Register

Legal

Privacy Policy

Last Updated: 3 June 2026

This Privacy Policy explains how Vaultody Ltd. ("Vaultody", "Provider", "we", "our", or "us") collects, uses, stores, discloses, and protects personal data when you access our website, register for an account, use our platform, interact with our Services, communicate with us, or otherwise engage with Vaultody.

This Privacy Policy is intended to be read together with our:

  • Digital Wallet as a Service (DWaaS) Software as a Service Agreement;
  • Terms & Conditions;
  • Electronic Signature Consent;
  • Data Security Policy;
  • Data Processing Addendum; 
  • Subscription & Cancellation Policy;
  • Complaints & Dispute Policy.

Vaultody is a technology-only, non-custodial software-as-a-service provider. Vaultody does not take custody, possession, or control of Digital Assets, private keys, seed phrases, recovery phrases, or Client-controlled signing authority.

1. Who We Are

Vaultody Ltd. is a company incorporated under the laws of the Republic of Bulgaria, UIC 207186381, with its registered address at:

Vaultody Ltd.
Sofia, Studentski grad, Doctor Yordan Yosifov str., 1A
Republic of Bulgaria

For the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR), Vaultody generally acts as the data controller for personal data collected through our website, registration process, onboarding process, account administration, billing, communications, legal acceptance records, and business operations.

Where a Client uses the Services to process personal data relating to its own customers, employees, contractors, users, or other third parties, the Client may act as the data controller and Vaultody may act as a data processor, as set out in Vaultody's Data Processing Addendum.

2. Scope of This Privacy Policy

This Privacy Policy applies to personal data processed in connection with:

(a) visits to the Vaultody website;

(b) account registration and onboarding;

(c) subscription purchases and billing;

(d) use of the Services;

(e) electronic acceptance of legal documents;

(f) communications with Vaultody;

(g) customer support;

(h) marketing and business development activities;

(i) security, fraud prevention, abuse prevention, and compliance activities; and

(j) legal, regulatory, accounting, tax, and administrative obligations.

This Privacy Policy does not apply to third-party websites, applications, blockchain networks, protocols, wallets, smart contracts, infrastructure providers, or services that are not controlled by Vaultody.

3. Personal Data We Collect

We may collect and process the following categories of personal data.

3.1 Account and Onboarding Information

When you register for an account, subscribe to the Services, or complete onboarding, we may collect:

(a) full name;

(b) email address;

(c) company name;

(d) company registration number or company identification number;

(e) VAT number, where applicable;

(f) country of registration, residence, or operation;

(g) role, title, or relationship to the company;

(h) confirmation that you are authorized to act on behalf of and legally bind the company;

(i) account login and authentication information; and

(j) any other information reasonably required to create, administer, verify, or secure your Account.

3.2 Electronic Acceptance and Legal Records

When you accept legal documents electronically, we may collect and retain records including:

(a) accepted document names;

(b) accepted document versions;

(c) checkbox selections;

(d) acceptance timestamps;

(e) IP address;

(f) browser and device information;

(g) user agent information;

(h) account ID;

(i) email address associated with the acceptance;

(j) subscription or purchase context; and

(k) other information reasonably necessary to demonstrate acceptance, authorization, and agreement.

These records may relate to acceptance of the DWaaS Software as a Service Agreement, Terms & Conditions, Electronic Signature Consent, Privacy Policy, Data Security Policy, Subscription & Cancellation Policy, Complaints & Dispute Policy, and other legal or service-related documents.

3.3 Subscription, Billing, and Payment Information

When you purchase or use a paid subscription, we may collect:

(a) Subscription Plan information;

(b) billing frequency;

(c) invoice information;

(d) billing address;

(e) company billing details;

(f) VAT or tax information;

(g) payment status;

(h) transaction references;

(i) payment method metadata, such as payment provider tokens, card brand, expiry date, or last four digits, where applicable; and

(j) records of renewals, upgrades, downgrades, failed payments, refunds, disputes, and collection activity.

