GDPR document

Privacy Policy

Effective from: 15 May 2026

This Policy explains how VaultApps collects, uses, discloses, and safeguards personal data when you use olivlaw.com (“olivLaw”) and related services (the “Platform”). olivLaw is a product operated by VaultApps (vaultapps.ro), the parent company responsible for data processing. The Policy complies with Regulation (EU) 2016/679 (“GDPR”) and Romanian Law no. 190/2018.

1. Data controller

The data controller is VaultApps S.R.L. (vaultapps.ro), with registered office in România (“we”, “VaultApps”), operator of the olivLaw platform. For any data-protection inquiry, contact us at privacy@vaultapps.ro or our Data Protection Officer (DPO) at dpo@vaultapps.ro.

2. What data we collect

  • Account data: email address, password (hash), display name, organization (optional), language and geo preferences (RO/EU/US).
  • Authentication data: OTP code sent by email, IP, user-agent, timestamp.
  • Usage data: pages visited, clicks on analyses, API queries, session duration (aggregated for telemetry).
  • Technical data: IP address, browser/device type, operating system, session identifier (strictly necessary cookie).
  • Payment data (subscriptions only): name, billing address, VAT ID; full card data is NOT stored by us — it is processed by Netopia (PCI-DSS-certified PSP).
  • Voluntarily submitted content: feedback, contact messages, support tickets.
  • Communications data: transactional emails (confirmations, alerts), support correspondence.

3. Processing purposes and legal basis (GDPR Art. 6)

We process personal data only for specific, explicit, and legitimate purposes, on the legal grounds listed below:

  • Providing the Platform and your account — Art. 6(1)(b) contract performance.
  • Processing payments and issuing invoices — Art. 6(1)(b) contract and Art. 6(1)(c) legal obligation (accounting, tax).
  • Security, fraud prevention, audit logs — Art. 6(1)(f) legitimate interest in protecting our infrastructure.
  • Transactional communications (alerts, change notifications) — Art. 6(1)(b) contract.
  • Marketing communications (newsletter, recommendations) — Art. 6(1)(a) explicit consent, withdrawable at any time.
  • Aggregated usage analytics and Platform improvement — Art. 6(1)(f) legitimate interest, with pseudonymization.
  • Compliance with legal requests, court orders, authorities — Art. 6(1)(c) legal obligation.

4. Data recipients (processors and third parties)

We do not sell personal data. We share it only with contractual processors (“data processors”) who provide services necessary to operate the Platform, under GDPR Art. 28 clauses:

  • Hosting and infrastructure: EU-based cloud providers (primary servers in the EU).
  • CDN and DDoS protection: Cloudflare Inc. (transfers via SCCs + DPF where applicable).
  • Payment processing: Netopia Payments S.R.L. (independent controller for card data).
  • Transactional email: SMTP provider (EU-preferred).
  • AI inference providers for editorial assistance (NO personally identifiable data is sent to external LLM models — only aggregated public content or sanitized prompts): Anthropic PBC, OpenAI LLC, OpenRouter Inc.
  • Telemetry and monitoring: Grafana, Prometheus (self-hosted).
  • Legal/accounting service providers under confidentiality obligations.
  • Public authorities, only based on a valid legal request.

5. International transfers

Where a processor is located outside the European Economic Area (EEA), the transfer is made exclusively on the basis of an adequate safeguard provided by the GDPR: adequacy decisions (e.g., UK, Switzerland, EU-US Data Privacy Framework for certified entities), Standard Contractual Clauses (SCCs 2021/914), or Binding Corporate Rules (BCRs). The current list of processors and transfer mechanisms is available on request at privacy@vaultapps.ro.

6. Retention periods

  • Account data: for the duration of the account + 90 days after deletion (for accidental recovery).
  • Usage data / logs: 12 months (pseudonymized after 90 days).
  • Invoices and accounting documents: 10 years (legal obligation, Romanian Tax Code).
  • Marketing emails: until consent is withdrawn.
  • Support tickets: 3 years from closure.
  • Encrypted backups: 30-day rotation.
  • Payment data (aggregated tokens): per Netopia's policy.

7. Your rights (GDPR Art. 15-22)

You have the following rights regarding your personal data, exercisable free of charge at privacy@vaultapps.ro:

  • Right of access (Art. 15) — copy of the data we process about you.
  • Right to rectification (Art. 16) — correction of inaccurate or incomplete data.
  • Right to erasure / “right to be forgotten” (Art. 17) — except where retention is legally required.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20) — export your data in a structured format (JSON/CSV).
  • Right to object (Art. 21) — particularly to processing based on legitimate interest or direct marketing.
  • Right not to be subject to automated decisions, including profiling (Art. 22) — the Platform does not produce decisions with automatic legal effects; AI content is informational.
  • Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint with the supervisory authority: ANSPDCP — Romanian National Supervisory Authority for Personal Data Processing (B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest; www.dataprotection.ro).

8. Cookies and similar technologies

We use strictly necessary cookies (session, authentication, language preferences) without consent, on the basis of our legitimate interest in providing the Platform. Analytics and marketing cookies are activated only with explicit consent via banner. Full details are in the Cookie Policy.

9. Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 for databases and backups).
  • Password hashing with Argon2id / bcrypt.
  • Email-OTP authentication (no permanent passwords for some flows).
  • Role-based access control (RBAC) and least-privilege principle.
  • Audit logging of administrative actions; log rotation and anomaly monitoring.
  • Periodic testing (automated scans, security code review, lucid-security gate).
  • Incident response: notification of ANSPDCP within 72h and of affected users without undue delay, per GDPR Art. 33-34.

10. Children

The Platform is not intended for children under 16. If we learn we have collected data from a child below this age without parental consent, we will delete the data without delay. Parents or guardians may request deletion at privacy@vaultapps.ro.

11. Profiling and automated decisions

The Platform uses AI models and probabilistic forecasting, but these do NOT make decisions with legal or similarly significant effects on you. Generated content is informational and reviewed by editorial gates. We do not perform behavioral profiling for third-party targeted advertising.

12. Data collected from public sources

We process data from public sources (news, trade registry, BVB, BPI, data.gov.ro) for journalistic and research purposes, on the basis of legitimate interest (Art. 6(1)(f)) and journalistic exceptions (GDPR Art. 85 + Romanian Law 190/2018 art. 7). Data subjects appearing in published content may request rectification or erasure; we will assess the request against freedom of information.

13. Changes to the Policy

We may update this Policy to reflect legal, technical, or operational changes. Material changes will be announced at least 14 days in advance by email and Platform banner. The current version and revision date are always displayed at the top.

14. Contact

Controller: VaultApps S.R.L. (vaultapps.ro), România. General email: privacy@vaultapps.ro. Data Protection Officer (DPO): dpo@vaultapps.ro. Complaints: ANSPDCP — Romanian National Supervisory Authority for Personal Data Processing (B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest; www.dataprotection.ro).

Personal-data inquiries

For any request regarding your personal data or to exercise your GDPR rights, contact us at the address below. We respond within 30 days at the latest (with a possible 60-day extension for complex requests).

privacy@vaultapps.ro