1. Introduction
This Privacy Policy explains how Vaultsy ("we", "us", "our", "Platform") collects, uses, stores, and protects your personal data when you use our digital marketplace platform at https://vaultsy.io.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws worldwide.
By using Vaultsy, you consent to the data practices described in this policy. If you do not agree, please do not use the Platform.
2. Data Controller
Vaultsy is the data controller responsible for your personal data. For questions or concerns about your data, contact us at:
3. What Data We Collect
3.1 Account Information (Creators)
When you create a Creator account, we collect:
- Full name (first and last name)
- Email address
- Password (encrypted and hashed)
- Creator name/display name
- Profile picture (optional)
- Bio and profile description (optional)
- Social media links (optional)
3.2 Purchase Information (Buyers)
When you purchase a digital product, we collect:
- Email address (for delivery)
- Payment information (processed by Stripe - not stored by us)
- Transaction details (product, price, date)
- IP address (for fraud prevention)
3.3 Payment and Payout Information
To process payments and payouts, we collect:
- Stripe account ID (connected account)
- Bank account details (via Stripe - not directly stored by us)
- Tax information (if required by law)
- Transaction history and payout records
3.4 Identity Verification (KYC)
For regulatory compliance, we collect identity verification data via Veriff:
- Government-issued ID (passport, ID card, driver's license)
- Selfie photo for facial verification
- Date of birth
- Nationality and country of residence
- Document verification results
KYC data is processed by Veriff and stored securely in encrypted form. We receive only the verification status (verified/not verified) and the minimum necessary identity information.
3.5 Uploaded Content and Files
When you upload digital products, we store:
- Product files (PDFs, videos, images, archives, etc.)
- Product metadata (title, description, price, category)
- Thumbnails and preview images
- File size and storage usage information
3.6 Usage and Analytics Data
We automatically collect technical and usage data:
- IP address and location (country/region)
- Browser type and version
- Device information (type, OS, screen size)
- Pages visited and time spent
- Referral source (how you found us)
- Clickstream data and user interactions
- Cookies and similar tracking technologies
3.7 Communications
When you contact us, we collect:
- Email correspondence
- Support tickets and chat messages
- Feedback and survey responses
3.8 Affiliate and Referral Data
For affiliates, we track:
- Referral links and affiliate codes
- Click and conversion tracking
- Commission earnings and payout history
4. How We Use Your Data
4.1 Essential Platform Operations
- Account creation and authentication
- Processing purchases and delivering digital products
- Processing payouts to Creators
- Providing customer support
- Enforcing our Terms of Service
4.2 Legal and Compliance
- KYC/AML (Know Your Customer / Anti-Money Laundering) compliance
- Tax reporting and record-keeping
- Fraud detection and prevention
- Responding to legal requests and court orders
4.3 Platform Improvement
- Analyzing usage patterns to improve features
- Bug fixes and security enhancements
- A/B testing new features
- Performance optimization
4.4 Marketing and Communications (with consent)
- Sending transactional emails (purchase receipts, payout notifications)
- Platform updates and feature announcements
- Marketing emails (you can opt out at any time)
- Promotional offers and referral programs
4.5 Loyalty Rewards Program
- Calculating 90-day GMV for tier assignment
- Determining payout rates (85-89%)
- Tracking progress toward higher tiers
5. Legal Basis for Processing (GDPR)
Under GDPR, we process your data based on the following legal grounds:
5.1 Contract Performance
Processing necessary to provide our services (account management, payments, file delivery).
5.2 Legal Obligation
Compliance with laws (KYC/AML, tax reporting, data retention requirements).
5.3 Legitimate Interest
Fraud prevention, security, platform improvement, and analytics (balanced against your rights).
5.4 Consent
Marketing communications and non-essential cookies (you can withdraw consent anytime).
