Data collected includes identity and account data, profile/professional data, content submissions, communications, usage analytics, first-party web activity events, device/security logs, billing records, discount records, refund-exception audit records, and AI interaction signals where enabled.

Processing purposes include service delivery, trust and safety, content moderation, portal audit trails, personalization, security monitoring, fraud prevention, legal compliance, and product improvement.

GDPR legal bases include consent, performance of contract, legal obligation, and legitimate interests.

We share data with contracted service providers and subprocessors required to run the platform, such as Supabase, Stripe, Vercel, Resend, analytics/security providers, and support tooling where enabled. Stripe processes payment methods, invoices, discounts, chargebacks, and any legally required or admin-approved refund exceptions.

We do not sell personal data. Data sharing is limited to operational and legal purposes described in this policy.

Data may be processed in the United States and other jurisdictions with contractual and technical safeguards for international transfer.

Retention periods are based on service need, legal obligations, dispute handling, billing audits, refund-exception records, chargeback defense, security investigations, and tax/accounting requirements.

Security controls include encryption in transit, access controls, role-based permissions, content-upload controls, moderation logs, and monitoring. No system is guaranteed 100% secure.

You may request access, correction, deletion, export/portability, restriction, or objection rights subject to applicable law.

CCPA/CPRA rights include right to know, delete, and correct, plus non-discrimination for rights exercise.

Cookies and similar technologies support authentication, session continuity, analytics, operational diagnostics, and first-party measurement of page views, clicks, scroll depth, referral source, and session engagement after analytics consent.

Under the DPA scope, The Vaulted may act as processor for certain user-uploaded or enterprise-submitted data and will process only per documented instructions.

Subprocessors are contractually required to protect data with confidentiality and security commitments.

In the event of a qualifying breach, affected users and relevant authorities are notified in accordance with applicable law.

Privacy and DPA contact: legal@the-vaulted.com