Privacy Policy
Effective date: April 24, 2026 · Last updated: April 24, 2026
DRAFT — pending counsel review
This Privacy Policy describes how Vaultic Back Office ("Vaultic," "we," "us," or "our") collects, uses, shares, and protects information when you use our software-as-a-service platform and related services (the "Service"). We operate from Gallatin, Tennessee, USA.
The short version: We collect only what's needed to run the Service. Your transactional data belongs to you. We never sell it. We never use it to train AI models for anyone else.
1. Information We Collect
1.1 Account Information
When you sign up, we collect:
- Email address
- Password (stored hashed with bcrypt; we never see your actual password)
- Store name and location (for display and configuration)
1.2 Payment Information
We never see, store, or process your credit card. All payment data is handled directly by Stripe, our payment processor. We receive only a Stripe customer identifier and subscription status. See Stripe's privacy policy at stripe.com/privacy.
1.3 Point-of-Sale and Operational Data
The Vaultic agent installed at your store uploads transaction data, shift reports, invoices, and inventory data to our servers so you can view analytics and generate reports. This data is encrypted in transit (TLS 1.3) and at rest.
1.4 Technical Information
We collect standard web server logs including IP address, browser user-agent, page URLs visited, timestamps, and error diagnostics. This helps us detect abuse, diagnose bugs, and improve performance.
1.5 Anti-Abuse Fingerprints
When you sign up, we store hashed (SHA-256, one-way) versions of your email and IP address in a "trial fingerprints" table to prevent fraudulent duplicate signups. We cannot reverse these hashes back to the original email or IP.
2. How We Use Your Information
- To provide the Service: process your POS data, generate reports, send operational emails
- To bill you: process subscription payments through Stripe
- To support you: respond to contact form submissions and support requests
- To secure the Service: detect abuse, prevent fraud, investigate security incidents
- To improve the Service: understand aggregated usage patterns (never selling or sharing your specific data)
- To comply with law: respond to valid legal requests when required
3. Sub-Processors and Third-Party Services
To operate the Service, we share specific data with the following sub-processors. Each has its own privacy and security commitments.
| Provider | Category | Purpose | Data Shared |
|---|---|---|---|
| Stripe, Inc. | Payments | Subscription billing, payment method storage | Email, subscription status. No card data ever touches our servers. |
| Brevo (Sendinblue) | Transactional email | Welcome emails, password resets, trial warnings, contact form delivery | Email address, message content |
| Anthropic, PBC | AI invoice scanning | Extract structured data from uploaded vendor invoices | Invoice images you upload to the Service (not customer transactions or card data) |
| DigitalOcean, LLC | Cloud hosting | Server hosting for the Service | All Service data, encrypted at rest |
| Cloudflare, Inc. | DNS and TLS | DNS resolution, TLS termination, DDoS mitigation | Request metadata (IP, user-agent, URL) |
We do not share your data with advertisers, data brokers, or analytics companies. We do not use third-party tracking cookies for advertising.
4. What We Never Do
- We never sell your data
- We never use your business data to train AI models for other customers
- We never share your customer transactions with other Vaultic subscribers
- We never use third-party advertising cookies or tracking pixels
5. Data Security
We implement technical and organizational measures to protect your data:
- TLS 1.3 encryption for all data in transit
- Encrypted storage at rest (AES-256)
- Passwords hashed with bcrypt (cost factor 12)
- API keys and install tokens stored only as SHA-256 hashes
- Role-based access control (owner, manager, staff, viewer)
- PCI DSS SAQ-A compliance posture (card data never touches our systems)
- Automatic security patches and dependency monitoring
6. Data Retention
We keep your data as long as your account is active. If you cancel your subscription:
- Your dashboard access ends at the end of your current billing period
- Your data is retained for 90 days in case you reactivate
- After 90 days, data is permanently deleted from active systems
- Encrypted backups may persist for up to 12 months before full deletion
- Audit logs and anti-abuse fingerprints may be retained up to 365 days for fraud prevention
You may request earlier deletion at any time by emailing support@vaulticbackoffice.com.
7. Your Rights
Regardless of jurisdiction, we honor the following rights for every user:
- Access: request a copy of the data we hold about you
- Correction: update inaccurate information
- Deletion: request permanent deletion of your account and data
- Portability: export your transaction data in machine-readable format (CSV/JSON)
- Objection: object to specific uses of your data
To exercise any of these rights, email support@vaulticbackoffice.com. We will respond within 30 days.
California (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of any "sale" of personal information. We do not sell personal information.
European Union (GDPR) and UK
If you are in the EU or UK, we process your data based on (a) contract necessity to deliver the Service, (b) legitimate interests in preventing fraud and securing the Service, and (c) your consent where applicable. You may lodge a complaint with your local data protection authority.
8. Cookies and Local Storage
We use a minimal set of cookies and browser storage:
- Session cookies: keep you logged in (essential — cannot be disabled)
- Refresh tokens: HttpOnly, Secure cookies for re-authentication
- LocalStorage: stores your JWT access token for API calls
We do not use third-party advertising, analytics, or tracking cookies.
9. Children
The Service is not intended for anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
10. International Transfers
Our servers are located in the United States. If you use the Service from outside the US, your data will be transferred to the US for processing. By using the Service, you consent to this transfer. Brevo (EU-based) may process transactional email in the EU.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced by email to your account address at least 30 days before taking effect. We will also post the updated date at the top of this page.
12. Contact
Vaultic Back Office — Privacy Requests
Gallatin, Tennessee, United States
Email: support@vaulticbackoffice.com
Web: vaulticbackoffice.com/contact
This Privacy Policy is provided in draft form pending legal counsel review. If you require specific compliance documentation (DPA, SOC 2, etc.), please contact us.