Legal
Privacy Policy
Effective date: July 20, 2026
1. Who We Are
GetDocVault, Inc. ("DocVault", "we", "us", or "our") operates the DocVault platform available at getdocvault.com and associated subdomains (the "Service"). We provide a B2B Know-Your-Business (KYB) document collection and compliance workflow platform for sales and compliance teams.
For purposes of the EU General Data Protection Regulation (GDPR) and UK GDPR, GetDocVault, Inc. acts as a data controller with respect to account holder data and as a data processor with respect to personal data uploaded by our customers into compliance rooms.
2. Scope
This Privacy Policy describes how we collect, use, store, and disclose personal data when you visit our website, create an account, or use the Service. It applies to:
- Customers and their authorized users (verifiers)
- Third-party business contacts (clients) invited to submit documents through a compliance room
- Visitors to our marketing website
3. Data We Collect
3.1 Account and Identity Data
When you register or are invited to the Service we collect your name, business email address, company name, job title, and a hashed password. We may also collect your billing address and payment method details (processed by our payment processor; we do not store raw card numbers).
3.2 Compliance Room Data
Our customers upload business documents (e.g., articles of incorporation, ownership certificates, financial statements) and related metadata into compliance rooms. This data is stored in private, encrypted cloud storage. We process this data solely on behalf of our customers and in accordance with their instructions.
3.3 Usage and Log Data
We automatically collect IP addresses, browser type, operating system, referring URLs, pages viewed, timestamps, and session identifiers. This data is used for security monitoring, debugging, and service improvement. Server-side logs are retained for 90 days.
3.4 Communications
If you contact us by email or through in-product messaging, we retain those communications and any information you provide in them.
3.5 Cookies and Similar Technologies
We use strictly necessary session cookies to authenticate logged-in users. We do not use advertising cookies or third-party tracking pixels. You can disable cookies in your browser settings, but doing so will prevent you from logging in.
4. Legal Bases for Processing (GDPR)
Where GDPR applies, we rely on the following legal bases:
5. How We Use Your Data
- Providing, operating, and improving the Service
- Authenticating users and enforcing access controls
- Sending transactional emails (e.g., room invitations, document request notifications, password resets)
- Detecting and preventing fraud, abuse, and security incidents
- Complying with legal obligations
- Responding to support requests and communicating service updates
We do not sell your personal data. We do not use compliance room documents for training AI models or any purpose other than delivering the Service.
6. Data Sharing and Sub-processors
We share personal data only with trusted sub-processors necessary to operate the Service, each bound by a data processing agreement. These include our hosting and private file storage provider (Vercel), database (Neon), encryption key management (AWS KMS), transactional email (Resend), payment processing (Stripe), realtime messaging (Ably), and monitoring (Sentry and Better Stack).
The complete, current list — with the purpose, data, and location of each sub-processor — is published at getdocvault.com/subprocessors.
We do not disclose personal data to third parties except as described above, or where required by law, to protect rights and safety, or in connection with a merger or acquisition (with advance notice to affected customers).
7. International Data Transfers
Our primary infrastructure is located in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the USA. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism for such transfers, where required.
8. Data Retention
We retain account data for the duration of your subscription and for up to 12 months after termination to allow for disputes, audits, and legal compliance. Compliance room documents are retained in accordance with our customers' instructions and deleted within 30 days of a verified deletion request. By default, documents in a room are permanently and irreversibly deleted 90 days after the room is approved; the customer controls this schedule and may extend, shorten, or disable it per room. Room records, checklist statuses, and activity logs are retained after document deletion as the customer's record of the verification. Server logs are retained for 90 days.
9. Security
We implement administrative, technical, and physical safeguards built to SOC 2 Type II criteria (we are working toward certification but are not yet SOC 2 certified), including:
- Encryption in transit (TLS 1.2+) and at rest. Uploaded documents use per-tenant envelope encryption: a unique AES-256-GCM key per document, wrapped by a per-workspace AWS KMS master key.
- Passwords hashed with bcrypt and optional multi-factor authentication (TOTP)
- Role-based access control and principle of least privilege
- An append-only audit trail of security-relevant and document-access events
- Rate limiting on login and sensitive actions, signed and SSRF-protected webhooks
- Regular security reviews and vulnerability assessments
- Incident response procedures with customer notification within 72 hours of a confirmed breach
For a fuller description of our controls, see our Security page.
No method of transmission over the internet is 100% secure. We encourage you to use strong, unique passwords and notify us immediately at privacy@getdocvault.com if you suspect unauthorized access.
10. Your Rights (GDPR / UK GDPR)
If you are in the EEA, UK, or Switzerland, you have the following rights with respect to your personal data:
To exercise any of these rights, contact us at dpo@getdocvault.com. We will respond within 30 days.
11. California Residents (CCPA / CPRA)
California residents may request to know what personal information we collect, request deletion, and opt out of sale. We do not sell or share personal information for cross-context behavioral advertising. To submit a request, email privacy@getdocvault.com.
12. Children's Privacy
The Service is intended solely for business use by individuals 18 years of age or older. We do not knowingly collect personal data from children under 16.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account holders of material changes by email at least 14 days before the change takes effect and will update the effective date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
14. Contact Us
For privacy inquiries or to exercise your rights, contact:
GetDocVault, Inc.Attn: Privacy / Data Protection
Email: dpo@getdocvault.com
Website: getdocvault.com