Privacy Policy
Last updated: March 12, 2026
This Privacy Policy describes how Vaulken ("we", "us", "our") collects, uses, and protects your information when you use the Vaulken cloud platform ("Service"). We are committed to protecting your privacy and being transparent about our data practices.
1. Data Controller
Vaulken acts as the data controller for account and service data, and as a data processor for Customer Data stored in your Vaults. For details on our processing obligations as a processor, see our Data Processing Agreement.
Contact: privacy@vaulken.dev
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address
- Password (stored in hashed form — we never store your password in plaintext)
- Workspace name
2.2 Vault Configuration Data
When you create a Vault, we store:
- Vault name and type
- Storage connection details (endpoint, region, bucket name)
- Storage credentials (encrypted via a key management service — never stored in plaintext)
2.3 Search Index Data
When file indexing is enabled, we generate and store:
- Full-text search indexes — derived from your files but irreversible. Your original text cannot be reconstructed from them.
- Semantic search vectors — mathematical representations of your file contents used for meaning-based search. Also irreversible.
- File metadata — file paths, content fingerprints, and modification dates.
We never store the raw text content of your files in our database. Your files remain exclusively in your storage (your own bucket for BYOB, or our managed storage).
2.4 Authentication Data
- Client credentials for MCP access (hashed)
- Session tokens (encrypted cookies)
2.5 Technical Data
We automatically collect:
- IP addresses (for rate limiting and security — not stored long-term)
- Server logs (request paths, status codes, timestamps — retained for 30 days)
We do not use cookies for tracking or analytics. The only cookie used is the encrypted session cookie required for authentication.
3. How We Use Your Data
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the Service | Account, Vault config, indexes | Contract (Art. 6(1)(b)) |
| Authenticate users | Email, password, sessions | Contract (Art. 6(1)(b)) |
| Generate search indexes | File contents (transient) | Contract (Art. 6(1)(b)) |
| Rate limiting and security | IP addresses | Legitimate interest (Art. 6(1)(f)) |
| Send transactional emails | Email address | Contract (Art. 6(1)(b)) |
4. What We Do NOT Do
- We do not sell, rent, or share your data with third parties for marketing.
- We do not use your Customer Data to train or improve any AI/ML model.
- We do not serve ads or use tracking cookies.
- We do not perform behavioral profiling.
- We do not store your file contents in our database — only irreversible search indexes.
5. Subprocessors
We use the following third-party services to operate the platform:
| Subprocessor | Purpose | Location |
|---|---|---|
| Scaleway | Infrastructure hosting (compute, database, storage, key management) | EU (Paris, France) |
| Scaleway TEM | Transactional email delivery | EU (Paris, France) |
| Mistral AI | Embedding generation for semantic search (file contents are sent transiently and not stored) | EU (Paris, France) |
All subprocessors are EU-based. No Customer Data is transferred outside the European Economic Area (EEA).
6. Data Storage and Security
- Hosting: EU (Paris, France)
- Encryption at rest: All sensitive data (credentials, tokens) is encrypted via a key management service
- Encryption in transit: TLS 1.2+ for all connections
- Passwords: Hashed using industry-standard algorithms (never stored in plaintext)
- Tokens: Cryptographically hashed before storage
- Tenant isolation: Separate storage per Vault, scoped data access per Workspace
7. Data Retention
| Data | Retention period |
|---|---|
| Account data | Until account deletion |
| Customer Data (files) | Until Vault deletion (BYOB: in your bucket; Managed: in our storage) |
| Search indexes | Until Vault deletion |
| Server logs | 30 days |
| Password reset tokens | 1 hour, then deleted |
| Refresh tokens | Until revoked or account deletion |
8. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Portability — receive your data in a structured, machine-readable format
- Restriction — request restricted processing in certain circumstances
- Objection — object to processing based on legitimate interests
To exercise these rights, contact us at privacy@vaulken.dev. We will respond within 30 days.
9. Account Deletion
When you delete your account:
- All Workspaces, Vaults, access settings, and tokens are permanently deleted
- All search indexes are permanently deleted
- Managed storage files are permanently deleted
- BYOB bucket contents remain in your own storage (we lose access)
- Your email and account data are permanently removed from our database
This action is irreversible.
10. International Data Transfers
All data is stored and processed within the European Union (Paris, France). We do not transfer personal data outside the EEA. All our subprocessors are EU-based.
11. Children's Privacy
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the dashboard. The "Last updated" date at the top indicates when the policy was last revised.
13. Contact
For privacy-related questions or to exercise your rights:
- Email: privacy@vaulken.dev
- General inquiries: hello@vaulken.dev