)(a))
Purpose: Sending optional marketing communications (newsletters).
Data: Identity data (email, name).
Purpose: Measuring the effectiveness of ads and conversion attribution.
Data: Marketing data, Technical data.
Purpose: Placing marketing and tracking cookies.
Data: Marketing data (Cookie IDs).
4. Cookies, Analytics, and Tracking
We distinguish between necessary, analytical, and marketing technologies.
4.1. Necessary Cookies
We may use functional cookies that are essential for the operation of the Service (such as managing your login session). No consent is required for these.
4.2. Privacy-Friendly Analysis (Standard)
We use Vemetric for website analytics. This service was specifically chosen because it uses no cookies and does not collect personally identifiable information (PII). It is completely anonymous, GDPR-compliant, and is loaded by default based on our legitimate interest.
4.3. Marketing & Tracking (Only with Consent)
Only if you explicitly give consent (via our cookie banner), will we activate the following scripts and cookies:
Google Tag Manager (GTM): A management system to load other marketing tags.
Meta API Tracking (via Pixelflow): To measure conversions (like purchases) and link them to ads on Meta platforms (Facebook, Instagram).
You can withdraw your consent at any time.
5. Sharing of Data (Recipients)
We never sell your personal data. We only share your account data with the following partners (sub-processors) who are strictly necessary to deliver the Service:
Stripe (Ireland): For processing all payments and managing subscriptions.
Brevo (France): For sending emails (transactional and opt-in marketing).
Amazon Web Services (AWS) (Ireland/Sweden): For hosting our servers and your encrypted data, and for sending support emails.
Vemetric (EU): For collecting anonymous website statistics (does not process personal data).
After your explicit consent we also share data with:
Google (Ireland/US): For ad analysis through Google Tag Manager.
Meta (Ireland/US): For conversion measurement via the Meta API.
6. Data Storage and Transfer (Outside the EU)
Your privacy and data sovereignty are crucial to us.
6.1. Primary Storage within the EEA All data necessary for the core functionality of the Service (your account data, your encrypted vault data) is stored within the European Union. Our primary sub-processors (Stripe, Brevo, AWS) also process this data within the EEA.
6.2. Transfer Outside the EEA (Marketing Data)
If you consent to marketing tracking (Section 4.3), the collected marketing data (such as cookie IDs and hashed data) may be transferred to servers of Google and Meta in the United States. This transfer is legally permitted based on adequate safeguards, such as the European Commission-approved Standard Contractual Clauses and/or the EU-US Data Privacy Framework.
7. Retention Periods
We do not retain your data longer than necessary (data minimization).
Account and Vault Data: This data is retained as long as you have an active account. Upon a request for deletion of your account, all this data (including all encrypted vault content) is permanently deleted from our production systems within 30 days.
Security Logs: Server and security logs (including IP addresses) are kept for a maximum of 90 days.
Invoice and Transaction Data: Data related to your subscription (such as invoices) is retained, even after the deletion of your account, according to statutory (tax) retention periods (typically 7-10 years).
Inactivity Policy: An account is considered 'inactive' if there is no active paid subscription period (monthly/yearly) or no 'Lifetime' access. 30 days after an account reaches the status 'inactive' (for example, 30 days after the end of a trial period or a non-renewed subscription), the account and all associated vault data are permanently deleted.
Marketing Data: This data is retained according to the terms of Google/Meta, or until you withdraw your consent.
8. Your Rights
You have full control over your data. You have the right at any time to:
Access the account data we have about you.
Update your profile data (rectification).
Download your vault data (data portability).
Permanently delete your account and all your data (right to erasure).
Manage your subscription through the self-service portal.
Withdraw your consent for marketing communication and tracking.
Object to processing based on our legitimate interest.
Request restriction of processing.
Lodge a complaint with your local supervisory authority (such as the Dutch Data Protection Authority in the Netherlands) or the Norwegian supervisory authority (Datatilsynet), if you believe we are not handling your data correctly.
You can exercise most of these rights directly through your account settings. For other requests, you can contact privacy@veault.com. We will respond as soon as possible, but within 30 days at the latest.
9. Changes to this Statement
If we significantly change this privacy statement (for example, by adding new trackers or sub-processors), we will notify you via email or a clear notice on our website.
