Privacy Policy

Effective date: February 2026 • Contact: [email protected]

1) Scope

This policy covers personal information we process when you visit vaultxsec.com, request audit services, or contact us for support.

2) Information We Collect

We do not sell personal information. We collect only what's needed to deliver audit services:

• Contact information: name, email, company name, phone (optional)
• Engagement details: tool names, user counts, cloud spend ranges
• Access credentials: only if you provide them, temporary read-only or least-privilege access to perform audits
• Technical data: IP address, device/browser type, pages viewed, timestamps

Credentials: If you share access credentials, we store them only as long as needed to perform the audit, restrict access to authorized personnel only, and delete them immediately when the engagement ends or upon request (typically within 3 business days).

3) How We Use Information

• Provide audit services (SaaS license audits, cloud cost audits)
• Communicate about your engagement and deliver reports
• Process payments and maintain billing records
• Improve service quality and prevent fraud
• Comply with legal obligations

4) How We Share Information

We share data only with service providers acting on our instructions:

• Payment processing: Stripe (for invoicing and payments)
• Email/calendar: Google Workspace (for communication and scheduling)

We may also share information if required by law or to protect rights and safety. We do not sell or share personal information for advertising purposes.

5) Data Security

We use appropriate technical and organizational measures including encryption in transit, access controls, least-privilege principles, and secure credential storage. No method is 100% secure, and we cannot guarantee absolute security.

6) Data Retention

• Contact and billing records: As required for tax and financial purposes (typically 7 years)
• Audit reports and deliverables: 12 months for quality assurance, unless you request earlier deletion
• Access credentials: Deleted at end of engagement or earlier upon request (within 3 business days)
• Analytics logs: 12 months, then aggregated

7) Your Rights

Depending on your location, you may have rights to:

• Access your personal information
• Request corrections or updates
• Request deletion
• Restrict or object to processing
• Export your data
• Withdraw consent

To exercise any right, email [email protected]. We will verify your identity and respond within 30-45 days.

Canadian residents: You have rights under applicable Canadian privacy laws including PIPEDA.

California/US residents: We act as a service provider to our customers. We do not sell or share your personal information for targeted advertising.

EU/UK residents: You may lodge a complaint with your data protection authority.

8) Cookies & Tracking

We use only essential cookies for website functionality and basic analytics. You can control cookies via your browser settings. We do not use advertising or tracking cookies.

9) International Transfers

We are based in Canada. Your information may be processed by our service providers in other countries. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses.

10) Children

Our services are not directed to anyone under 16. If we learn we collected data from someone under 16, we will delete it.

11) Breach Notification

If we become aware of a security incident affecting your personal information, we will notify you as required by applicable law.

12) Changes to This Policy

We may update this policy from time to time. We'll post the new version with a new effective date. If changes are material, we'll provide more prominent notice.

13) Contact

Privacy questions or requests: [email protected]

For formal legal notices, email is acceptable. A postal address will be provided upon request.