Vaultody does not intend to store full payment card numbers where payments are handled by third-party payment processors.

3.4 Service Usage and Technical Information

When you use the Services, we may collect:

(a) login activity;

(b) API usage data;

(c) dashboard activity;

(d) operational logs;

(e) telemetry data;

(f) error logs;

(g) system events;

(h) security logs;

(i) IP addresses;

(j) device information;

(k) browser information;

(l) authentication events;

(m) account configuration information;

(n) wallet infrastructure metadata;

(o) policy and workflow configuration metadata;

(p) blockchain addresses, transaction identifiers, and related operational metadata, where processed through the Services; and

(q) other technical information necessary to provide, secure, monitor, troubleshoot, and improve the Services.

Vaultody does not collect, store, or control Client private keys, seed phrases, recovery phrases, recovery material, or Client-controlled signing components.

3.5 Communications and Support Information

When you contact us, request support, request information, or communicate with us, we may process:

(a) name;

(b) email address;

(c) company information;

(d) communication content;

(e) support tickets;

(f) attachments or files voluntarily provided by you;

(g) meeting notes;

(h) call or demo request details;

(i) feedback; and

(j) records of our responses.

3.6 Website, Cookie, and Analytics Data

When you visit our website, we may collect:

(a) IP address;

(b) browser type;

(c) device type;

(d) operating system;

(e) referral URLs;

(f) pages viewed;

(g) interaction data;

(h) session information;

(i) approximate location derived from IP address;

(j) cookie identifiers; and

(k) analytics and performance information.

Some cookies and similar technologies may be necessary for website operation, while others may be used for analytics, performance, preferences, or marketing where permitted by Applicable Law.

3.7 Marketing and Business Development Data

Where permitted by Applicable Law, we may process:

(a) name;

(b) business email address;

(c) company name;

(d) role or title;

(e) communication preferences;

(f) marketing interactions;

(g) event or campaign participation;

(h) website engagement data; and

(i) information voluntarily provided through forms, surveys, demos, or communications.

3.8 Recruitment Data

If you apply for a position with Vaultody, we may process:

(a) name;

(b) contact details;

(c) CV or resume;

(d) employment history;

(e) education history;

(f) professional qualifications;

(g) references;

(h) interview notes; and

(i) other information you provide as part of the recruitment process.

We do not request special categories of personal data unless legally required or specifically relevant to the recruitment process.

4. Personal Data We Do Not Intentionally Collect

Vaultody does not intentionally collect or require the following as part of standard account registration or ordinary use of the Services:

(a) private keys;

(b) seed phrases;

(c) recovery phrases;

(d) Client-controlled signing material;

(e) biometric data;

(f) government identification documents;

(g) sensitive financial account credentials; or

(h) special categories of personal data, such as health data, religious beliefs, political opinions, or biometric identifiers.

You should not provide such information to Vaultody unless we specifically request it and identify the lawful basis for doing so.

5. How We Collect Personal Data

We may collect personal data:

(a) directly from you when you provide it;

(b) through account registration and onboarding forms;

(c) through the website and Services;

(d) through subscription, checkout, billing, and payment processes;

(e) through electronic acceptance flows;

(f) through support requests and communications;

(g) through cookies, logs, analytics tools, and security systems;

(h) from payment processors, service providers, or business partners;

(i) from publicly available business sources; and

(j) from Clients, where they provide information relating to authorized users or representatives.

6. Why We Process Personal Data

We process personal data for the following purposes.

6.1 Account Creation and Administration

To create, maintain, administer, verify, secure, and manage Accounts.

6.2 Providing the Services

To provide, operate, maintain, support, troubleshoot, improve, and secure the Services.

6.3 Subscription, Billing, and Payment

To process subscription purchases, invoices, renewals, failed payments, taxes, payment records, billing communications, and related financial administration.

