Last updated: February 21, 2026
VaultFill is a compliance automation platform. We take data privacy seriously and engineer our systems to minimize data collection while maximizing compliance value.
VaultFill Inc. ("we," "our," or "us"), a Delaware corporation, respects your privacy and is committed to protecting it through compliance with this Privacy Policy. This policy describes the types of information we may collect from you or that you may provide when you access the VaultFill website (vaultfill.com), use our compliance automation platform, interact with our APIs, or engage with any related services (collectively, the "Service"), and our practices for collecting, using, maintaining, protecting, and disclosing that information.
This Privacy Policy applies to information we collect:
This Privacy Policy does not apply to information collected by third parties, including any third-party application or content that may link to or be accessible from the Service. We encourage you to read the privacy policies of every website and service you visit or use.
We collect several categories of information from and about users of our Service:
Name, email address, company name, job title, phone number, billing address, and payment information (processed by our payment processor, Stripe). We also collect authentication data including OAuth tokens and MFA configuration.
When you authorize VaultFill to integrate with your cloud infrastructure (e.g., AWS, GCP, Azure, Microsoft 365), we collect metadata regarding your environment, including:
We explicitly engineer our systems to avoid ingesting underlying user databases, transaction records, customer PII, production data, or application-level content.
Documentation, screenshots, SOC reports, vendor assessments, security policies, incident response plans, and other artifacts you upload into the Evidence Vault for cryptographic signing, cataloging, and storage. All uploaded evidence is SHA-256 hashed and stored in an immutable audit ledger.
Questions and responses from security questionnaire automation, AI-generated policy content, remediation scripts, risk assessments, and confidence scoring metadata. This includes prompts sent to AI models and the resulting outputs.
IP addresses, browser type and version, operating system, device information, referring URLs, page views, click patterns, session duration, feature usage analytics, error logs, and platform interaction data collected via cookies and similar tracking technologies.
We collect information through the following methods:
We use information that we collect about you or that you provide to us for the following purposes:
To provide autonomous compliance capabilities, VaultFill transmits specific metadata and prompts to trusted third-party Large Language Model (LLM) providers via secure, encrypted APIs. Our AI processing architecture is designed with the following safeguards:
We do not sell your personal data.
We may disclose aggregated, anonymized information about our users without restriction. We may disclose personal information that we collect or you provide in the following circumstances:
We have implemented rigorous, enterprise-grade security measures designed to protect your information from accidental loss and from unauthorized access, use, alteration, and disclosure:
The safety and security of your information also depend on you. Where we have given you (or where you have chosen) a password or access token for access to the Service, you are responsible for keeping this information confidential.
We retain your information only for as long as reasonably necessary to provide the Service to you, comply with our legal obligations, resolve disputes, and enforce our agreements:
You may request deletion of your data at any time by contacting privacy@vaultfill.com. We will process deletion requests within 30 days, subject to legal retention obligations.
VaultFill is headquartered in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where we or our service providers maintain facilities. These countries may have data protection laws that are different from the laws of your country.
Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where appropriate. A copy of the SCCs is available upon request at legal@vaultfill.com.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR) and equivalent local laws. These include the right to:
To exercise any of these rights, submit a Data Subject Access Request (DSAR) to privacy@vaultfill.com. We will respond within 30 days. Our lawful basis for processing your personal data includes: performance of a contract, legitimate interests, compliance with legal obligations, and consent where applicable.
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information. These include:
To submit a request, contact us at privacy@vaultfill.com or call us at the number listed on our website. We will verify your identity before processing your request and respond within 45 days.
We use cookies and similar tracking technologies (including web beacons, pixel tags, and local storage) to collect and track usage information and to improve and analyze the Service. Types of cookies we use include:
You can set your browser to refuse all or some cookies, or to alert you when cookies are being sent. If you disable cookies, some parts of the Service may become inaccessible or not function properly. We do not use advertising or marketing cookies on the VaultFill platform.
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn we have collected or received personal information from a child under 18 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 18, please contact us at privacy@vaultfill.com.
The Service may contain links to third-party websites, services, or applications (e.g., cloud provider consoles, identity providers, compliance databases). These third-party services have their own privacy policies, which we encourage you to review. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party services. Linking to a third-party site does not constitute an endorsement by VaultFill.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email to the primary email address associated with your account, through a prominent notice on our Service dashboard, or as otherwise required by applicable law. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for periodically reviewing this Privacy Policy. Your continued use of the Service after notice of changes constitutes your acceptance of the updated Privacy Policy.
To ask questions or submit requests regarding this Privacy Policy and our privacy practices:
VaultFill Inc.
Data Protection Officer