Back to Home

Privacy Policy

Last updated: May 18, 2026

Axiom Data Integrity

Your data is protected by the **Axiom Protocol**. We utilize a zero-trust, high-concurrency architecture that ensures your compliance documents are processed, encrypted, and stored with enterprise-grade precision.

1. Information We Collect

We collect the following categories of information:

  • Account Information: Name and email address.
  • Business Location Data: Business names, trade names, entity/LLC names, physical addresses, and other location-specific information you provide.
  • Permit & Document Data: Information about business permits and licenses you upload, including permit numbers, expiration dates, issuing authorities, and document file contents (PDFs, images).
  • Axiom AI Extraction Data: When you upload a permit document, our **Axiom Engine** (powered by Gemini 2.0 Flash) may automatically extract metadata such as permit numbers, issuing authorities, expiration dates, business names, and addresses directly from the document content.
  • HyperDrive Batch Processing: When using HyperDrive for concurrent batch uploads, we process document metadata in parallel to expedite your ingestion queue.
  • Biometric Metadata (Mobile Only): Our mobile application offers an "AppLock" feature that utilizes your device's native biometrics (Face ID or Fingerprint). Vaulted does not collect, transmit, or store your biometric data. All biometric authentication occurs locally on your device via the operating system's secure enclave.
  • Mobile Device Information: When using the Vaulted mobile application, we may collect device type, operating system version, and app version for crash reporting and compatibility purposes. We do not collect device advertising identifiers or track your location.
  • Usage Data: Information about how you interact with our dashboard, notifications, and editor features.
  • Payment Data: Billing information processed securely through Stripe via the Vaulted website only. We do not store credit card numbers on our servers. No payment data is collected through the mobile application.

2. How We Use Your Information

We use your information strictly to:

  • Provide, maintain, and improve our services, including permit tracking, document management, and renewal workflows.
  • AI-Powered Document Analysis: Automatically extract metadata (permit numbers, dates, authorities, business names, addresses) from uploaded documents using Google Gemini AI to reduce manual data entry and improve accuracy.
  • Intelligent Form Pre-Filling: Use extracted and stored business data to pre-populate government renewal form fields via our Ghost Editor, saving you time during the renewal process.
  • Jurisdictional Research: Conduct automated research on renewal procedures, requirements, and deadlines specific to your permits and issuing authorities.
  • Send you critical notifications about permit expirations (via Email).
  • Process subscription payments via Stripe.
  • Generate audit logs of user actions for security and compliance purposes.
  • Comply with legal obligations and enforce our terms.

3. AI Processing & Third-Party AI Services

Vaulted uses Google Gemini AI (provided by Google DeepMind) to process uploaded documents and perform intelligent field mapping. When you upload a permit document or use the Ghost Editor:

  • The document content (images or PDF data) is transmitted to Google's Gemini API for analysis.
  • Google processes this data to extract structured information (permit numbers, names, addresses, dates) and return it to our platform.
  • Form field names from PDF renewal forms are sent to Google Gemini to determine the best mapping between your business data and form fields.
  • We use Google Gemini's structured output (JSON schema) to ensure data extraction is consistent and accurate.

Important: Google's use of this data is governed by Google's Gemini API Terms of Service. When using the paid Gemini API, Google states that it does not use your data to train its AI models. We recommend reviewing Google's privacy practices for complete information.

4. Data Encryption & Security

We implement multiple layers of security to protect your data:

  • Client-Side Encryption: All uploaded documents are encrypted using AES-256-GCM encryption in your browser before being transmitted to our servers. Encryption keys are derived from your account credentials and are never stored on our servers in plaintext.
  • Encrypted Metadata: Sensitive permit metadata (permit numbers, issuing authorities) is encrypted with unique initialization vectors (IVs) before storage.
  • Zero-Knowledge Architecture: Documents stored in our cloud storage are encrypted at rest. Without the correct decryption keys, the stored data is unintelligible.
  • Transport Security: All data in transit is protected using TLS 1.2+ encryption.
  • Access Controls: Row-level security policies ensure users can only access their own data.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5. Information Sharing

We do not sell your personal information. We may share data only with:

  • Google (Gemini AI): Document content and form field data for AI-powered extraction and intelligent mapping, as described in Section 3.
  • Supabase: Our database and storage provider. All stored documents are encrypted before upload.
  • Stripe: Payment processing for subscriptions via the Vaulted website only. We never transmit your permit data to Stripe. No payment data is collected or processed through the mobile application.
  • Resend: Email delivery for notifications and MFA codes. Only email addresses and notification content are shared.
  • Legal Authorities: When required by law, subpoena, or to protect our rights and safety.

