GDPR Compliance

Last updated: February 18, 2026

1. Our Commitment to GDPR

Vulu Vault is committed to complying with the General Data Protection Regulation (GDPR). We act as a Data Processor for the business data you store on our platform, and as a Data Controller for account and usage data we collect to provide our services.

2. Data Controller Information

  • Controller: Vulu Vault
  • Contact: privacy@vuluvault.com
  • Data Protection Officer: privacy@vuluvault.com

3. Legal Basis for Processing

We process personal data under the following legal bases (GDPR Article 6):

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide our services: account management, authentication, task management, document storage.
  • Consent (Art. 6(1)(a)): Analytics cookies (Sentry error tracking) and marketing communications. You can withdraw consent at any time.
  • Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and platform improvement.
  • Legal Obligation (Art. 6(1)(c)): Audit log retention as required by applicable regulations.

4. Your Rights Under GDPR

Right to Access (Article 15)

You can request a copy of all personal data we hold about you. Use the "Export My Data" feature in your account settings to download your data instantly.

Right to Rectification (Article 16)

You can update your personal information at any time through your profile settings (name, email, phone number, company information).

Right to Erasure (Article 17)

You can request deletion of your account and personal data through your privacy settings. Personal data will be anonymized. Note: business owners must transfer organization ownership before account deletion.

Right to Data Portability (Article 20)

You can export your data in JSON format, including your profile, consent records, file metadata, tasks, and activity history.

Right to Withdraw Consent (Article 7(3))

You can withdraw consent for analytics cookies at any time through the cookie preferences banner or your account privacy settings. Withdrawal does not affect the lawfulness of processing before withdrawal.

5. How to Exercise Your Rights

You can exercise your GDPR rights through:

  • Self-Service: Navigate to Settings → Privacy in your dashboard.
  • Email: Contact privacy@vuluvault.com with your request.

We will respond to all data subject requests within 30 days as required by GDPR.

6. Data Transfers

Our infrastructure providers (Vercel, Cloudflare, Neon) may process data in regions outside the EEA. These transfers are protected by Standard Contractual Clauses (SCCs) and the providers' compliance certifications.

7. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33). Affected individuals will be notified without undue delay if the breach is likely to result in a high risk (GDPR Article 34).

8. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. We encourage you to contact us first at privacy@vuluvault.com so we can address your concerns directly.