Privacy Policy
Zero-knowledge by design. Privacy Vault is a zero-knowledge multichannel retention platform. We process customer signals on behalf of merchants but have no technical capability to read personally identifiable information (PII) in intelligible form. PII is hashed at ingest with SHA-256 and a salt unique to each merchant; the salt is stored encrypted at rest in that merchant's tenant-isolated database, and any stored payload that must remain recoverable is kept only as ciphertext whose decryption requires a merchant-controlled key held in an envelope-encrypted key store (the "Dark Chamber"). Even if subpoenaed, we cannot produce plaintext we never stored. Patent BR 10 2025 022120 9 covers this architecture.
1. Who we are
Privacy Vault Technologies LLC ("Privacy Vault", "we", "us", "our") is a Florida limited liability company headquartered in Doral, Florida, USA. We operate the Privacy Vault platform — a privacy-by-architecture customer retention service for e-commerce merchants. This Privacy Policy explains how we collect, process, store, and protect personal data when:
- You visit privacyvault.tech (our public website);
- A merchant uses our platform on their store, and we receive customer signals on the merchant's behalf;
- You install our Shopify Public App, Custom App, or any platform integration we publish (VTEX, Nuvemshop, Tray, etc. — see DEC-045 family).
2. Roles under GDPR / LGPD
| Scenario | Privacy Vault role | Other party |
|---|---|---|
| Visit to privacyvault.tech | Controller | — |
| Customer of a merchant who installed our platform | Processor (sub-processor under Shopify DPA) | Merchant = Controller |
| Merchant using our portal | Controller (admin email, billing data) + Processor (customer data on merchant's behalf) | Merchant = Controller of their customer data |
3. What data we process
3.1 Public website (privacyvault.tech)
- Cloudflare access logs (IP, user agent, request path, timestamp) — retained 30 days for security;
- Form submissions (name, email, company) when you contact us — used solely to respond;
- Cookies: essential only. We do not use marketing cookies, third-party trackers, or fingerprinting on the public website. We never sell, rent, or share visitor data.
3.2 Platform usage (merchant-side data)
When a merchant installs Privacy Vault, we receive customer signals from their store (Shopify, VTEX, Nuvemshop, etc.) so we can deliver retention messaging. PII is hashed at the entry point: plaintext exists only transiently in the ingest path and is never written to storage in that form. What we actually store:
- Lookup hashes of email, phone, name, address and tax ID: SHA-256 over the value and a salt unique to each merchant, with the salt stored encrypted at rest in the merchant's tenant-isolated database. A hash cannot be linked back to a value without that merchant's salt; because identifiers such as email addresses and phone numbers are guessable, it is the salt's secrecy, not the hash function alone, that protects them. Any payload that must remain recoverable (for example, to answer a data request under section 8) is kept only as ciphertext that decrypts with the merchant-controlled key described in section 5.
- Behavioral signals (cart events, purchases, page views) tied to hashed identifiers, not raw PII;
- Consent state — opt-in/opt-out per channel (email, WhatsApp, push, banner) — versioned and timestamped;
- Operational metadata — store URL, merchant ID, integration tokens (encrypted at rest with AES-256-GCM), webhook IDs.
Channels: Email (via AWS SES), WhatsApp (via Meta Cloud API), Web Push, On-site Banners. We do not use SMS — removed by an internal AI Council decision (DEC-004) because SMS lacks end-to-end encryption.
3.3 Merchant portal data
- Merchant admin name, email, contact phone (hashed for lookup; plaintext kept only for billing and authentication);
- Company information (legal name, tax ID hash, address hash, country);
- Billing data is handled by the platform the app was installed from (Shopify Billing API for Shopify merchants) and by our payment processor. We do not store full card numbers.
4. Lawful basis (GDPR Art. 6 / LGPD Art. 7)
- Contract — to provide the platform service to merchants who installed it;
- Consent: for a merchant's customers, the merchant collects opt-in at the storefront and transmits the consent state to us. We honor it and never message a customer for whom no opt-in has been recorded;
- Legitimate interest — minimal security telemetry (rate limiting, fraud signals);
- Legal obligation — financial records, anti-fraud audit trails when required by Florida or Brazilian law.
5. The Dark Chamber: how zero-knowledge actually works
Privacy Vault implements Zero-Knowledge Vendor Architecture (ZKVA), covered by patent BR 10 2025 022120 9. Three architectural commitments make us materially unable to read merchant customer data:
- Per-merchant salt isolation. Each merchant's PII hashing uses a salt that exists only inside their tenant-isolated D1 database, encrypted at rest. Because salts differ, the same email address produces unrelated hashes in different tenants, so a hash taken from one merchant cannot be matched against another merchant's data without that merchant's salt.
