Privacy Policy

1. Who We Are

RedactVault is a browser-based document redaction platform designed to allow users to detect, review, and permanently redact sensitive information from documents.

RedactVault is operated from Ireland.

Data protection contact: privacy@redactvault.com

For the purposes of applicable data protection laws, we act as a Data Controller for account and service data described in this policy.

2. Our Core Privacy Principle

RedactVault is built on a simple principle:

Your documents remain under your control.

By default:

• Documents are processed locally in your browser.
• Files are not uploaded to our servers for analysis or redaction.
• We do not read, store, or access the contents of your documents.

If this changes in future features (e.g. optional cloud services), this policy will be updated accordingly with appropriate notice.

3. Information We Collect

We collect different types of information depending on how you use RedactVault.

3.1 Information You Provide

If you create an account, we may collect:

• Name
• Email address
• Company name (if applicable)
• Billing details (handled securely by our payment processor; see Section 9)
• Support communications

We do not collect the contents of your uploaded documents.

3.2 Usage & Technical Data

We may collect limited technical information such as:

• Browser type and version
• Device type
• Operating system
• IP address (for security and fraud prevention)
• Log data (errors, performance metrics)
• Feature usage analytics (e.g. which detection engines are enabled, document format types used)

This data is used strictly to maintain security, improve product performance, fix bugs, and understand feature usage trends. We do not use analytics data to inspect or infer document contents.

3.3 Cookies & Similar Technologies

RedactVault uses cookies and local storage for:

• Strictly necessary cookies: Authentication sessions, security protections (e.g. CSRF tokens), and essential application functionality. These do not require consent under GDPR as they are essential to provide the Service.
• Preference cookies: Remembering your settings and preferences (e.g. theme, detection engine choices).
• Optional analytics cookies: If you opt in, Google Analytics is used for core page measurement so we can improve the Service. We disable automatic pageview collection, do not enable advertising personalization signals, sanitize tracked page paths, and do not include URL query strings or hash fragments in analytics page URLs.

We do not use third-party advertising cookies. Optional analytics cookies are activated only if you accept them, and you can later change that choice using the Cookie preferences control in the product. We do not use cookies or analytics tools to track or access document contents, and we do not send document names, workspace names, email addresses, or raw URL tokens and session identifiers to Google Analytics. You may disable cookies in your browser settings, but some features may not function properly.

4. Document Processing

RedactVault is designed so that:

• Document processing occurs locally in your browser.
• Detection engines (including AI-powered models) operate client-side where technically feasible.
• Redactions are applied within the browser before export.

4.1 AI Model Downloads

Certain detection features (such as face detection and named-entity recognition) require downloading AI models from third-party model repositories (e.g. Hugging Face). These downloads are fetched directly to your browser. No document data is sent to these model repositories. The models run entirely within your browser after download.

4.2 What We Do Not Do

We do not:

• Store your documents on our servers (unless explicitly stated for future optional features).
• Access, read, or inspect document contents.
• Use document data for AI/ML model training.
• Share document data with third parties.
• Use document metadata for profiling or advertising.

You are solely responsible for ensuring that your use of RedactVault complies with applicable data protection regulations in your jurisdiction.

5. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process payments and manage subscriptions
• Communicate with you about your account, support requests, and service updates
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Analyze usage trends to improve features and performance (in aggregate, not linked to document contents)

We do not sell your personal data. We do not use your data for advertising.

6. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following legal bases:

• Contractual necessity – to provide your account, process payments, and deliver the Service you requested.
• Legitimate interests – to improve, secure, and maintain the platform, analyze aggregate usage trends, and prevent fraud. We balance these interests against your rights and freedoms.
• Legal obligations – where required by applicable law (e.g. tax record retention).
• Consent – where explicitly requested (e.g. for optional marketing communications). You may withdraw consent at any time.

7. Data Retention

We retain:

• Account information for as long as your account remains active.
• Billing records for the period required by applicable tax and commercial law (typically 6–7 years in Ireland/EU).
• Security and audit logs for up to 12 months.
• Support correspondence for up to 24 months after resolution.

We do not retain document contents processed locally in your browser.

If you delete your account, we will delete or anonymize your personal data within 30 days, except where legally required to retain it.

8. Data Security

We implement industry-standard technical and organizational safeguards, including:

• Encrypted HTTPS connections (TLS) for all data in transit
• Encryption at rest for stored personal data
• Secure authentication mechanisms
• Role-based access controls
• Infrastructure security best practices
• Monitoring and logging for abuse prevention

No system can guarantee absolute security, but we take data protection extremely seriously and continuously review our security practices.

9. Third-Party Services & Sub-Processors

We use trusted third-party service providers to operate the Service. These providers only receive the minimum data necessary to perform their function and are contractually bound to protect it.

9.1 Current Sub-Processors

We may update this list as our infrastructure evolves. Material changes to sub-processors will be reflected in updates to this Privacy Policy.

We do not sell personal data to any third party.

10. International Data Transfers

RedactVault is operated from Ireland (within the EU/EEA). Some of our third-party service providers are based outside the EEA.

Where data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs)
• EU-US Data Privacy Framework certification (where applicable)
• Other equivalent lawful transfer mechanisms under GDPR Article 46

11. Your Rights (EU/EEA/UK)

Under GDPR and equivalent UK data protection law, you have the right to:

• Access – request a copy of the personal data we hold about you
• Rectification – correct inaccurate or incomplete data
• Erasure – request deletion of your data (“right to be forgotten”)
• Restriction – restrict how we process your data in certain circumstances
• Objection – object to processing based on legitimate interests
• Data portability – receive your data in a structured, machine-readable format
• Withdraw consent – where processing is based on consent, withdraw it at any time
• Lodge a complaint – with a supervisory authority (see below)

To exercise your rights, contact: privacy@redactvault.com

We will respond to valid requests within one calendar month, as required by GDPR. In complex cases, this may be extended by up to two additional months, and we will notify you of any extension.

If you are located in Ireland, you may contact the Data Protection Commission (DPC) at www.dataprotection.ie.

12. Your Rights (United States)

If you are a resident of a US state with consumer privacy legislation (including California, Virginia, Colorado, Connecticut, and others), you may have additional rights, including:

• Right to know – what personal information we collect, use, and disclose
• Right to delete – request deletion of your personal information
• Right to opt out of sale – we do not sell your personal information
• Right to non-discrimination – we will not discriminate against you for exercising your privacy rights

12.1 California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act (as amended by the CPRA):

• We do not sell or share personal information for cross-context behavioral advertising.
• We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Service.
• You may designate an authorized agent to make requests on your behalf.

To exercise your rights, contact: privacy@redactvault.com

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

• We will notify the relevant supervisory authority (the Irish Data Protection Commission) within 72 hours of becoming aware of the breach, as required by GDPR.
• If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay via email or prominent notice within the Service.
• We maintain incident response procedures to detect, investigate, and remediate security incidents.

14. Children's Privacy

RedactVault is not intended for use by children under 16 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy periodically. If we make material changes, we will:

• Update the “Last Updated” date at the top of this page
• Provide at least 30 days' notice through the Service or via email before material changes take effect
• Where required by law, obtain your consent for material changes to how we process your data

Continued use of RedactVault after changes take effect constitutes acceptance of the updated policy. If you do not agree, you should stop using the Service before the changes take effect.

16. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about how we handle your data, please contact:

Email: privacy@redactvault.com

We aim to resolve all queries and complaints promptly. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.