GDPR Compliance

Vaultium | Effective date: March 1, 2026 | Last updated: March 30, 2026

1. Our Commitment

Webito Future Tech s.r.o. ("Vaultium") is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). As a company registered in the Czech Republic within the European Union, GDPR applies directly to all our operations.

2. Data Controller

Webito Future Tech s.r.o.

Prague, Czech Republic

Data protection contact: privacy@vaultium.io

3. Privacy by Design and by Default (Art. 25)

Vaultium is architected around the principle of data minimization:

  • The app collects zero personal data. No user accounts, no analytics, no telemetry.
  • All TOTP secrets are encrypted locally using AES-256 (SQLCipher). The encryption key exists only on the physical Vaultium device.
  • The app has no internet permission in release builds, making remote data collection technically impossible.
  • Camera access is used exclusively for QR code scanning. No images are stored or transmitted.
  • NFC communication is local only, between the phone and the Vaultium device.

4. Categories of Personal Data Processed

We process personal data only in the following limited contexts:

a) Device Purchases

  • Name and shipping address — to fulfill orders.
  • Email address — for order confirmation and shipping updates.
  • Payment data — processed by our third-party payment provider. We do not store payment card details.

b) Support Inquiries

  • Email address and message content — to respond to your inquiry.

c) Waitlist

  • Email address — to notify you of product availability.

The Vaultium app itself does not transmit any data to us or any third party.

5. Legal Basis for Processing (Art. 6)

  • Art. 6(1)(b) — Contract performance: processing order and shipping data to fulfill purchases.
  • Art. 6(1)(f) — Legitimate interest: responding to support requests and maintaining service quality.
  • Art. 6(1)(a) — Consent: waitlist registration and optional marketing communications.
  • Art. 6(1)(c) — Legal obligation: retaining financial records as required by tax law.

6. Data Processors and Third Parties

We engage the following categories of processors, all bound by GDPR-compliant Data Processing Agreements:

  • Payment processor — for secure transaction handling.
  • Shipping provider — for physical device delivery.
  • Website hosting — for serving vaultium.io.

We do not sell, rent, or share personal data with third parties for marketing purposes.

7. International Data Transfers

All data processing occurs within the European Economic Area (EEA). In the event that data is transferred outside the EEA, we ensure compliance through Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.

8. Data Retention

  • Order and financial records: retained as required by Czech tax and commercial law (typically 5–10 years).
  • Support correspondence: retained for up to 2 years after the last interaction, then deleted.
  • Waitlist emails: retained until you unsubscribe or request deletion.

9. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of your personal data.
  • Right to rectification (Art. 16) — correct inaccurate personal data.
  • Right to erasure (Art. 17) — request deletion of your personal data.
  • Right to restriction (Art. 18) — restrict processing in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time without affecting prior processing.

To exercise any of these rights, contact privacy@vaultium.io. We will respond within 30 days. If the request is complex, we may extend this by an additional 60 days with prior notice.

10. Data Breach Notification (Art. 33–34)

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours. If the breach poses a high risk, we will also notify affected individuals without undue delay.

11. Data Protection Impact Assessment

Given that the Vaultium app processes zero personal data and operates entirely offline, a formal DPIA is not required for the app itself. For website and e-commerce operations, we conduct assessments as appropriate when introducing new processing activities.

12. Cookies

The Vaultium website uses only strictly necessary cookies for basic site functionality. No consent is required for these cookies under GDPR. We do not use tracking, analytics, or advertising cookies.

13. Children

Vaultium is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

14. Supervisory Authority

Our lead supervisory authority is:

Office for Personal Data Protection (Úřad pro ochranu osobních údajů — ÚOOÚ)

Pplk. Sochora 27, 170 00 Prague 7, Czech Republic

Website: https://www.uoou.cz

EU residents may also lodge a complaint with their local data protection authority.

15. Changes

We may update this document from time to time. Changes will be posted on this page with an updated revision date.

16. Contact

Webito Future Tech s.r.o.

Prague, Czech Republic

Email: privacy@vaultium.io