- Blind Dispatcher. The central router that handles requests is deployed with no database bindings, so it cannot read tenant data. This is verifiable by inspecting the Worker's bindings in the Cloudflare dashboard or in its wrangler configuration.
- Dark Chamber. Decrypt operations on stored payloads require the merchant's owner-controlled key. The owner "lights the chamber" when explicitly authorizing access. Privacy Vault employees cannot unilaterally decrypt customer data; there is no master key.
What this means for you:
- If a Privacy Vault employee account is compromised, the attacker cannot exfiltrate intelligible customer data;
- If we receive a law enforcement subpoena, we cannot produce plaintext we do not hold. We will inform the merchant (where legally permitted) and provide ciphertext only;
- If a database is breached, attackers obtain salted hashes and ciphertext. Without the per-merchant salt (itself stored encrypted) they cannot link the hashes to individuals, and without the merchant-controlled key they cannot decrypt the payloads.
6. Sub-processors
We use the following sub-processors. All have signed DPAs and meet GDPR Art. 28 / LGPD Art. 39 requirements:
| Provider | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Compute (Workers), storage (D1, KV, R2), DNS, WAF | Global edge (200+ POPs) |
| Amazon Web Services (SES, S3 archive) | Email delivery, log archive | us-east-1 / sa-east-1 |
| Meta Platforms (WhatsApp Cloud API) | WhatsApp message delivery (when merchant opts in) | USA / EU |
| Anthropic, Inc. | AI Council (technical decision support — never customer data) | USA |
A current list is available on request to admin@privacyvault.tech.
7. Retention
- Hashed customer signals: retained per merchant configuration (default 24 months, max 60 months — merchant-controlled);
- Operational logs: hot tier 30 days (D1) → warm tier 90 days (R2 gzip) → cold tier 5 years (R2 zstd). Logs never contain PII (NVA-026 / NVA-034 enforced);
- Merchant admin data: retained while the account is active + 12 months for billing/audit; deleted on request after that period.
8. Your rights (GDPR Art. 15-22 / LGPD Art. 18)
You have the right to access, rectify, erase, restrict processing, port, and object to processing of your personal data, plus the right to lodge a complaint with a supervisory authority (e.g., ANPD in Brazil, your local DPA in the EU).
Two paths to exercise these rights:
- If you are a customer of a merchant who uses Privacy Vault, contact the merchant directly. They are the controller of your data. Privacy Vault, acting as processor, carries out the merchant's instruction through its Data Subject Access Request handler within 72 hours of receiving it.
- If you are a merchant or a website visitor, write to admin@privacyvault.tech. We respond within 30 days (often within 7).
Shopify customers (compliance webhooks): Privacy Vault honors the three mandatory Shopify compliance webhooks, customers/data_request, customers/redact and shop/redact. When Shopify forwards a request, we compute the customer's lookup hash, locate the matching records, and either return the associated ciphertext payload (data_request) or delete the records (redact), within the timelines Shopify's app requirements set.
9. International transfers
Customer data is processed at the Cloudflare edge location nearest the customer; for EU/UK residents that is typically an EU point of presence. Where a cross-border transfer of personal data occurs, it relies on Standard Contractual Clauses (SCCs) approved by the European Commission. Technical decision support from Anthropic in the US involves no customer data.
10. Cookies on privacyvault.tech
We use only essential cookies on this website (session persistence and CSRF tokens). No marketing or third-party tracking cookies. We never integrate Google Analytics, Facebook Pixel, or any third-party analytics on the public site.
11. Security
- All transit encrypted with TLS 1.3 (HSTS preload);
- All storage encrypted at rest (AES-256-GCM, with per-purpose keys derived via HKDF);
- Secrets in 1Password vault (humans) + Cloudflare Workers Secrets (machines) — never in source code (DEC-048);
- Multi-factor authentication (TOTP) required for all merchant accounts, with a verified recovery email for account recovery;
- Quarterly security review by the AI Council (a multi-model architectural review process);
- Repository visibility lock — Privacy Vault source code is and remains private (NVA-093 / Hook B14).
12. Children
The Privacy Vault platform is not directed to individuals under 16. We do not knowingly process personal data of minors. Merchants using Privacy Vault confirm they comply with applicable child privacy laws (COPPA, GDPR Art. 8) at their storefront.
13. Changes to this Policy
We will notify you of material changes by email (for merchants) and via banner on this site (for visitors), at least 30 days before they take effect. The "Last updated" date at the top reflects the latest revision.
Contact us
Privacy Vault Technologies LLC
Doral, Florida, USA
Privacy & DPO: admin@privacyvault.tech
For Brazilian residents (LGPD Art. 41 — DPO contact): admin@privacyvault.tech with subject "DPO/LGPD".