Privacy Policy.

Last updated: 15 September 2025

Controller

Endpoint Esports Ltd (Company No. 10341616), registered office Ash House, 65 Napier Street, Sheffield, S11 8HA, United Kingdom · privacy@vauzy.com

Supervisory authority

UK Information Commissioner's Office (ICO). You may lodge a complaint with the ICO; we'd appreciate the chance to resolve your concern first.

  1. Scope and roles

    Website & accounts (controller). We control account, billing and communications data as described in this policy.

    Vault contents (processor). For encrypted vault data you store, we act as processor—see Data Processing Addendum (DPA), Sections 1 and 3. Our zero-knowledge design means we cannot read plaintext secrets.

  2. What we collect

    1. Account & billing data: name, business email, organisation, role, plan, billing contact, payment tokens/status (via Stripe; we do not store full card data).
    2. Operational logs: login events, device/browser, IP, audit logs of actions (create/update/share/delete).
    3. Support/communications: messages you send us (email via MailerSend; SMS via Twilio where applicable) and related metadata.
    4. Marketing site analytics: aggregated usage via Google Analytics (marketing site only; not in‑app).
    5. Vault content: end‑to‑end encrypted secrets (passwords, 2FA seeds/codes, API keys, notes, files). We cannot read plaintext.

  3. Why we process data (legal bases)

    1. Provide the Service (contract): account creation, WebAuthn passkey login, sync, sharing, audit logs, support.
    2. Security & fraud prevention (legitimate interests/legal obligation): access controls, logging, incident response.
    3. Billing & compliance (legal obligation/contract): invoicing, VAT, record-keeping.
    4. Product messages (legitimate interests/contract): service notices, security alerts.
    5. Marketing (consent/legitimate interests for B2B): newsletters/updates to business contacts (opt-out any time).
    6. Analytics on marketing site (consent where required).

  4. Sharing and international transfers

    We use vetted processors under contract/confidentiality: AWS (hosting/storage); Stripe (payments); MailerSend (email delivery); Twilio (SMS)—see DPA, Annex B. Data may be accessed from outside the UK/EU under SCCs/UK IDTA with strong encryption.

  5. Retention

    1. Account data: retained while active; deleted/anonymised after closure unless needed for legal obligations.
    2. Vault data: you control deletion. After account closure, a 30‑day recovery window applies, then purged from live systems and backups per normal cycle (see Vauzy Terms of Service, Section 8.4).
    3. Logs/support: retained for security/troubleshooting and legal obligations for a reasonable period.

  6. Your rights (UK/EU GDPR)

    Access, rectification, erasure, portability, restriction, and objection (including to marketing). For vault contents, you can delete/export items self‑service. Requests: privacy@vauzy.com. Verification and coordination with your organisation admin may be required.

  7. Cookies & tracking

    1. App: strictly necessary session cookies only (no analytics/ads cookies).
    2. Marketing site: Google Analytics (consent‑based where required). See Cookie Policy.

  8. Security

    We use end‑to‑end encryption, WebAuthn passkeys‑only login, and comprehensive audit logging. See Vauzy Security Statement, Sections 1–3.

  9. Children

    Not intended for under‑16s; we do not knowingly process children’s data.

  10. Changes & contact

    We’ll post updates here and, for material changes, notify you by email/in‑app with reasonable advance notice. Legal notices by post may be sent to our registered office above.