EARLY ACCESS·building for the first 100 verified deals·100% stripe-verified metrics·€0 commission fees·NDA-gated deal rooms·STRIPE CONNECTlive·lisbon, PT·
Last updated: May 2026

Privacy Policy

1. Data controller

Vaulto Oy, a company incorporated in Finland, is the data controller for personal data processed through vaulto.sh and related services.

Contact: privacy@vaulto.sh

2. What data we collect

Account data

  • Email address (required for authentication)
  • Name (optional, for display purposes)
  • Company name and role (for business context)
  • Billing information (processed by Stripe)

Listing and deal room data

  • Business information you provide in listings
  • Documents you upload to deal rooms
  • Q&A communications between buyers and sellers
  • NDA signatures (timestamp, IP address, email)

Usage data

  • Pages viewed and features used
  • Device type, browser, and operating system
  • IP address (for security and fraud prevention)

Stripe Connect data

When you connect your Stripe account, we access read-only metrics including MRR, customer counts, and churn rates. We do not access customer payment details, card numbers, or bank account information.

3. How we use your data

  • To provide and improve our services
  • To verify revenue metrics via Stripe Connect
  • To facilitate deal room access and NDA signing
  • To send transactional emails (deal updates, access requests)
  • To prevent fraud and abuse
  • To comply with legal obligations (including DAC7 reporting)

4. Legal basis for processing (GDPR)

  • Contract: Processing necessary to provide our services
  • Legitimate interest: Analytics, security, fraud prevention
  • Legal obligation: Tax reporting (DAC7), AML compliance
  • Consent: Marketing communications (opt-in only)

5. Data sharing and transfers

Service providers

  • Supabase (database hosting) — EU region, GDPR compliant
  • Stripe (payments) — US-based, EU-US Data Privacy Framework certified
  • Vercel (hosting) — US-based, Standard Contractual Clauses in place
  • DocuSeal (NDA signing) — Document processing

International transfers

Where data is transferred outside the EEA, we rely on EU-US Data Privacy Framework adequacy decisions and Standard Contractual Clauses (SCCs) as approved by the European Commission.

DAC7 platform operator reporting

As an EU-based platform facilitating transactions, Vaulto may be required to report seller information (name, address, TIN, transaction amounts) to Finnish tax authorities under the DAC7 directive.

6. Data retention

  • Active accounts: Data retained while account is active
  • Deleted accounts: Personal data deleted within 90 days of account closure
  • Signed NDAs: Retained for 7 years (legal requirement)
  • Access logs: Retained for 13 months (security purposes)
  • Transaction records: Retained for 7 years (tax compliance)

7. Your rights

Under GDPR, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Correct inaccurate data
  • Erasure — Request deletion (subject to legal retention)
  • Portability — Export your data in machine-readable format
  • Object — Object to processing based on legitimate interests
  • Withdraw consent — Where processing is based on consent

To exercise these rights, email privacy@vaulto.sh. We will respond within 30 days.

8. Cookies and analytics

Vaulto uses cookieless analytics (Plausible) that do not track individual users or require cookie consent. We do not use advertising cookies or third-party trackers.

Essential cookies are used for authentication and session management only.

For detailed information about our cookie practices, see our Cookie Policy.

9. Security

We implement appropriate technical and organizational measures including:

  • Encryption in transit (TLS 1.3) and at rest
  • Row-level security in our database
  • Regular security reviews
  • Access logging and monitoring

10. Automated decision-making

Vaulto does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Revenue verification through Stripe Connect is automated but serves only to display metrics — it does not make decisions about your access to the Service or affect your rights.

11. Children

Vaulto is not intended for use by individuals under 18 years of age. We do not knowingly collect data from children.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email or in-app notification at least 30 days before taking effect.

13. Contact and complaints

Data Protection Contact: privacy@vaulto.sh

If you are not satisfied with our response, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.