Privacy Policy

Effective date: 17 May 2026 · Controller: OWL Management sp. z o.o.

Note: This policy is a working template. Subject to legal review before final publication. For questions, contact privacy@vaultpam.com.

1. Data Controller

The controller responsible for the processing of your personal data in connection with this website (https://vaultpam.com) and the VaultPAM service is:

OWL Management sp. z o.o.
Warsaw, Poland
E-mail: privacy@vaultpam.com

We act as data controller for the processing activities described in this policy. Where we process personal data on behalf of our customers (e.g., privileged-session logs inside the VaultPAM platform), we act as a data processor and the respective customer is the controller. Those processing activities are governed by the Data Processing Agreement.

2. Personal Data We Collect

We collect the following categories of personal data:

2.1 Website visitors (vaultpam.com)

Server logs: IP address, browser user-agent, referrer URL, pages visited, and timestamp. Collected automatically by our hosting infrastructure (Cloudflare + Google Cloud Platform).
Contact form submissions: name, business e-mail address, company name, and the content of your message.
Demo requests: name, business e-mail, company, role, and optional notes.

2.2 Trial and registered users

Account credentials (e-mail address and hashed password).
Profile information you optionally provide (name, job title, phone).
Billing information collected and stored by our payment processor (Stripe). We do not store full card numbers.
Usage telemetry: feature usage events, API call counts, error reports. No session content is included in telemetry.

2.3 PAM product session and access logs

Session recordings: privileged-access session keystroke logs, screen recordings, and file-transfer metadata collected inside the VaultPAM platform on behalf of customers. Processed as a data processor under the customer's instructions and the Data Processing Agreement.
Access logs: authentication events, session start/end times, target host identifiers, and MFA challenge results. Retained for audit purposes.

2.4 Data we do NOT collect

We do not use Google Analytics or any third-party behavioural tracking scripts on this website. We do not build advertising profiles. We do not sell personal data to any third party.

3. Cookies

This website uses only essential cookies required for secure operation:

Cookie name	Purpose	Duration	Party
`__cf_bm`	Cloudflare bot-management (DDoS protection)	30 minutes	Cloudflare
`cf_clearance`	Cloudflare security challenge result cache	30 minutes	Cloudflare
`vp_session`	Authenticated user session token (app only)	Session / 30 days if "remember me"	VaultPAM

We do not place marketing or analytical cookies. No consent banner is required for strictly necessary cookies under GDPR Recital 47.

4. Legal Basis for Processing (GDPR Art. 6)

Processing activity	Legal basis (GDPR Art. 6)
Responding to contact / demo requests	Art. 6(1)(b) — contract / pre-contractual steps
Account registration and service delivery	Art. 6(1)(b) — performance of contract
Billing and invoicing	Art. 6(1)(c) — legal obligation (VAT, accounting law)
Server log processing (security, uptime)	Art. 6(1)(f) — legitimate interests (IT security)
Service improvement via usage telemetry	Art. 6(1)(f) — legitimate interests (product development)
Marketing communications (with opt-in)	Art. 6(1)(a) — consent

Where we rely on legitimate interests (Art. 6(1)(f)), we have conducted a balancing test and concluded that our interests do not override your rights and freedoms, given the limited scope of data processed and the security purpose served.

5. Recipients and Third-Party Processors

We use the following sub-processors. Each has been assessed for GDPR adequacy and operates under a data-processing agreement with us:

Processor	Role	Data transferred	Location
Google Cloud Platform (GCP)	Cloud hosting — compute, database, storage	All platform data	Warsaw, Poland (EU)
Cloudflare	CDN, DDoS protection, TLS termination	IP address, request headers	EU PoPs (SCCs applied)
Stripe	Payment processing	Billing data, name, e-mail	EU (SCCs applied)
Postmark / SendGrid	Transactional e-mail delivery	E-mail address, message content	EU (SCCs applied)

No personal data is transferred to countries outside the European Economic Area except where Standard Contractual Clauses (SCCs) or equivalent safeguards under GDPR Chapter V are in place.

6. Retention Periods

Data category	Retention period	Reason
Server access logs	90 days	Security incident investigation
PAM session / access logs (customer data)	90 days (default); configurable per customer contract	Audit trail; customer instruction
Contact / demo request data	24 months from last contact	Legitimate interests — sales follow-up
Trial account data	90 days after trial expiry	Grace period for data export
Active subscription account data	Duration of contract + 5 years	Accounting / tax legal obligation
Billing records and invoices	5 years from invoice date	Polish Accounting Act obligation
Marketing consent records	Until withdrawal + 3 years	Proof of consent (GDPR Art. 7(1))

7. Your Rights Under GDPR (Art. 15–22)

If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:

Right of access (Art. 15): request a copy of the personal data we hold about you and information about how we process it.
Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
Right to erasure (Art. 17): request deletion of your data where there is no overriding legal ground for us to continue processing.
Right to restriction (Art. 18): request that we restrict processing while a dispute over accuracy or legal basis is resolved.
Right to data portability (Art. 20): receive your data in a structured, machine-readable format and transfer it to another controller.
Right to object (Art. 21): object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent (Art. 7(3)): withdraw any previously given consent (e.g., for marketing e-mails) at any time without affecting the lawfulness of processing before withdrawal.
Right not to be subject to automated decision-making (Art. 22): we do not make solely automated decisions that produce legal or similarly significant effects.

To exercise any of the above rights, contact us at privacy@vaultpam.com. We will respond within 30 days. If you believe we have not respected your rights, you may lodge a complaint with the Polish supervisory authority:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
uodo.gov.pl

8. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, opt out of the sale of personal information (we do not sell personal information), and not be discriminated against for exercising your rights. To exercise these rights, contact us at privacy@vaultpam.com.

9. Security Measures

We implement technical and organisational measures appropriate to the risk level, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256).
Role-based access control and principle of least privilege.
Annual penetration testing and continuous vulnerability scanning.
SOC 2 Type II controls programme (in progress for 2026 certification).
All production data stored exclusively in GCP Warsaw, Poland (EU).

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our data practices or applicable law. When we make material changes, we will update the effective date at the top of this page and, where required by law, notify you by e-mail or in-product notice. We encourage you to review this page periodically.

11. Contact and DPO

For any privacy-related questions, data subject requests, or to reach our Data Protection Officer, please contact:

Privacy Team — OWL Management sp. z o.o.
Warsaw, Poland
E-mail: privacy@vaultpam.com