6. Cookies & Tracking Technologies

We use cookies, local storage, and similar technologies to support essential functionality, including:

  • Authentication and Security: Essential cookies and local storage tokens (such as Supabase session keys) to keep you securely signed in and protect your account from unauthorized access.
  • Device Trust and MFA: Local storage flags (like `mfa_trust_`) to securely verify trust for a device over 72 hours (or longer when "Remember me" is selected), reducing repeated MFA prompts.
  • Preferences: Saving user theme preferences (light/dark mode) and remembering registered email addresses for faster sign-in.

You can manage or disable cookies through your browser settings, but doing so may prevent certain security features (like session persistence and MFA trust remembrance) from functioning properly.

7. Data Retention

  • Active Accounts: We retain your data for as long as your account is active and as needed to provide the Service.
  • Deleted Documents: When you delete a document from a permit record, only the document reference and stored file are removed. The permit record itself (name, expiration date, status) is retained unless you explicitly delete it.
  • Account Deletion: Upon account deletion request, we will remove all your personal data, permit records, and uploaded documents within 30 days. Anonymized audit log entries may be retained for security purposes.
  • AI Processing Logs: We do not retain copies of data sent to Google Gemini beyond the duration of the API request. Google's retention policies apply to data processed by their systems.

8. Your Rights & US State Privacy Disclosures

Depending on your jurisdiction (including states like Texas and California), you may have the following statutory privacy rights:

  • Right to Know / Access: Request a copy of the specific pieces of personal data we hold about you.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Deletion: Request deletion of your personal data, subject to legal exceptions.
  • Right to Portability: Request your data in a structured, machine-readable, and portable format.
  • Right to Opt-Out of Sale or Share: Under California (CCPA/CPRA) and Texas (TDPSA) laws, you have the right to opt-out of the selling or sharing of your personal data. Vaulted does not sell, rent, share, or lease your personal data to third parties, and we do not process your data for targeted advertising.
  • Right to Non-Discriminrimination: We will not deny services, charge different prices, or provide a lower quality of service if you choose to exercise your privacy rights.
  • Right to Appeal (Texas TDPSA): If you are a Texas resident and we decline to take action on your request, you have the right to appeal our decision within 30 days by contacting us at support@vaultedai.app.
  • Opt-Out of AI Processing: You may opt out of automated AI document metadata extraction by using the "Skip AI & Enter Manually" option when uploading permit documents.

To exercise any of these rights, please contact us at support@vaultedai.app.

9. Children's Privacy

Vaulted is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

11. Mobile Application Data Practices

  • No In-App Purchases: The Vaulted mobile application does not process any payments, subscriptions, or in-app purchases. All billing occurs exclusively through the Vaulted website.
  • Camera & Photo Library: We request camera and photo library access solely for document scanning (Snap & Vault). Images are processed for AI extraction and then encrypted before storage. We do not access your camera or photos for any other purpose.
  • No Location Tracking: The Vaulted mobile app does not access or track your device's GPS location.
  • No Advertising: The Vaulted mobile application contains no advertisements, advertising SDKs, or tracking pixels.
  • Local Authentication: Biometric data (Face ID, Touch ID, fingerprint) used for AppLock is processed entirely on-device by the operating system's secure enclave. Vaulted never receives, transmits, or stores biometric templates.

12. Data Processing Agreement (DPA)

Vaulted acts as a data processor on behalf of you (the data controller) when handling your uploaded compliance documents. The following terms constitute our Data Processing Agreement:

  • Purpose Limitation: We process your data solely for the purpose of providing the Vaulted compliance management service as described in these policies. We do not process your data for advertising, profiling, or any secondary purpose.
  • Sub-processors: Our authorized sub-processors are: Google (Gemini AI for document extraction), Supabase (database and storage), Stripe (payment processing via web only), and Resend (email delivery). We will notify you of any changes to sub-processors.
  • Data Localization: Your data is stored in Supabase-managed infrastructure. Encrypted documents are stored in cloud storage with AES-256-GCM encryption at rest.
  • Breach Notification: In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33 and applicable US state breach notification laws.
  • Data Deletion: Upon account termination or deletion request, all personal data, documents, and encrypted files will be permanently deleted within 30 days. Anonymized aggregate data may be retained for service improvement.
  • Audit Rights: You may request documentation of our security practices and data processing activities by contacting support@vaultedai.app.
  • International Transfers: If your data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us at support@vaultedai.app.

© 2026 Vaulted. All rights reserved.