This notice tells you what personal data Vault.in collects, why we collect it, what we do with it, and what rights you have under the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Digital Personal Data Protection Rules, 2025. It is written for Indian residents in plain English. A Hindi version is available at /hi/privacy.
1. Who we are.
Vault.in is operated by Vault.in Privacy Operations Pvt Ltd, an Indian company with registered office in Mumbai. We act as a Data Fiduciary under the DPDP Act for the personal data we hold about you in your Vault.in account.
2. What data we collect.
On signup: name, email, mobile number, city, and the plan you choose. From your scans: the identifiers you ask us to monitor (additional emails, phone numbers, past addresses, aliases), and (Concierge only) photos you upload for face-match. From operations: scan history, exposure records, evidence packs, removal requests, Data Protection Board (DPB) filings, and account audit logs. Billing: name and billing address, as required by GST law.
3. Why we collect it.
To deliver the service: to scan for exposures, draft Section 12 correction and erasure notices on your behalf, track Rule 14 deadlines, escalate to the Data Protection Board when fiduciaries do not act, and produce monthly reports. We do not use your data for advertising. We do not share it for advertising. We do not profile you for marketing purposes.
4. Lawful basis.
Consent under Section 6 of the DPDP Act. You can withdraw consent at any time via Settings → DPDP rights. Withdrawal stops new processing immediately and triggers erasure under our retention policy (section 7 below); as Section 6 provides, it does not affect the lawfulness of processing carried out before withdrawal.
5. Sharing and subprocessors.
We share data only with the subprocessors named at /trust/subprocessors. We do not sell or rent your data. We do not share it with advertising networks, with data brokers (except to the extent needed to submit a Section 12 correction or erasure notice to that broker on your behalf), or with any third party not strictly necessary to deliver the service.
6. Cross-border transfer.
Default-deny. Our database resides in Mumbai (Supabase ap-south-1). Limited outbound transfers occur for breach-database lookups (hashed identifiers only), payments (Razorpay, Indian rails), and Concierge-only face-match (hashed embeddings only, opt-in). Each transfer is listed in this section and recorded in your account audit log.
7. Retention.
For the lifetime of your account plus thirty days post-cancellation. Evidence packs related to active DPB filings are retained for an additional one year to support continuing proceedings. You can configure shorter retention via Settings.
8. Your rights.
Right of access (Section 11): export your data via Settings → DPDP rights, delivered within twenty-four hours. Right of correction (Section 12): edit anything in Profile or Aliases. Right of erasure (Section 12): one-tap account deletion, completed within thirty days with proof of destruction. Right to nominate (Section 14): designate a person to act on your behalf. Right of grievance redressal (Section 13): contact our Grievance Officer; if not satisfied within thirty days, escalate to the DPB.
9. Children (Section 9).
For Family-plan members under eighteen, we require verifiable parental consent (Aadhaar OTP for the parent, signed declaration, attested relationship document). We disable tracking-style processing and monetisation pathways by default. Erasure on parental request is honoured within seven days, not thirty.
10. Security and breach.
Encryption at rest with per-user derived keys, TLS 1.3 in transit, audit logs on every read. Breach intimation to affected users and to the DPB without delay, with the detailed report to the DPB within seventy-two hours, per Rule 7. Full security architecture at /trust/security; full breach promise at /trust/breach-promise.
11. Grievance and DPO.
Grievance Officer: [email protected]. Data Protection Officer: same email, mark subject "FAO: DPO". Postal: at the registered office in Mumbai (full address on /grievance).
12. Changes to this notice.
We version this notice with a date. Material changes are announced in-app at least thirty days before they take effect. The full version history is available on request.