GDPR & Data Processing
Information for individuals and organizations in the EU, UK, and other jurisdictions with similar data protection laws.
Your Company Ltd is the data controller for personal data processed through the Vault PDF SaaS application (account, billing, team metadata, and operational logs).
Data protection contact: divya@vault-pdf.com
For a broader overview, see our Privacy Policy.
Vault PDF acts as a data controller for account and workspace data. When your agency uses Vault PDF to process client documents locally in the browser, your agency typically remains the controller for client data; Vault PDF does not receive PDF contents for core tools.
Compliance customers may request a Data Processing Agreement (DPA) covering Your Company Ltd's processing of team member and account data. Email divya@vault-pdf.com with your organization name and billing contact.
Teams can also generate a client-facing privacy document from Settings → Compliance to explain browser-only processing to their own customers.
- Identity data: email address, display name
- Account data: organization name, role, team membership
- Billing data: subscription status, payment provider customer ID (card details handled by Dodo Payments)
- Usage metadata: tool ID, file count, timestamps, compression mode (no filenames or PDF content)
- Audit data: administrative actions, hashed IP for security events
- Integration data: optional Slack OAuth tokens (encrypted) when connected by an admin
Core PDF tools run entirely in the end user's browser. We do not receive, store, or process PDF file contents, filenames, or decryption passwords for those tools.
| Processing activity | Legal basis | Retention |
|---|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) | While account is active, plus up to 90 days after deletion for security and billing reconciliation |
| Team and subscription management | Contract (Art. 6(1)(b)) | While subscription is active, plus up to 7 years for billing and tax records where required by law |
| Usage and activity metadata | Legitimate interests: service operation, team visibility, and compliance receipts (Art. 6(1)(f)) | Typically 90 days for activity logs; deletion receipt metadata retained while the receipt link remains valid |
| Audit and security logging | Legitimate interests: security, fraud prevention, and accountability (Art. 6(1)(f)) | Typically 90 days; export available to org admins |
| Transactional email | Contract (Art. 6(1)(b)) | Per email provider logs; typically up to 30 days operational retention |
| Optional Slack integration | Consent / contract: enabled only when an admin connects Slack (Art. 6(1)(a)/(b)) | While integration is connected; tokens removed on disconnect |
You may object to processing based on legitimate interests by contacting us. We will assess your request and stop processing unless we demonstrate compelling legitimate grounds that override your interests.
We engage the following sub-processors to deliver the service. A current list is maintained in our Privacy Policy:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database, row-level security | EU / US |
| Dodo Payments | Subscription billing and payment processing | Varies by processor region |
| Resend | Transactional email (invites, receipts, onboarding) | US |
| Hosting provider | Application hosting, CDN, and operational logs | US / EU (region-dependent) |
Personal data may be transferred to sub-processors outside the EEA, including the United States. We implement appropriate safeguards, including EU Standard Contractual Clauses (SCCs) with processors and contractual obligations to protect data to an equivalent standard.
Contact divya@vault-pdf.com to request details of transfer mechanisms relevant to your organization.
We apply technical and organizational measures including encryption in transit (TLS), row-level security in our database, encrypted storage of integration tokens, hashed IP logging for audit events, and browser-only PDF processing for core tools so file bytes are not stored on our servers.
Right of access (Art. 15)
Request a copy of personal data we hold about you.
Right to rectification (Art. 16)
Correct inaccurate account or profile information.
Right to erasure (Art. 17)
Request deletion of your account and associated personal data, subject to legal retention obligations.
Right to restrict processing (Art. 18)
Ask us to limit how we use your data in certain circumstances.
Right to data portability (Art. 20)
Receive account data you provided in a structured, machine-readable format.
Right to object (Art. 21)
Object to processing based on legitimate interests, including security logging where applicable.
Right related to automated decision-making (Art. 22)
Vault PDF does not make solely automated decisions with legal or similarly significant effects.
Right to withdraw consent (Art. 7(3))
Where processing relies on consent (e.g. optional integrations), you may withdraw consent at any time.
To exercise any of these rights, email divya@vault-pdf.com from the address associated with your account. We may need to verify your identity before fulfilling a request.
If you are in the EU or UK and believe we have not handled your personal data appropriately, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first at divya@vault-pdf.com so we can try to resolve your concern.
EU authorities are listed at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.
GDPR and DPA inquiries: divya@vault-pdf.com
General support: divya@vault-pdf.com
This information is provided for transparency and is not legal advice. Consult qualified counsel for jurisdiction-specific requirements.