6. Data Sharing and Third Parties
We do NOT sell your personal data to third parties. We only share data with trusted service providers necessary for platform operations:
6.1 Payment Processing
- Stripe: Payment gateway for processing transactions and payouts
- Data shared: Name, email, payment info, transaction details
- Privacy policy: stripe.com/privacy
6.2 Identity Verification
- Veriff: KYC/identity verification service
- Data shared: Government ID, selfie, personal details
- Privacy policy: veriff.com/privacy
6.3 Infrastructure and Hosting
- Supabase: Database and authentication services
- Cloudflare R2: File storage and content delivery
- AWS: Cloud infrastructure
- Data shared: All platform data (encrypted at rest and in transit)
6.4 Email Services
- Resend: Transactional and marketing emails
- Data shared: Email address, name, email content
6.5 Analytics and Monitoring
- Usage analytics tools for platform improvement
- Data shared: Anonymized usage data, IP addresses
6.6 Legal Requirements
We may disclose your data if required by law, court order, or to:
- Comply with legal processes
- Enforce our Terms of Service
- Protect rights, property, or safety
- Prevent fraud or illegal activities
7. Data Security
We implement industry-standard security measures to protect your data:
7.1 Technical Measures
- Encryption: SSL/TLS encryption for data in transit (HTTPS)
- Encryption at Rest: Database and file storage encrypted
- Password Hashing: Passwords hashed using bcrypt
- Secure Authentication: Multi-factor authentication support
- Access Controls: Role-based permissions and least privilege
7.2 Organizational Measures
- Regular security audits and penetration testing
- Employee training on data protection
- Incident response and breach notification procedures
- Data minimization and purpose limitation
7.3 Limitations
While we take all reasonable precautions, no system is 100% secure. We cannot guarantee absolute security against unauthorized access, hacking, or data breaches. You are responsible for keeping your password secure.
8. Data Retention
We retain your data only as long as necessary for the purposes outlined in this policy:
8.1 Active Accounts
- Account data: Retained while account is active
- Profile information: Until you delete or update it
- Uploaded files: Until you delete them or close your account
8.2 Closed Accounts
- Account data: Up to 7 years after closure (legal and tax requirements)
- Transaction records: 10 years (tax law and accounting standards)
- KYC documents: 5 years after account closure (AML regulations)
8.3 Other Data
- Purchase records: 10 years (warranty, refund claims, tax audits)
- IP logs and analytics: 90 days (then anonymized or deleted)
- Support tickets: 3 years
- Marketing email records: Until you unsubscribe + 1 year
8.4 Exceptions
We may retain data longer if required by law, for legal disputes, fraud investigations, or to enforce our Terms of Service.
9. Your Rights Under GDPR
If you are in the EU/EEA, you have the following rights:
9.1 Right of Access
You can request a copy of all personal data we hold about you.
9.2 Right to Rectification
You can correct inaccurate or incomplete data. Update your profile in account settings.
9.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your data, subject to legal retention requirements (tax, AML, etc.).
9.4 Right to Restriction
You can limit how we process your data in certain circumstances.
9.5 Right to Data Portability
You can receive your data in a structured, machine-readable format (JSON/CSV).
9.6 Right to Object
You can object to processing based on legitimate interests or for marketing purposes.
9.7 Right to Withdraw Consent
You can withdraw consent for marketing emails or non-essential cookies anytime.
9.8 Right to Lodge a Complaint
You can file a complaint with your local data protection authority if you believe your rights have been violated.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
10. Cookies and Tracking Technologies
10.1 What are Cookies?
Cookies are small text files stored on your device to remember your preferences and track usage.
10.2 Types of Cookies We Use
- Essential Cookies: Required for login, authentication, security (cannot be disabled)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Track usage and performance (can be disabled)
- Marketing Cookies: Track conversions and referrals (can be disabled)
10.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features.
11. International Data Transfers
Vaultsy operates globally. Your data may be transferred to and processed in countries outside the EU/EEA, including the United States.
We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Working with service providers that comply with GDPR and privacy frameworks
- Implementing technical safeguards (encryption, access controls)
12. Children's Privacy
Vaultsy is not intended for users under 18 years old. We do not knowingly collect personal data from children.
If you believe a child under 18 has created an account, contact us immediately at [email protected], and we will delete the account and data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.
For material changes, we will notify you via:
- Email notification to registered users
- Prominent notice on the platform
- Pop-up notification on next login
Continued use of the platform after changes constitutes acceptance of the updated policy.
14. Contact Information
14.1 Data Protection Inquiries
For questions about this Privacy Policy or your data:
14.2 Supervisory Authority (EU/EEA users)
If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. You can find your authority here: https://edpb.europa.eu/about-edpb/board/members_en
⚠️ Legal Notice
This document is provided for informational purposes. While we strive for accuracy and GDPR compliance, you should have a qualified data protection attorney review this privacy policy before relying on it for legal compliance. Privacy laws vary by jurisdiction, and this document may not address all legal requirements applicable to your specific situation.