6.4 Electronic Acceptance and Legal Evidence

To record and demonstrate acceptance of legal documents, authority to bind a company, subscription commitments, electronic signatures, and legally relevant account activity.

6.5 Security, Fraud Prevention, and Abuse Prevention

To detect, prevent, investigate, and respond to unauthorized access, credential compromise, fraud, misuse, attacks, prohibited activity, sanctions concerns, system abuse, and security incidents.

6.6 Compliance and Legal Obligations

To comply with Applicable Law, tax requirements, accounting rules, court orders, regulatory requests, lawful authority requests, and legal obligations.

6.7 Communications

To send account communications, operational notices, security alerts, billing notices, legal notices, policy updates, support responses, and other service-related communications.

6.8 Marketing and Business Development

To send information about Vaultody products, services, updates, events, and business opportunities, subject to Applicable Law and any required consent or opt-out rights.

6.9 Analytics and Improvement

To understand website and Service usage, improve performance, develop features, measure effectiveness, and improve user experience.

6.10 Legal Claims and Protection of Rights

To establish, exercise, defend, or enforce legal rights, agreements, claims, and obligations.

7. Legal Bases for Processing

Where GDPR or similar data protection laws apply, we rely on one or more of the following legal bases.

7.1 Performance of a Contract

We process personal data where necessary to enter into or perform a contract with you or the Client, including account creation, onboarding, subscription management, Service delivery, support, billing, renewals, and legal acceptance records.

7.2 Legal Obligation

We process personal data where necessary to comply with legal obligations, including tax, accounting, regulatory, lawful request, court order, and compliance obligations.

7.3 Legitimate Interests

We process personal data where necessary for our legitimate interests or those of a third party, provided such interests are not overridden by your rights and freedoms.

These interests may include:

(a) operating and improving the website and Services;

(b) securing the Services;

(c) preventing fraud and abuse;

(d) maintaining electronic acceptance records;

(e) enforcing legal agreements;

(f) protecting Vaultody, Clients, users, and third parties;

(g) business administration;

(h) analytics and product improvement;

(i) B2B marketing, where permitted; and

(j) establishing, exercising, or defending legal claims.

7.4 Consent

We rely on consent where required by Applicable Law, including for certain cookies, marketing communications, or other optional processing activities.

You may withdraw consent at any time where processing is based on consent.

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

8. Electronic Acceptance Records

Vaultody may retain electronic records relating to your acceptance of legal documents, including the identity of the person accepting, company details, checkbox selections, document versions, timestamps, IP addresses, device information, browser information, account identifiers, and related technical evidence.

We process these records to:

(a) demonstrate that legal documents were accepted;

(b) verify electronic signatures;

(c) confirm authority to bind a company;

(d) administer subscriptions and renewals;

(e) resolve disputes;

(f) enforce legal rights; and

(g) comply with legal and accounting obligations.

These records are important to the legal relationship between Vaultody and the Client and may be retained for as long as reasonably necessary to evidence the contractual relationship, comply with Applicable Law, and establish, exercise, or defend legal claims.

9. Providing Personal Data

Certain personal data is necessary to create an Account, complete onboarding, accept legal documents, purchase a subscription, receive the Services, receive support, comply with legal obligations, and maintain account security.

If you do not provide required information, Vaultody may be unable to create or maintain your Account, provide the Services, process payments, verify authority, record legal acceptance, respond to requests, or comply with legal obligations.

Where personal data is optional, we will indicate this where appropriate or you may choose not to provide such information.

10. Client-Controlled Data and End-User Data

Clients are responsible for determining what personal data they provide to or process through the Services.

If a Client uses the Services to process personal data relating to its customers, employees, contractors, users, or other third parties, the Client is responsible for:

(a) providing appropriate privacy notices;

(b) establishing a valid legal basis for processing;

(c) obtaining any required consents;

(d) complying with data protection laws;

(e) responding to data subject requests where applicable; and

(f) ensuring that the processing of such data through the Services is lawful.

