Privacy Policy
Last updated: March 19, 2026
This Privacy Policy describes how Vaulken ("we", "us", "our") collects, uses, and protects your information when you use the Vaulken cloud platform ("Service"). We are committed to protecting your privacy and being transparent about our data practices.
1. Data Controller
Vaulken acts as the data controller for account and service data, and as a data processor for Customer Data stored in your Vaults. For details on our processing obligations as a processor, see our Data Processing Agreement.
Contact: privacy@vaulken.dev
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address
- Password (stored in hashed form — we never store your password in plaintext)
- Workspace name
If you sign in with Google, we receive your email address and display name from Google. We do not store your Google access token — it is used once during sign-in to retrieve your profile and then discarded. We do not access your Google Drive, Gmail, or any other Google service.
2.2 Vault Configuration Data
When you create a Vault, we store:
- Vault name and type
- Storage connection details (endpoint, region, bucket name)
- Storage credentials (encrypted via a key management service — never stored in plaintext)
- For Managed Storage Vaults: scoped S3 credentials (access key stored in plaintext as an identifier; secret key encrypted via our key management service). These credentials are revoked and deleted when the Vault or account is deleted.
2.3 Search Index Data
When file indexing is enabled, we generate and store:
- Full-text search indexes — derived from your files but irreversible. Your original text cannot be reconstructed from them.
- Semantic search vectors — mathematical representations of your file contents used for meaning-based search. Also irreversible.
- File metadata — file paths, content fingerprints, and modification dates.
We never store the raw text content of your files in our database. Your files remain exclusively in the Vault's storage (your own bucket for BYOB, or our managed storage for Managed Storage Vaults).
2.4 Authentication Data
- Client credentials for MCP access (hashed)
- Session tokens (encrypted cookies)
2.5 Technical Data
We automatically collect:
- IP addresses (for rate limiting and security — not stored long-term)
- Server logs (request paths, status codes, timestamps — retained for 30 days)
We do not use cookies for tracking or analytics. The only cookie used is the encrypted session cookie required for authentication.
3. How We Use Your Data
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the Service | Account, Vault config, indexes | Contract (Art. 6(1)(b)) |
| Authenticate users | Email, password, sessions | Contract (Art. 6(1)(b)) |
| Generate search indexes | File contents (transient) | Contract (Art. 6(1)(b)) |
| Rate limiting and security | IP addresses | Legitimate interest (Art. 6(1)(f)) |
| Send transactional emails | Email address | Contract (Art. 6(1)(b)) |
4. What We Do NOT Do
- We do not sell, rent, or share your data with third parties for marketing.
- We do not use your Customer Data to train or improve any AI/ML model.
- We do not serve ads or use tracking cookies.
- We do not perform behavioral profiling.
- We do not store your file contents in our database — only irreversible search indexes.
5. Subprocessors
We use the following third-party services to operate the platform:
| Subprocessor | Purpose | Location |
|---|---|---|
| Scaleway | Infrastructure hosting (compute, database, storage, key management) | EU (Paris, France) |
| Scaleway TEM | Transactional email delivery | EU (Paris, France) |
| Mistral AI | Embedding generation for semantic search (file contents are sent transiently and not stored) | EU (Paris, France) |
| Google LLC | Authentication only (OAuth 2.0 sign-in — email and profile name). No Customer Data is shared with Google. | US (Google OAuth servers) |
Google is used solely for authentication. Your email and display name are retrieved once during sign-in. No Customer Data (files, vault contents, search indexes) is ever sent to Google. Google's processing of your data during the OAuth flow is governed by Google's Privacy Policy.
6. Data Storage and Security
- Hosting: EU (Paris, France)
- Encryption at rest: All sensitive data (credentials, tokens) is encrypted via a key management service
- Encryption in transit: TLS 1.2+ for all connections
- Passwords: Hashed using industry-standard algorithms (never stored in plaintext)
- Tokens: Cryptographically hashed before storage
- Tenant isolation: Separate storage per Vault, scoped data access per Workspace
7. Data Retention
| Data | Retention period |
|---|---|
| Account data | Until account deletion |
| Customer Data (files) | Until Vault deletion + 7-day grace period (BYOB: in your bucket; Managed: in our storage). After grace period, data exported as ZIP and sent by email, then permanently deleted. ZIP export retained for 7 additional days. |
| Search indexes | Until Vault deletion |
| Server logs | 30 days |
| Password reset tokens | 1 hour, then deleted |
| Refresh tokens | Until revoked or account deletion |
| S3 credentials (Managed) | Until Vault deletion or credential regeneration |
8. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Portability — receive your data in a structured, machine-readable format
- Restriction — request restricted processing in certain circumstances
- Objection — object to processing based on legitimate interests
To exercise these rights, contact us at privacy@vaulken.dev. We will respond within 30 days.
9. Account Deletion
When you delete your account:
- All Workspaces, Vaults, MCP URLs, and tokens are permanently deleted
- All search indexes are permanently deleted
- Managed storage files are permanently deleted
- BYOB bucket contents remain in your own storage (we lose access)
- Scoped S3 credentials are revoked via our infrastructure provider's API and permanently deleted
- Your email and account data are permanently removed from our database
This action is irreversible.
10. International Data Transfers
All Customer Data and account data are stored and processed within the European Union (Paris, France). The only data transferred outside the EEA is your email address and display name, sent to Google's OAuth servers (US) during sign-in if you choose to use "Sign in with Google". This transfer is covered by Google's Data Processing Terms and Standard Contractual Clauses. You can avoid this transfer entirely by using email/password authentication instead.
11. Children's Privacy
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the dashboard. The "Last updated" date at the top indicates when the policy was last revised.
13. Contact
For privacy-related questions or to exercise your rights:
- Email: privacy@vaulken.dev
- General inquiries: contact@vaulken.dev