Vaulthat Privacy policy

How Vaulthat handles account, billing, archive, and security data.

Effective date: 4 April 2026

At a glance

  • Vaulthat is owned and operated by v16 Studios Limited.
  • We collect the account, workspace, billing, archive, and technical information needed to run the service.
  • We currently use essential session and security cookies only, with no analytics or advertising cookies configured in the app codebase.

Contact

v16 Studios Limited

48 College Green
Yeovil, Somerset, BA21 4JU
United Kingdom

Who we are

Vaulthat is owned and operated by v16 Studios Limited. In this policy, "Vaulthat", "we", "us", and "our" mean v16 Studios Limited, 48 College Green, Yeovil, Somerset, BA21 4JU, United Kingdom.

You can contact us about privacy or data protection matters at [email protected] or [email protected].

What personal data we collect

The data we process depends on how you use Vaulthat. The current application and database store account, workspace, billing, archive, restore, and security information so the service can operate.

  • Account and identity data such as your name, email address, password hash, email-verification status, two-factor authentication secrets and recovery codes, and your current workspace selection.
  • Workspace and collaboration data such as workspace names, user roles, invitations, membership history, and activity records linked to users, projects, and assets.
  • Archive and project data such as project names, descriptions, folder paths, file names, MIME types, checksums, file sizes, archive manifests, upload sessions, restore requests, restore windows, and download events.
  • Billing and payment data such as Stripe customer IDs, subscription records, invoice and payment references, payment status, payment-method brand and last four digits, and billing reminder history. We do not store full payment card numbers in the app database.
  • Technical and security data such as session records, IP addresses, user-agent strings, timestamps, and service metadata needed for fraud prevention, troubleshooting, and service security.

How we use personal data

  • To create and manage accounts, authenticate users, and secure workspace access.
  • To provide archive upload, storage, restore, download, and billing functionality.
  • To process payments, invoices, subscription access, failed-payment handling, and operational collections workflows.
  • To send transactional emails and service notices, including invitations, billing alerts, restore notices, and account-security messages.
  • To maintain audit trails, investigate misuse, prevent fraud, enforce our terms, and protect the integrity of the service.
  • To comply with legal, tax, accounting, and regulatory obligations.

Our lawful bases

Where UK data protection law applies, we generally rely on the following lawful bases depending on the processing activity.

  • Contract: to provide Vaulthat, administer workspaces, store archive content, process restores, and manage subscriptions and billing.
  • Legitimate interests: to secure the service, maintain operational logs and audit trails, prevent abuse, improve reliability, recover debts, and communicate with workspace users about the service.
  • Legal obligation: where we need to keep records or disclose information to comply with applicable law, taxation, accounting, fraud-prevention, or regulatory duties.
  • Consent: if we introduce non-essential cookies, analytics, or optional communications that require consent, we will ask for it first where required.

Cookies, sessions, and analytics

Vaulthat currently uses essential cookies and similar technologies needed to run sign-in, authenticated sessions, and request-security controls. The current configuration uses Laravel session and security cookies to keep users signed in, maintain workspace state, and protect forms and authenticated requests.

We do not currently use analytics, advertising, or social-media tracking cookies in the live app codebase we operate today. If that changes, we will update this policy and request consent where the law requires it.

Who we share data with

We share personal data only where it is necessary to run Vaulthat, meet legal obligations, or protect the service.

  • Stripe, for subscription management, billing portal access, invoices, payment processing, and payment-failure handling.
  • Amazon Web Services, for archive storage, restore operations, and supporting infrastructure used by the application.
  • Email and application infrastructure providers that help us deliver transactional communications and operate the platform.
  • Professional advisers, law enforcement, courts, regulators, or counterparties where disclosure is reasonably necessary for legal, regulatory, fraud-prevention, or dispute purposes.

International transfers

Vaulthat is operated from the United Kingdom, and some service providers may process data outside the UK. Archive data is stored using the AWS region configured for the service environment with server-side encryption at rest in S3, and billing data is processed through Stripe.

Where personal data is transferred internationally, we expect appropriate safeguards to be used where required by law.

How long we keep data

  • Account and workspace records are kept while your account or workspace remains active and for a reasonable period afterwards where needed for security, dispute resolution, or legitimate business records.
  • Billing, charge, and payment records may be retained for longer periods where needed for accounting, tax, audit, fraud-prevention, or legal purposes.
  • Session and technical security records are retained in line with operational needs and housekeeping processes.
  • Archive content, project metadata, restore records, and related audit trails are retained until deleted by the workspace or removed through service retention and billing-enforcement workflows, including when prepaid storage ends without an active subscription or when failed-payment enforcement requires deletion.

Your responsibilities for uploaded content

Vaulthat may store files and project materials uploaded by workspace users. If that content contains personal data, confidential information, or regulated material, you are responsible for ensuring you have the right to upload it and instruct us to store and process it through the service.

Security of archive data

Archive uploads and downloads are delivered over HTTPS. Stored archive objects are written to AWS S3 with server-side encryption at rest.

Your rights

Depending on the law that applies to you, you may have rights to access, correct, delete, restrict, object to, or request transfer of your personal data, and to complain to the UK Information Commissioner's Office.

To make a request, contact [email protected] or [email protected]. We may need to verify your identity before acting on a request.

Changes to this policy

We may update this privacy policy from time to time. When we do, we will publish the updated version on this page and change the effective date above.