Skip to main content
VaultPAM
00 Privacy Policy

how we collect, use and protect your data.

Effective date: 17 May 2026 · Controller: VaultPAM Security Sp. z o.o.

1. Data Controller

The controller responsible for the processing of your personal data in connection with this website (https://vaultpam.com) and the VaultPAM service is:

VaultPAM Security Sp. z o.o.
ul. Żelazna 51/53, 00-841 Warszawa
E-mail: privacy@vaultpam.com

We act as data controller for the processing activities described in this policy. Where we process personal data on behalf of our customers (e.g., privileged-session logs inside the VaultPAM platform), we act as a data processor and the respective customer is the controller. Those processing activities are governed by the Data Processing Agreement.

2. Personal Data We Collect

We collect the following categories of personal data:

2.1 Website visitors (vaultpam.com)

  • Server logs: IP address, browser user-agent, referrer URL, pages visited, and timestamp. Collected automatically by our hosting infrastructure (Google Cloud Platform: GCS, Cloud CDN, HTTPS Load Balancer).
  • Contact form submissions: name, business e-mail address, company name, and the content of your message.
  • Demo requests: name, business e-mail, company, role, and optional notes.

2.2 Trial and registered users

  • Account credentials (e-mail address and hashed password).
  • Profile information you optionally provide (name, job title, phone).
  • Billing information collected and stored by our payment processor (Stripe). We do not store full card numbers.
  • Usage telemetry: feature usage events, API call counts, error reports. No session content is included in telemetry.

2.3 PAM product session and access logs

  • Session recordings: privileged-access session keystroke logs, screen recordings, and file-transfer metadata collected inside the VaultPAM platform on behalf of customers. Processed as a data processor under the customer's instructions and the Data Processing Agreement.
  • Access logs: authentication events, session start/end times, target host identifiers, and MFA challenge results. Retained for audit purposes.

2.4 Data we do NOT collect or sell

We do not sell personal data to any third party. Analytics and advertising measurement data (see section 3) is processed only with your explicit consent and is never used to build individual advertising profiles outside Google's own platforms.

3. Cookies

This website uses essential cookies required for secure operation, and — with your consent — analytics and advertising measurement cookies:

Cookie name Purpose Duration Party Requires consent
vp_session Authenticated user session token (app only) Session / 30 days if “remember me” VaultPAM No — essential
_ga, _ga_* Google Analytics 4 — distinguishes unique visitors, measures page views and session behaviour 2 years Google LLC Yes — analytics consent
_gcl_au Google Ads — conversion linker, attributes ad clicks to form submissions 90 days Google LLC Yes — analytics consent

Analytics and advertising cookies are only placed after you click “Accept analytics” in the consent banner. You may withdraw consent at any time by clicking “Cookie preferences” in the footer — this clears all analytics cookies from your browser. Legal basis: Art. 6(1)(a) GDPR (consent). Google processes data under its own privacy policy and standard contractual clauses for EU data transfers.

4. Legal Basis for Processing (GDPR Art. 6)

Processing activity Legal basis (GDPR Art. 6)
Responding to contact / demo requests Art. 6(1)(b) — contract / pre-contractual steps
Account registration and service delivery Art. 6(1)(b) — performance of contract
Billing and invoicing Art. 6(1)(c) — legal obligation (VAT, accounting law)
Server log processing (security, uptime) Art. 6(1)(f) — legitimate interests (IT security)
Service improvement via usage telemetry Art. 6(1)(f) — legitimate interests (product development)
Website analytics (Google Analytics 4) and ad conversion measurement (Google Ads) Art. 6(1)(a) — consent (opt-in via cookie banner)
Marketing communications (with opt-in) Art. 6(1)(a) — consent

Where we rely on legitimate interests (Art. 6(1)(f)), we have conducted a balancing test and concluded that our interests do not override your rights and freedoms, given the limited scope of data processed and the security purpose served.

