Privacy Policy

Vaultium | Effective date: March 1, 2026 | Last updated: March 30, 2026

1. Data Controller

Webito Future Tech s.r.o. ("Vaultium", "we", "us", "our") is the data controller responsible for your personal data.

Registered address: Prague, Czech Republic

Contact: privacy@vaultium.io

2. Scope

This Privacy Policy applies to the Vaultium mobile application (iOS and Android), the Vaultium website (vaultium.io), and the purchase of Vaultium physical devices.

3. Data Collected by the App

The Vaultium app is designed to operate without collecting or transmitting any personal data. Specifically:

  • The app does not connect to the internet. It has no network permissions in release builds.
  • TOTP secrets and account names are stored locally on your device in an AES-256 encrypted database.
  • The master encryption key is stored exclusively on your physical Vaultium device, not on our servers.
  • No analytics, crash reporting, advertising identifiers, or telemetry of any kind are collected.
  • No user accounts or registration are required to use the app.

4. Camera Permission

The app requests camera access solely for scanning QR codes when adding new 2FA accounts. Camera data is processed locally in real time and is never stored, recorded, or transmitted.

5. NFC Permission

The app uses NFC to communicate with your physical Vaultium device for unlocking the vault and writing encrypted data. NFC communication occurs locally between your phone and the Vaultium device. No data from NFC interactions is transmitted externally.

6. Data Collected by the Website

When you visit vaultium.io or make a purchase, we may collect:

  • Email address — if you contact support or join our waitlist.
  • Shipping information (name, address) — if you purchase Vaultium devices. This data is processed by our payment provider and is not stored on our servers beyond what is necessary to fulfill your order.
  • Payment information — processed entirely by our third-party payment processor. We do not store credit card numbers or payment details.

7. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance — processing shipping and order data to fulfill your purchase.
  • Legitimate interest — responding to support inquiries.
  • Consent — where applicable, such as marketing communications (you may withdraw consent at any time).

8. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

  • Payment processors — to process transactions securely.
  • Shipping providers — to deliver physical devices to your address.

All third-party providers are bound by data processing agreements compliant with GDPR.

9. Data Retention

  • Order and shipping data is retained for the duration required by applicable tax and commercial law (typically 5–10 years).
  • Support correspondence is retained for up to 2 years after the last interaction.
  • Waitlist emails are retained until you unsubscribe or request deletion.

10. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

  • Access the personal data we hold about you (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Request erasure of your data (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact privacy@vaultium.io. We will respond within 30 days.

11. Cookies

The Vaultium website uses only essential cookies required for basic site functionality. We do not use tracking cookies, advertising cookies, or third-party analytics.

12. Children's Privacy

Vaultium is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. International Data Transfers

Your data is processed within the European Economic Area (EEA). If any data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

14. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including encrypted communications (TLS), access controls, and regular security reviews.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of our services after changes constitutes acceptance of the revised policy.

16. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead authority is:

Office for Personal Data Protection (ÚOOÚ)

Pplk. Sochora 27, 170 00 Prague 7, Czech Republic

EU residents may also contact their local data protection authority.

17. Contact

Webito Future Tech s.r.o.

Prague, Czech Republic

Email: privacy@vaultium.io