Legal

Privacy Policy

Effective date: July 20, 2026

1. Who We Are

GetDocVault, Inc. ("DocVault", "we", "us", or "our") operates the DocVault platform available at getdocvault.com and associated subdomains (the "Service"). We provide a B2B Know-Your-Business (KYB) document collection and compliance workflow platform for sales and compliance teams.

For purposes of the EU General Data Protection Regulation (GDPR) and UK GDPR, GetDocVault, Inc. acts as a data controller with respect to account holder data and as a data processor with respect to personal data uploaded by our customers into compliance rooms.

2. Scope

This Privacy Policy describes how we collect, use, store, and disclose personal data when you visit our website, create an account, or use the Service. It applies to:

  • Customers and their authorized users (verifiers)
  • Third-party business contacts (clients) invited to submit documents through a compliance room
  • Visitors to our marketing website

3. Data We Collect

3.1 Account and Identity Data

When you register or are invited to the Service we collect your name, business email address, company name, job title, and a hashed password. We may also collect your billing address and payment method details (processed by our payment processor; we do not store raw card numbers).

3.2 Compliance Room Data

Our customers upload business documents (e.g., articles of incorporation, ownership certificates, financial statements) and related metadata into compliance rooms. This data is stored in private, encrypted cloud storage. We process this data solely on behalf of our customers and in accordance with their instructions.

3.3 Usage and Log Data

We automatically collect IP addresses, browser type, operating system, referring URLs, pages viewed, timestamps, and session identifiers. This data is used for security monitoring, debugging, and service improvement. Server-side logs are retained for 90 days.

3.4 Communications

If you contact us by email or through in-product messaging, we retain those communications and any information you provide in them.

3.5 Cookies and Similar Technologies

We use strictly necessary session cookies to authenticate logged-in users. We do not use advertising cookies or third-party tracking pixels. You can disable cookies in your browser settings, but doing so will prevent you from logging in.

4. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases:

Contract performance:Processing necessary to create and manage your account and deliver the Service.
Legitimate interests:Security monitoring, fraud prevention, debugging, and improving the Service, where these interests are not overridden by your rights.
Legal obligation:Complying with applicable laws, court orders, or regulatory requirements.
Consent:Where we ask for your consent (e.g., optional communications), you may withdraw it at any time.

5. How We Use Your Data

  • Providing, operating, and improving the Service
  • Authenticating users and enforcing access controls
  • Sending transactional emails (e.g., room invitations, document request notifications, password resets)
  • Detecting and preventing fraud, abuse, and security incidents
  • Complying with legal obligations
  • Responding to support requests and communicating service updates

We do not sell your personal data. We do not use compliance room documents for training AI models or any purpose other than delivering the Service.

6. Data Sharing and Sub-processors

We share personal data only with trusted sub-processors necessary to operate the Service, each bound by a data processing agreement. These include our hosting and private file storage provider (Vercel), database (Neon), encryption key management (AWS KMS), transactional email (Resend), payment processing (Stripe), realtime messaging (Ably), and monitoring (Sentry and Better Stack).

The complete, current list — with the purpose, data, and location of each sub-processor — is published at getdocvault.com/subprocessors.

We do not disclose personal data to third parties except as described above, or where required by law, to protect rights and safety, or in connection with a merger or acquisition (with advance notice to affected customers).

7. International Data Transfers

Our primary infrastructure is located in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the USA. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism for such transfers, where required.

8. Data Retention

We retain account data for the duration of your subscription and for up to 12 months after termination to allow for disputes, audits, and legal compliance. Compliance room documents are retained in accordance with our customers' instructions and deleted within 30 days of a verified deletion request. By default, documents in a room are permanently and irreversibly deleted 90 days after the room is approved; the customer controls this schedule and may extend, shorten, or disable it per room. Room records, checklist statuses, and activity logs are retained after document deletion as the customer's record of the verification. Server logs are retained for 90 days.

9. Security

We implement administrative, technical, and physical safeguards built to SOC 2 Type II criteria (we are working toward certification but are not yet SOC 2 certified), including:

  • Encryption in transit (TLS 1.2+) and at rest. Uploaded documents use per-tenant envelope encryption: a unique AES-256-GCM key per document, wrapped by a per-workspace AWS KMS master key.
  • Passwords hashed with bcrypt and optional multi-factor authentication (TOTP)
  • Role-based access control and principle of least privilege
  • An append-only audit trail of security-relevant and document-access events
  • Rate limiting on login and sensitive actions, signed and SSRF-protected webhooks
  • Regular security reviews and vulnerability assessments
  • Incident response procedures with customer notification within 72 hours of a confirmed breach

For a fuller description of our controls, see our Security page.

No method of transmission over the internet is 100% secure. We encourage you to use strong, unique passwords and notify us immediately at privacy@getdocvault.com if you suspect unauthorized access.

10. Your Rights (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, you have the following rights with respect to your personal data:

Access:Request a copy of the personal data we hold about you.
Rectification:Ask us to correct inaccurate or incomplete data.
Erasure:Request deletion of your personal data, subject to legal retention obligations.
Restriction:Ask us to restrict processing in certain circumstances.
Portability:Receive your data in a structured, machine-readable format.
Objection:Object to processing based on legitimate interests.
Withdraw consent:Where processing is based on consent, withdraw it at any time without affecting prior processing.
Lodge a complaint:File a complaint with your local data protection authority (e.g., your EU Member State's DPA or the UK ICO).

To exercise any of these rights, contact us at dpo@getdocvault.com. We will respond within 30 days.

11. California Residents (CCPA / CPRA)

California residents may request to know what personal information we collect, request deletion, and opt out of sale. We do not sell or share personal information for cross-context behavioral advertising. To submit a request, email privacy@getdocvault.com.

12. Children's Privacy

The Service is intended solely for business use by individuals 18 years of age or older. We do not knowingly collect personal data from children under 16.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify account holders of material changes by email at least 14 days before the change takes effect and will update the effective date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

14. Contact Us

For privacy inquiries or to exercise your rights, contact:

GetDocVault, Inc.
Attn: Privacy / Data Protection
Email: dpo@getdocvault.com
Website: getdocvault.com