Overview
This Privacy Policy explains how Vaultstone Bank, N.A. ("Vaultstone," "we," "us," or "our") collects, uses, shares, and protects your personal information. By using Vaultstone's products and services, you agree to the practices described here.
We are committed to being transparent about our data practices and to giving you meaningful control over your personal information. We do not sell your personal data to third parties — full stop.
This policy applies to all Vaultstone products and services, including our website, mobile applications, and any financial services offered under the Vaultstone brand. It does not apply to third-party websites or services that may be linked to from our platforms.
Information We Collect
We collect information you provide directly, information generated through your use of our services, and information from third-party sources as permitted by law.
Information You Provide
- Identity Information: Name, date of birth, government-issued ID number, taxpayer identification number (SSN/EIN), and photo for identity verification.
- Contact Information: Email address, phone number, mailing address, and emergency contacts you choose to provide.
- Financial Information: Bank account and routing numbers, income, employment details, investment experience, and financial goals.
- Authentication Credentials: Username, password (stored as an irreversible hash), security questions, and biometric templates (stored locally on your device, never transmitted to us).
- Communications: Messages, emails, and call recordings when you contact our support team.
Information We Collect Automatically
- Transaction Data: Amount, date, time, merchant, location, and category of every transaction on your Vaultstone accounts.
- Device & Technical Data: IP address, device type, operating system, browser, unique device identifiers, and crash reports.
- Usage Data: Pages visited, features used, time spent, and navigation patterns within our apps and website.
- Location Data: Approximate location derived from IP address; precise GPS location only if you explicitly grant permission in our mobile app.
Information from Third Parties
- Credit bureaus (Experian, TransUnion, Equifax) for credit assessments
- Identity verification partners for KYC/AML compliance
- External accounts you choose to link via Plaid or similar services
- Publicly available records for compliance screening
How We Use Your Data
We use your personal information only for legitimate purposes directly related to providing and improving our financial services:
- Account Management: Opening, maintaining, and closing your accounts; processing transactions; and providing account statements.
- Identity Verification: Verifying your identity as required by federal law (Bank Secrecy Act, USA PATRIOT Act).
- Fraud Prevention & Security: Detecting and preventing unauthorized access, fraud, money laundering, and other illegal activity.
- Legal & Regulatory Compliance: Meeting our obligations under banking regulations, tax law, and court orders.
- Service Improvement: Analyzing aggregate usage patterns to improve our products, fix bugs, and develop new features.
- Personalization: Delivering relevant account insights, product recommendations, and financial tips based on your usage patterns.
- Communications: Sending account alerts, service updates, and — only with your explicit consent — marketing materials.
- Credit Decisions: Evaluating applications for credit products using both traditional and alternative data sources.
We will never use your data to train AI models for sale to third parties, create shadow profiles for non-customers, or make fully automated decisions with significant legal effects without a human review option.
Sharing Your Data
We do not sell, rent, or trade your personal information. We share it only in the following limited circumstances:
Service Providers
We engage third-party vendors who process data on our behalf under strict contractual obligations: cloud infrastructure providers, payment processors, identity verification services, fraud detection systems, and customer support platforms. These vendors may not use your data for any purpose other than providing services to Vaultstone.
Legal & Regulatory Requirements
We disclose information as required by applicable law, including to regulatory bodies (OCC, FDIC, FinCEN), law enforcement agencies pursuant to valid legal process, and in connection with OFAC sanctions screening.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your personal data becomes subject to a different privacy policy.
With Your Consent
We share data with third-party financial apps and services only when you explicitly authorize us to do so (e.g., connecting a budgeting app via our API). You may revoke this consent at any time from your account settings.
Data Retention
We retain your personal information for as long as necessary to provide services, comply with legal obligations, and resolve disputes:
- Active accounts: For the duration of the account relationship plus 7 years after account closure (required by federal banking regulations).
- Transaction records: 7 years from the date of each transaction.
- Identity verification records: 5 years from account closure, or longer if required by law.
- Support communications: 3 years from the date of each interaction.
- Marketing consent records: Until you withdraw consent, plus 3 years for compliance documentation.
When retention periods expire, we securely delete or anonymize your data using NIST 800-88-compliant methods.
Security
We implement industry-leading technical and organizational security measures to protect your personal information against unauthorized access, loss, or alteration. Key measures include:
- AES-256 encryption for all data at rest and TLS 1.3 for data in transit
- Hardware Security Modules (HSMs) for cryptographic key management
- Zero-trust network architecture with least-privilege access controls
- SOC 2 Type II and ISO 27001 certified security management program
- Continuous penetration testing and a vulnerability disclosure program
- 24/7 Security Operations Center monitoring for anomalous activity
No system is 100% secure. In the event of a data breach affecting your personal information, we will notify you within 72 hours of confirmed discovery, as required by applicable law. See our Security Center for more information.
Cookies & Tracking
We use cookies and similar technologies to operate our services and improve your experience. We do not serve behavioral advertising or third-party tracking pixels on our banking platform.
Types of Cookies We Use
- Strictly Necessary: Required for core functions such as authentication, session management, and fraud prevention. Cannot be disabled.
- Functional: Remember your preferences (language, currency, notification settings). Can be disabled, though this may affect service quality.
- Analytics: First-party analytics to understand how users interact with our products. Data is aggregated and anonymized. Can be disabled.
You can manage cookie preferences through your browser settings or our in-app privacy controls. Note that disabling strictly necessary cookies will prevent you from accessing your account.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal data, subject to legal retention obligations.
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests, including for direct marketing.
- Withdrawal of Consent: Withdraw consent for processing at any time, without affecting prior lawful processing.
- Non-Discrimination: We will not discriminate against you for exercising any of these rights.
Residents of California have additional rights under the CCPA/CPRA. EU/UK residents have rights under GDPR/UK GDPR. To exercise any right, submit a request via your account settings or contact our Privacy Team at the address below. We respond within 30 days (45 days if complexity requires, with advance notice).
Children's Privacy
Vaultstone's services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If we learn that we have inadvertently collected data from someone under 18, we will promptly delete it and close the associated account. If you believe your child's information has been collected, please contact us immediately at support@vaultstoneholding.com.
International Data Transfers
Vaultstone operates globally. Your personal information may be transferred to and processed in countries other than your country of residence, including the United States, where our primary data centers are located. These countries may have different data protection laws than your jurisdiction.
For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other transfer mechanisms as required. You may request copies of applicable safeguards by contacting our Privacy Team.
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated policy on this page with a new "Last Updated" date
- Send an in-app notification and email to all registered users
- Provide at least 30 days' notice before material changes take effect
- For significant changes, require renewed consent where legally required
Your continued use of Vaultstone services after the effective date of an updated policy constitutes your acceptance of the changes.
Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact our Privacy Team:
Vaultstone Bank Privacy Team
Email: support@vaultstoneholding.com
Mail: Vaultstone Bank, N.A., Attn: Privacy Team, 230 Daniel Webster Hwy, Nashua, NH 03060
Response time: We aim to acknowledge all requests within 2 business days and resolve them within 30 days.
If you are an EU/UK resident and believe we have not handled your complaint adequately, you have the right to lodge a complaint with your local data protection authority (e.g., ICO in the UK, or the relevant EU supervisory authority).