Where Vaultody processes such personal data on behalf of a Client, Vaultody will process it in accordance with the Client's lawful instructions, the applicable agreement, and Vaultody's Data Processing Addendum.

11. Non-Custodial Data Clarification

Vaultody is a non-custodial technology provider.

Vaultody does not hold, custody, possess, control, administer, or manage Client Digital Assets.

Vaultody does not store or control Client private keys, seed phrases, recovery phrases, recovery material, or Client-controlled signing components.

Personal data processed by Vaultody generally consists of account information, onboarding information, legal acceptance records, billing information, usage information, support information, technical metadata, security logs, and operational information necessary to provide and secure the Services.

12. Sharing of Personal Data

We may share personal data with the following categories of recipients.

12.1 Personnel and Contractors

We may share personal data with employees, contractors, consultants, and representatives who need access to perform their duties.

12.2 Service Providers

We may share personal data with vendors and service providers that support our operations, including:

(a) cloud hosting providers;

(b) infrastructure providers;

(c) payment processors;

(d) billing and invoicing providers;

(e) customer support tools;

(f) email and communication providers;

(g) analytics providers;

(h) security and monitoring providers;

(i) compliance and fraud prevention providers;

(j) CRM and business administration tools; and

(k) professional service providers.

12.3 Professional Advisors

We may share personal data with lawyers, accountants, auditors, insurers, banks, and other professional advisors where necessary for business, legal, accounting, insurance, or compliance purposes.

12.4 Authorities and Legal Recipients

We may disclose personal data where necessary to comply with Applicable Law, court orders, regulatory requests, lawful authority requests, legal proceedings, or to protect rights, safety, security, or legal interests.

12.5 Business Transactions

We may disclose personal data in connection with a merger, acquisition, financing, restructuring, sale of assets, corporate transaction, insolvency proceeding, or similar business transaction, subject to appropriate safeguards.

12.6 Client-Directed Sharing

We may share or make available personal data where directed, configured, authorized, or requested by the Client through the Services.

We do not sell personal data.

13. International Transfers

Vaultody is based in the Republic of Bulgaria, within the European Union.

Personal data may be processed or stored in countries outside the European Economic Area where our service providers, infrastructure providers, payment processors, communication providers, or other partners operate.

Where personal data is transferred outside the European Economic Area, Vaultody will use appropriate safeguards where required by Applicable Law, such as:

(a) European Commission adequacy decisions;

(b) Standard Contractual Clauses;

(c) contractual safeguards;

(d) technical and organizational safeguards; or

(e) other lawful transfer mechanisms.

14. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by Applicable Law.

Retention periods may depend on:

(a) the duration of the contractual relationship;

(b) the type of personal data;

(c) the purpose of processing;

(d) legal, tax, accounting, and audit obligations;

(e) security and fraud prevention needs;

(f) limitation periods for legal claims;

(g) dispute resolution requirements; and

(h) legitimate business needs.

In general:

(a) account and onboarding information may be retained for the duration of the Account and for a reasonable period thereafter;

(b) legal acceptance records may be retained for as long as necessary to evidence acceptance, authority, and contractual obligations;

(c) billing and invoice records may be retained for as long as required by applicable tax, accounting, and legal obligations;

(d) security logs may be retained for as long as necessary for security, fraud prevention, investigation, and audit purposes;

(e) support records may be retained for as long as necessary to provide support, maintain business records, and resolve disputes;

(f) marketing data may be retained until you unsubscribe, withdraw consent, object, or the data is no longer necessary; and

(g) recruitment data may be retained for the recruitment process and a reasonable period thereafter, unless longer retention is required or permitted by law.

When personal data is no longer required, we may delete, anonymize, aggregate, or securely archive it.

15. Security Measures

Vaultody implements commercially reasonable technical, administrative, organizational, and security measures designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

Such measures may include:

(a) access controls;

(b) authentication mechanisms;

(c) encryption technologies;

(d) logging and monitoring;

(e) security reviews;

(f) incident response procedures;

(g) least-privilege access practices;

(h) vendor security measures; and

(i) internal confidentiality obligations.

