Legal Document

Privacy Policy

Effective Date: November 25, 2024 | Last Updated: November 25, 2024

This Privacy Policy ("Policy") describes how BidayaX LLC, a Delaware limited liability company ("BidayaX," "Company," "we," "us," or "our"), collects, uses, discloses, and protects information about users ("you" or "User") of the Vaultheir platform, the website located at vaultheir.com, and related services (collectively, the "Services").

BY ACCESSING OR USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY. IF YOU DO NOT AGREE, PLEASE DO NOT ACCESS OR USE OUR SERVICES.

1. INFORMATION WE COLLECT

1.1 Information You Provide Directly

  • Account Information: When you register, we collect your name, email address, phone number (optional), and encrypted password.
  • Payment Information: Credit card details, billing address, and transaction history are processed through our PCI-DSS compliant payment processor (Stripe, Inc.) and are not stored on our servers.
  • Documents and Content: Files you upload for notarization are encrypted client-side before transmission using AES-256-GCM encryption.
  • Communications: Emails, support requests, and feedback you send to us.
  • Identity Verification: If required, government-issued identification documents for enhanced verification.

1.2 Information Collected Automatically

  • Device Information: IP address, browser type, operating system, device identifiers.
  • Usage Data: Pages visited, features used, timestamps, referring URLs.
  • Cookies and Tracking: Essential cookies for functionality and analytics cookies (with consent).
  • Log Data: Server logs including access times, error reports, and system activity.

1.3 Information from Third Parties

  • Identity verification services
  • Fraud prevention providers
  • Social login providers (if you choose to authenticate via Google, etc.)

2. HOW WE USE YOUR INFORMATION

We process your information for the following purposes:

  • Service Delivery: To provide, maintain, and improve our IP notarization services.
  • Blockchain Recording: To create cryptographic hashes of your documents and record them on the Hedera Hashgraph distributed ledger.
  • Account Management: To create and manage your account, process transactions, and provide customer support.
  • Security: To detect, prevent, and respond to fraud, abuse, or security incidents.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.
  • Communications: To send transactional emails, security alerts, and (with consent) marketing communications.
  • Analytics: To understand usage patterns and improve our Services.

3. LEGAL BASIS FOR PROCESSING (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data based on:

  • Contract Performance: Processing necessary to provide our Services.
  • Legitimate Interests: Security, fraud prevention, service improvement.
  • Legal Obligation: Compliance with applicable laws.
  • Consent: Where required, such as for marketing communications.

4. DATA SHARING AND DISCLOSURE

We do not sell your personal information.

We may share information with:

  • Service Providers: Cloud hosting (AWS/Google Cloud), payment processing (Stripe), email services, analytics providers, under strict confidentiality agreements.
  • Blockchain Networks: Cryptographic hashes (not content) are recorded on Hedera Hashgraph for notarization purposes.
  • Legal Requirements: When required by law, subpoena, court order, or government request.
  • Business Transfers: In connection with merger, acquisition, or sale of assets, with notice to you.
  • With Your Consent: When you explicitly authorize disclosure.

5. DATA SECURITY

We implement industry-standard security measures:

  • AES-256-GCM encryption for data at rest and in transit
  • TLS 1.3 for all communications
  • Zero-knowledge architecture for document storage
  • Multi-factor authentication options
  • Regular security audits and penetration testing
  • SOC 2 Type II compliant infrastructure
  • Employee access controls and training

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. DATA RETENTION

  • Account Data: Retained while your account is active and for 7 years after deletion for legal compliance.
  • Notarization Records: Blockchain records are permanent and immutable by design.
  • Encrypted Documents: Retained according to your subscription plan; deleted upon request or account termination.
  • Log Data: Retained for up to 24 months for security and operational purposes.

7. YOUR RIGHTS AND CHOICES

7.1 All Users

  • Access and update your account information
  • Delete your account (subject to legal retention requirements)
  • Opt out of marketing communications
  • Manage cookie preferences

7.2 EEA, UK, and Swiss Users (GDPR)

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure ("right to be forgotten") (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

7.3 California Residents (CCPA/CPRA)

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of sale (we do not sell personal information)
  • Right to non-discrimination
  • Right to correct inaccurate information
  • Right to limit use of sensitive personal information

8. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to and processed in the United States and other countries where our service providers operate. For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with appropriate safeguards
  • Adequacy decisions where applicable

9. CHILDREN'S PRIVACY

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us.

10. THIRD-PARTY LINKS

Our Services may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any information.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy periodically. We will notify you of material changes by posting the new policy on our website and updating the "Last Updated" date. For significant changes, we will provide additional notice via email or in-app notification. Your continued use of our Services after changes constitutes acceptance of the updated policy.

12. CONTACT US

For privacy-related inquiries, data subject requests, or complaints:

BidayaX LLC

Attn: Privacy Officer

Email: support@bidayax.com

Delaware, United States

We will respond to your request within 30 days (or sooner as required by applicable law).

This Privacy Policy is provided in English. In the event of any conflict between the English version and any translation, the English version shall prevail.

Copyright 2024 BidayaX LLC. All rights reserved. Vaultheir is a trademark of BidayaX LLC.