Privacy Policy

The data controller is Tom Nsengiyumva (Étudiant-indépendant), 40 Zwarteleertouwersstraat, 8000 Brugge, Belgium. Belgian enterprise number (KBO/BCE): 1022549155. VAT: BE1022549155.

Contact for any privacy-related question or to exercise your rights: contact@vvault.app.

No Data Protection Officer has been appointed — we are not required to have one given our scale of processing under article 37 GDPR.

Account data: email, name, handle, password hash, plan, language, billing identifiers, profile metadata you choose to add.

Content data: audio files, packs, series, campaigns, contacts, notes, and any other material you upload.

Usage data: pages viewed, features used, performance metrics, error reports, IP address, user-agent, language, time of access.

Engagement data on shared content: opens, clicks, plays, downloads and saves of the campaigns and links you send to your contacts.

Device data on the iOS app: APNs push tokens, app version, OS version.

Communication data: support requests, replies to our emails.

Performance of contract (art. 6(1)(b)): account creation, providing the service, processing payments, sending campaigns you ask us to send, customer support.

Legitimate interest (art. 6(1)(f)): security, fraud prevention, anti-abuse, product analytics on aggregated data, debugging, defending legal claims.

Consent (art. 6(1)(a)): non-essential cookies and trackers (analytics, marketing pixels), optional marketing emails. You can withdraw consent at any time via the cookie preferences link in the footer.

Legal obligation (art. 6(1)(c)): tax records, accounting, and any retention period imposed by Belgian law.

Account data: kept for the duration of the account plus 3 years after last activity, then deleted or anonymised.

Content data: kept for the duration of the account; deleted from active storage within 30 days of account closure (90-day soft-delete recovery for accidental cancellation).

Engagement and analytics data: aggregated after 13 months; raw events kept up to 25 months for analytics, then deleted.

Billing and tax records: kept 7 years as required by Belgian Code des sociétés et associations and the VAT Code.

Server access logs: 12 months, then anonymised.

We use the following processors strictly to operate the service. Each is bound by a Data Processing Agreement.

Stripe Payments Europe Ltd. (Ireland, with US affiliates) — payments, subscriptions, invoicing.

Supabase Inc. (US corporate entity, data hosted in eu-west-1 Ireland) — database and authentication.

Vercel Inc. (US) — hosting and CDN. Standard Contractual Clauses cover the EU→US transfer.

Resend (US) — transactional and marketing email delivery. SCC in place.

Google LLC (US) — Google Analytics 4 and Google OAuth (only when you choose to sign in with Google). Loaded only after analytics consent.

Meta Platforms Ireland Ltd. — Meta Pixel for advertising attribution, only when you accept marketing cookies.

Apple Inc. (US) — Apple Push Notification service for the iOS app.

Cloudflare R2 (US/EU) — object storage for uploads. SCC in place.

Some of our subprocessors are located outside the European Economic Area, primarily in the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. Specific SCC copies are available on request at contact@vvault.app.

Strictly necessary cookies are used for authentication and security and cannot be turned off.

Analytics cookies (Google Analytics 4, Vercel Analytics) and marketing pixels (Meta Pixel) are loaded only after you accept the corresponding category in the consent banner. You can revisit your choice at any time via the 'Cookie preferences' link in the footer.

Local storage is used to remember UI preferences (theme, language, dismissed banners, auth tokens).

When a vvault user sends a campaign through our service, the message contains a 1×1 open-tracking pixel and link redirectors that record opens and clicks. The vvault user is the data controller of their own contact list and is responsible for having a lawful basis to email those contacts. We act as a processor for them.

Recipients can opt out of further emails using the unsubscribe link automatically appended to every campaign and the List-Unsubscribe header (RFC 8058).

vvault runs an affiliate program. When a visitor arrives via an affiliate link we set short-lived cookies (vv_aff, vv_aff_ts) so we can attribute eventual signups to the affiliate. These cookies are essential to the affiliate program and contain no personally identifying data.

Under the GDPR you can: access your data; correct inaccurate data; delete your data; restrict or object to processing; export your data in a portable format; lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) — https://www.autoriteprotectiondonnees.be.

Account deletion is available from Settings → Security. Data export is available from Settings → Account → Download my data, or by emailing contact@vvault.app.

We respond to rights requests within 30 days, extendable by 60 days for complex requests.

vvault is not directed at children under 16. Users between 13 and 16 must have their parent or legal guardian's consent to use the service (Belgian threshold under article 8 GDPR is 13). We will delete an account on request if we are notified that it belongs to a child under 13 or to a 13-16 user without parental consent.

We use HTTPS, hashed passwords, encrypted backups, role-based access controls, and minimum-privilege service accounts. Despite reasonable measures, no system is perfectly secure; if a breach affecting your data occurs we will notify the Belgian DPA within 72 hours and you, where required, without undue delay.

We may update this policy. Material changes will be communicated by email and/or via an in-app banner at least 14 days before they take effect. The 'Last updated' date at the top tracks the most recent revision.

For any privacy-related question or to exercise your rights: contact@vvault.app.