5. Recipients and Third-Party Processors

We use the following sub-processors. Each has been assessed for GDPR adequacy and operates under a data-processing agreement with us:

Processor Role Data transferred Location
Google Cloud Platform (GCP) Cloud hosting — compute, database, storage All platform data Warsaw, Poland (EU)
Google LLC (Google Analytics 4, Google Ads) Website analytics and ad measurement (consent-only) IP address, browsing behaviour, device identifiers USA (SCCs applied — Google Ads DPA)
Google Workspace (SMTP relay) Transactional e-mail delivery E-mail address, message content EU (Google Ireland Ltd.)
SMSAPI Sp. z o.o. SMS OTP delivery for MFA Mobile phone number, OTP content Poland (EU)
SerwerSMS Sp. z o.o. SMS OTP delivery for MFA (alternative provider) Mobile phone number, OTP content Poland (EU)

No personal data is transferred to countries outside the European Economic Area except where Standard Contractual Clauses (SCCs) or equivalent safeguards under GDPR Chapter V are in place.

5.2 Independent Controllers

Stripe Technology Europe Ltd. (Dublin 2, Ireland) processes payment card data as an independent data controller under its own privacy policy — not as a VaultPAM sub-processor. VaultPAM does not store full card numbers. For billing data rights, please consult Stripe's Privacy Policy.

6. Retention Periods

Data category Retention period Reason
Server access logs 90 days Security incident investigation
PAM session / access logs (customer data) 90 days (default); configurable per customer contract Audit trail; customer instruction
Contact / demo request data 24 months from last contact Legitimate interests — sales follow-up
Trial account data 90 days after trial expiry Grace period for data export
Active subscription account data Duration of contract + 5 years Accounting / tax legal obligation
Billing records and invoices 5 years from invoice date Polish Accounting Act obligation
Marketing consent records Until withdrawal + 3 years Proof of consent (GDPR Art. 7(1))

7. Your Rights Under GDPR (Art. 15–22)

If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:

  • Right of access (Art. 15): request a copy of the personal data we hold about you and information about how we process it.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your data where there is no overriding legal ground for us to continue processing.
  • Right to restriction (Art. 18): request that we restrict processing while a dispute over accuracy or legal basis is resolved.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format and transfer it to another controller.
  • Right to object (Art. 21): object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): withdraw any previously given consent (e.g., for marketing e-mails) at any time without affecting the lawfulness of processing before withdrawal.
  • Right not to be subject to automated decision-making (Art. 22): we do not make solely automated decisions that produce legal or similarly significant effects.

To exercise any of the above rights, contact us at privacy@vaultpam.com. We will respond within 30 days. If you believe we have not respected your rights, you may lodge a complaint with the Polish supervisory authority:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stanisława Moniuszki 1A, 00-014 Warszawa
uodo.gov.pl

8. Children (Minors)

We recognize the importance of protecting children's privacy, especially online. This website is not intended for or directed at children. Under no circumstances do we permit children to use our services. We do not intentionally collect personal information from children.

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, opt out of the sale of personal information (we do not sell personal information), and not be discriminated against for exercising your rights. To exercise these rights, contact us at privacy@vaultpam.com.

10. Security Measures

We implement technical and organisational measures appropriate to the risk level, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control and principle of least privilege.
  • Annual penetration testing and continuous vulnerability scanning.
  • SOC 2 Type II controls programme (in progress for 2026 certification).
  • All production data stored exclusively in GCP Warsaw, Poland (EU).

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our data practices or applicable law. When we make material changes, we will update the effective date at the top of this page and, where required by law, notify you by e-mail or in-product notice. We encourage you to review this page periodically.

12. Contact

For any privacy-related questions or data subject requests, please contact:

Privacy Team — VaultPAM Security Sp. z o.o.
ul. Żelazna 51/53, 00-841 Warszawa
E-mail: privacy@vaultpam.com

Questions about this policy? Contact us at privacy@vaultpam.com. See also: Data Processing Agreement · Terms of Service.
Also available in: Polski · Deutsch · Français