Privacy Policy

Last Updated: March 5, 2026

1. Introduction

Welcome to Vulta ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy through strict Data Minimization. This policy explains how we collect, use, and safeguard your data when you use our IP Vault, Secure Transfer, and Scanning services.

2. Information We Collect

We collect personal information that you voluntarily provide to us when you register for the Services or make a purchase. This data is collected based on your explicit, granular consent provided during registration, which is logged with a secure timestamp for audit purposes.

  • Identity Data: Email address, name, and profile information (via Google/Supabase Auth).
  • Digital Assets & Attachments: Images you upload to the Vault for protection, as well as temporary project files uploaded for secure client delivery.
  • Client/Recipient Data: Names and email addresses of third parties (your clients) that you input to generate licenses or send secure transfer notifications.
  • Audit & Tracking Data: IP addresses and timestamps when a user or recipient views, signs a digital license, or downloads a secure transfer file.
  • Metadata: Titles, descriptions, and timestamps associated with your assets and transfers.
  • Payment Data: We do not store your credit card numbers. All payment data is handled securely by our third-party processor, Stripe.

3. How We Use Your Data

We use your data solely to provide the IP protection and delivery services offered by Vulta:

  • To generate forensic watermarks, cryptographic hashes, and privacy-protected copies of your images.
  • To facilitate secure file transfers, generate legally binding digital licenses, and send delivery notifications to your clients.
  • To verify ownership of your assets via our public verification endpoints.
  • To process recurring subscription payments and manage your plan limits.
  • To maintain secure account access and authentication.

We do not sell your personal data, uploaded assets, or your clients' contact information to third parties or advertisers.

4. Blockchain & Public Data

To provide immutable proof of ownership, cryptographic hashes (digital fingerprints) of your assets are anchored to the Polygon public blockchain. Please note that data written to a blockchain is permanent and cannot be deleted or altered.

Privacy Protection: The SHA-256 cryptographic hash is mathematically one-way and irreversible. It cannot be used to reconstruct your original file or identify you personally. Therefore, the hash stored on the blockchain is not considered Personal Data under GDPR or global privacy frameworks. We never store your name, email, or visual file on the blockchain.

5. Your Privacy Rights (Right to be Forgotten)

Depending on your location (e.g., under the GDPR, CCPA, or Australian Privacy Principles), you have the right to access, correct, or permanently delete your personal data. You can exercise your "Right to be Forgotten" by deleting your account in your settings or contacting us.

Upon request, we will permanently delete your email identity and original high-resolution artwork from our active servers and third-party sub-processors within 30 days. (Note: The anonymous blockchain transaction hash will remain indefinitely as proof of existence).

6. International Data Transfers

As a global platform, your data may be transferred to and processed in countries outside of your own (e.g., the United States or Australia). We ensure that all international data transfers are protected by strict safeguards, including Data Processing Agreements (DPAs) with our sub-processors and Standard Contractual Clauses where applicable.

7. Data Storage, Retention & Security

We implement industry-standard security measures, including encryption in transit (SSL) and at rest. Your original high-resolution files are stored in private, restricted-access storage buckets.

Temporary Secure Transfers: Files uploaded for client delivery are stored temporarily. These files are accessible only via cryptographically secure URLs and are strictly bound to the auto-expiration timeframe tied to your subscription tier (e.g., 7, 30, 90, or 365 days). Once a transfer expires or is manually revoked, access is immediately terminated, and the files are slated for automated deletion from our servers to minimize data retention.

8. Contact Us

If you have questions about this policy, wish to revoke consent, or want to exercise your data privacy rights, please contact our Data Protection Officer at support@vulta.co.