No system, software, network, infrastructure, blockchain, or method of transmission is completely secure. You are responsible for maintaining the confidentiality and security of your credentials, authentication devices, access tokens, API keys, and account access mechanisms.

16. Cookies and Similar Technologies

Vaultody may use cookies, pixels, local storage, analytics tools, and similar technologies to operate the website, remember preferences, improve performance, understand usage, support security, and conduct analytics or marketing where permitted by Applicable Law.

Cookies may include:

(a) strictly necessary cookies;

(b) performance and analytics cookies;

(c) functionality cookies; and

(d) marketing or targeting cookies, where used and permitted.

Where required by Applicable Law, we will request consent before using non-essential cookies.

You may manage cookies through your browser settings or through any cookie management tools made available on our website.

Disabling some cookies may affect website functionality.

17. Marketing Communications

Where permitted by Applicable Law, we may send business, product, service, event, or marketing communications.

You may opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting us.

Even if you opt out of marketing communications, we may still send service-related, transactional, billing, legal, or security communications.

18. Automated Processing

Vaultody may use automated tools to support security monitoring, fraud detection, abuse prevention, rate limiting, service operation, analytics, and account protection.

Vaultody does not intend to make decisions based solely on automated processing that produce legal or similarly significant effects concerning individuals, unless permitted by Applicable Law and subject to any required safeguards.

19. Your Data Protection Rights

Depending on your location and Applicable Law, you may have rights regarding your personal data, including the right to:

(a) access personal data we hold about you;

(b) request correction of inaccurate or incomplete personal data;

(c) request deletion of personal data;

(d) request restriction of processing;

(e) object to processing;

(f) request data portability;

(g) withdraw consent where processing is based on consent;

(h) object to direct marketing;

(i) request information about our processing activities; and

(j) lodge a complaint with a competent data protection supervisory authority.

These rights may be subject to conditions, limitations, and exceptions under Applicable Law.

If you are located in the European Union, you also have the right to lodge a complaint with your local data protection supervisory authority.

 

Vaultody’s lead supervisory authority in Bulgaria is:

 

Commission for Personal Data Protection

Republic of Bulgaria

Website: https://www.cpdp.bg 

20. How to Exercise Your Rights

To exercise your data protection rights, contact us using the details in Section 25.

We may need to verify your identity before responding to a request.

If your request relates to personal data processed by Vaultody on behalf of a Client, we may refer the request to the relevant Client or act according to the Client's lawful instructions.

We will respond to requests within the timeframe required by Applicable Law.

21. Children's Privacy

The website and Services are intended for business users and are not directed to children.

You must not use the Services if you do not have legal capacity to enter into binding agreements.

We do not knowingly collect personal data from children.

22. Third-Party Websites and Services

The website and Services may contain links to or integrations with third-party websites, applications, services, blockchain networks, protocols, wallets, infrastructure providers, analytics tools, payment processors, or other third-party resources.

Vaultody is not responsible for the privacy practices, content, security, or policies of third parties.

You should review the privacy policies and terms of any third-party services you use.

23. Changes to This Privacy Policy

Vaultody may update this Privacy Policy from time to time.

Updated versions will be published on the website and will become effective on the date specified in the updated version.

Where required by Applicable Law, we will provide additional notice or request consent.

Continued use of the website or Services after the effective date of an updated Privacy Policy means that you acknowledge the updated Privacy Policy.

24. Language

This Privacy Policy is provided in English.

Where translations are made available, the English version shall prevail unless otherwise required by Applicable Law.

25. Contact Information

Questions, requests, or complaints regarding this Privacy Policy or Vaultody's processing of personal data may be directed to:

Vaultody Ltd.
Sofia, Studentski grad, Doctor Yordan Yosifov str., 1A
Republic of Bulgaria

Email: [email protected]