GDPR Compliance

This page outlines how Vaulternal complies with the General Data Protection Regulation (GDPR) and protects the privacy rights of individuals in the European Union.

1. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights regarding your personal data:

1.1 Right to Information

  • Be informed about how your data is collected and used
  • Understand the legal basis for processing
  • Know how long data will be retained

1.2 Right of Access

  • Request a copy of your personal data
  • Receive information about data processing activities
  • Access data in a commonly used format

1.3 Right to Rectification

  • Correct inaccurate personal data
  • Complete incomplete personal data
  • Update outdated information

1.4 Right to Erasure ("Right to be Forgotten")

  • Request deletion of personal data
  • Withdraw consent for data processing
  • Object to legitimate interest processing

1.5 Right to Restrict Processing

  • Limit how your data is processed
  • Suspend processing while the accuracy of the data is disputed
  • Have data retained (but not further processed) rather than deleted

1.6 Right to Data Portability

  • Receive your data in machine-readable format
  • Transfer data to another service provider
  • Move data without hindrance

1.7 Right to Object

  • Object to processing based on legitimate interests
  • Opt out of direct marketing
  • Not be subject to solely automated decision-making

2. Legal Basis for Processing

We process personal data based on the following legal grounds:

2.1 Consent

  • Analytics cookies (via our cookie consent banner)
  • Marketing communications (with explicit opt-in)
  • Optional features that require additional data collection

2.2 Contract Performance

  • Providing our digital legacy storage service
  • Account management and support
  • Processing payments and billing (via Stripe)

2.3 Legitimate Interest

  • Fraud prevention and security monitoring
  • Service improvement and performance analytics
  • Business communications related to your account

2.4 Legal Compliance

  • Compliance with financial and tax regulations
  • Response to lawful legal requests
  • Regulatory reporting requirements

3. Data Protection Measures

3.1 Technical Safeguards

  • Client-side AES-256-GCM encryption for all vault data (zero-knowledge architecture)
  • secp256k1-ECIES asymmetric encryption for key exchange
  • Access controls and multi-factor authentication
  • All cryptographic operations performed in isolated Web Workers

3.2 Organizational Measures

  • Privacy by design and by default
  • Data protection impact assessments (DPIAs) for high-risk processing
  • Incident response procedures
  • Regular review of data processing activities

4. International Data Transfers

When transferring personal data outside the European Economic Area (EEA), we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission (where applicable)
  • Explicit consent for specific transfers (where required)

5. Data Retention

We retain personal data only as long as necessary for the purposes specified in our Privacy Policy, Section 2.2. Specific retention periods:

  • Account data: duration of account + 30 days after deletion
  • Payment records: 7 years (legal obligation)
  • Usage analytics: 12 months rolling
  • Security logs: 90 days

6. Blockchain Considerations

Special considerations for blockchain-stored data:

  • All data is encrypted client-side before any blockchain interaction
  • Personal identifiers are pseudonymized on-chain
  • Where full erasure of on-chain data is technically impossible, we implement erasure through cryptographic key deletion, rendering the data permanently inaccessible
  • This approach is consistent with guidance from European data protection authorities on blockchain and the right to erasure
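The key-deletion approach described above, as an added illustration written for this page rather than Vaulternal's own code: the in-memory `Vault` is an assumption standing in for an append-only ledger that only ever receives ciphertext and an off-chain store holding one AES-256-GCM key per record. Storing a record puts only nonce||ciphertext on the ledger; erasing the record deletes its key, after which the ledger entry still exists but can no longer be decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault stands in (assumption) for an append-only ledger that only ever holds
// ciphertext, plus an off-chain key store with one AES-256-GCM key per record.
type Vault struct {
	ledger [][]byte
	keys   map[int]cipher.AEAD // keyed AEAD instance; the key lives nowhere else
}

func NewVault() *Vault { return &Vault{keys: map[int]cipher.AEAD{}} }

// Store encrypts plaintext client-side under a fresh random key and appends
// nonce||ciphertext to the ledger; the ledger never sees key or plaintext.
func (v *Vault) Store(plaintext []byte) (int, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(buf[:32])
	if err != nil {
		return 0, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	v.ledger = append(v.ledger, gcm.Seal(buf[32:], buf[32:], plaintext, nil))
	v.keys[len(v.ledger)-1] = gcm
	return len(v.ledger) - 1, nil
}

// Read decrypts a ledger entry; it fails once the record's key has been erased.
func (v *Vault) Read(id int) ([]byte, error) {
	gcm, ok := v.keys[id]
	if !ok {
		return nil, errors.New("key erased: record is permanently inaccessible")
	}
	return gcm.Open(nil, v.ledger[id][:12], v.ledger[id][12:], nil)
}

// Erase implements the right to erasure: dropping the key leaves the ciphertext
// on the ledger but makes it permanently undecryptable.
func (v *Vault) Erase(id int) { delete(v.keys, id) }

func (v *Vault) Entries() int { return len(v.ledger) } // erasure never shrinks the ledger
```

A production key store would additionally zero key material in memory and audit-log the deletion; the example only shows the property that matters for erasure, that ciphertext without its key is inert.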

7. How to Exercise Your Rights

To exercise your GDPR rights, contact us at:

  • Email:
  • Subject: "GDPR Rights Request"
  • Include: Your request type and account information

We will respond to your request within 30 days. We may request additional information to verify your identity. If your request is complex or we receive a high volume of requests, we may extend the response period by a further 60 days, in which case we will notify you.

8. Complaints and Supervisory Authority

If you are not satisfied with our response, you have the right to lodge a complaint with the data protection supervisory authority in your country of residence. A list of EU/EEA supervisory authorities is available on the European Data Protection Board (EDPB) website.

9. EU Representative

As we do not currently have an establishment in the EU, we are in the process of appointing an EU representative pursuant to Article 27 of the GDPR. In the meantime, all data protection inquiries can be directed to:

10. Updates to GDPR Compliance

We regularly review and update our GDPR compliance measures. Material changes will be communicated through our website and direct notifications to affected users.

This document is provided in English. In case of any discrepancy between translated versions and the English original, the English version shall prevail.

Last updated: February 20, 2026