This Privacy Policy describes how SafeDatum B.V. ("we", "us", "SafeDatum") collects, uses, and protects your personal data when you use our secure data vault service. We are committed to data minimization and process only what is necessary to operate the service.
Data Controller
The data controller responsible for your personal data is SafeDatum B.V., registered in the Netherlands. For privacy-related inquiries, contact our Data Protection Officer at security@safedatum.com.
Information We Collect
We collect only the minimum data required to provide and secure the Service:
| Category | Examples | Purpose |
|---|---|---|
| Account data | Email address, hashed password | Authentication, account recovery |
| Vault contents | Client-side encrypted blobs | Storage and retrieval (we cannot read these) |
| Technical data | IP address, user agent, request timestamps | Security, abuse prevention, debugging |
| Billing data | Last four digits of card, billing country | Payment processing (paid plans only) |
We do not use third-party analytics, advertising trackers, or social media pixels on our public website or in the application.
Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your personal data under the following legal bases:
- Contract (Art. 6(1)(b)) — to provide the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, and service integrity.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable laws and lawful requests.
- Consent (Art. 6(1)(a)) — where explicitly given for optional features.
How We Protect Your Data
All vault contents are encrypted on your device before being transmitted to our servers. Encryption keys are derived from your credentials using Argon2id and never leave your device in plaintext form. We use AES-256-GCM for data at rest and modern TLS 1.3 ciphers for data in transit.
Server-side, we apply industry-standard hardening: minimal attack surface, regular security audits, isolated environments, and least-privilege access for personnel. Access to production systems is logged and reviewed.
Data Retention
We retain different categories of data for different periods:
- Account & vault data — for as long as your account is active. Deleted within 14 days after account closure.
- Server access logs — retained for 30 days, then automatically deleted.
- Billing records — retained for 7 years to comply with tax law.
- Backups — encrypted, rotated, and overwritten on a 30-day cycle.
Sharing with Third Parties
We do not sell, rent, or trade personal data. We share data only with carefully selected processors strictly necessary to operate the Service:
- Infrastructure providers — for hosting and storage (within the EU/EEA).
- Payment processors — for billing on paid plans.
- Transactional email provider — for security and account notifications.
All processors are bound by Data Processing Agreements that meet GDPR requirements. A current list is available upon request.
Your Rights
Under GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict or object to certain processing.
- Port your data to another service in a machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
To exercise any of these rights, contact security@safedatum.com. We will respond within thirty (30) days.
International Transfers
All data is stored within the European Economic Area. We do not transfer personal data outside the EU/EEA. In the rare cases where a sub-processor operates outside this area, transfers are protected by Standard Contractual Clauses approved by the European Commission.
Cookies
Our website uses only strictly necessary cookies required for authentication and session management. We do not use tracking, advertising, or analytics cookies. No cookie banner is required because no consent-based cookies are set.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced at least thirty (30) days before they take effect. The "Effective" date at the top of this document indicates when the current version was published.
Contact
For all inquiries — legal, privacy, or security — contact us at security@safedatum.com.