Política de privacidad
Vawlt Technologies, S.A.
Last updated: 24 June 2026
| Fecha | Purpose | Owner |
|---|---|---|
| 15 January 2020 | Initial version | Vawlt |
| 24 June 2026 | Full revision | Vawlt |
Vawlt Technologies, S.A. (“Vawlt”, “we”, “us” or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what personal data we process, how and why we use it, who we share it with, and the rights you have. If you have any questions, contact us at privacy@vawlt.io.
1. Scope
This Privacy Policy applies to personal data we process through our website at https://vawlt.io and our management platform at https://platform.vawlt.io (together, the “Site”), and in connection with providing our services to our customers.
This Privacy Policy does not apply to the data that customers store using the Vawlt service. Because the service uses a zero-knowledge, end-to-end encryption design, we have no technical means to access that data in an intelligible form. The processing of customer-stored data is governed by our Condiciones de Uso and our Data Processing Agreement (DPA).
For information about cookies and similar technologies, please also read our Política de Cookies.
2. Who we are and the role we play
Vawlt Technologies, S.A. has its registered office at Rua António Champalimaud, Lote 1, 1600-514 Lisboa, Portugal. You can reach our privacy contact at privacy@vawlt.io.
Depending on the activity, Vawlt acts either as a controller or as a processor:
- As a controller, we determine the purposes and means of processing. This applies to data we process for our own purposes, such as managing our website, administering accounts, billing and invoicing, communicating with you, preventing fraud, and securing our platform.
- As a processor, we process personal data on behalf of our customers and on their documented instructions, in connection with the provision of the service. Those terms are set out in our DPA, and our customers are the controllers of the data they manage through the service.
We refer to the account and administration data we process within the platform — such as user names, email addresses, company name and authentication metadata — as “control-plane data”. We never have access to the content stored by customers, which remains encrypted at all times.
3. Personal data we collect
We may process the following categories of personal data:
- Identification and contact data: name, username and email address of our customers' administrators and users.
- Account and authentication data: authentication and access metadata used to access the platform. We never have access to, and do not store, your account password or your encryption keys.
- Billing and tax data: where a customer purchases directly from us, the company and tax information needed to process payment and issue invoices in accordance with Portuguese law. Customers who purchase through our partners or distributors are billed by those partners; in those cases we process only account and administration data.
- Device and usage data: device name, operative system, and IP address of the devices used to log in to the Vawlt software.
- Website data: IP address, browser and device characteristics, and information collected through cookies and similar technologies when you visit our website.
- Communications data: information you provide when you contact us for support, request a demo, use the website chat, or otherwise communicate with us.
We do not intentionally collect special categories of personal data through the Site, and we ask that you do not provide them to us.
4. How and why we use your personal data
We use personal data for the purposes and on the legal bases set out below.
| Purpose | Description | Legal basis |
|---|---|---|
| Providing the service and account administration | Creating and managing accounts, authenticating users, enabling platform functionality and delivering the contracted service. | Performance of a contract. |
| Billing, invoicing and tax compliance | Processing payments for customers who purchase directly, issuing invoices and meeting related tax and accounting obligations. | Compliance with a legal obligation; performance of a contract. |
| Responding to enquiries, demo and contact requests | Responding to demo requests, sales enquiries, website chat and other messages you send us. | Legitimate interests; steps taken at your request prior to entering into a contract. |
| Customer support | Responding to questions, requests and support tickets from customers. | Performance of a contract; legitimate interests. |
| Service and security communications | Notifying you of service changes, security matters and updates to our terms and policies. | Legitimate interests; legal obligation. |
| Website analytics and advertising | Understanding how the website is used, and measuring and personalising advertising, through cookies and similar technologies. | Consent. |
| Fraud prevention and platform security | Protecting the Site, our customers and Vawlt against fraud, abuse and security threats (including website-form anti-spam). | Legitimate interests. |
| Legal compliance and requests | Complying with legal obligations and responding to lawful requests from authorities or in legal proceedings. | Legal obligation; legitimate interests. |
| Business transfers | Evaluating or carrying out a merger, acquisition, financing or sale of assets. | Legitimate interests. |
5. Cookies and similar technologies
Our website uses cookies and similar technologies for essential, functional, analytics and advertising purposes. You can manage your preferences at any time through the cookie settings on our website. For details of the specific cookies we use, their purposes and durations, please see our Política de Cookies.
6. Who we share your personal data with
We share personal data only as necessary for the purposes described in this Policy. We share data with:
- Service providers and sub-processors that process data on our behalf and under our instructions (for example, cloud hosting, payment processing, analytics, advertising and customer-communication tools);
- Public authorities, courts or regulators, where required to comply with a legal obligation or a lawful request;
- Third parties in connection with a merger, acquisition, financing or sale of assets, subject to appropriate safeguards.
Infrastructure providers selected and configured by a customer to store their own data are not sub-processors of Vawlt and are not covered by this Policy.
7. International data transfers
Most of the personal data we process is kept within the European Economic Area (EEA); in particular, account (control-plane) data is hosted in the EU regions of our infrastructure providers. Some of the service providers we rely on may process data outside the EEA, including in the United States. Where personal data is transferred outside the EEA, we take steps to ensure it is protected in line with applicable data protection law, on the basis of an adequacy decision or appropriate safeguards such as Standard Contractual Clauses.
8. How long we keep your personal data
We keep personal data only for as long as necessary for the purposes set out in this Policy:
- Account and control-plane data: for as long as the customer maintains an account with us. When an account is deleted, we delete the related account metadata from our active systems; residual copies may remain in backups and logs and are removed in accordance with our backup and log retention schedule.
- Customer-stored data: Data that customers store through the Vawlt service is processed under zero-knowledge, end-to-end encryption and is governed by our Terms of Use, not by this Policy. When a customer deletes this data, it is removed from the cloud storage without undue delay.
- Billing, invoicing and tax data: for the period required by applicable tax and accounting law.
- Website, analytics and advertising data: for the periods described in our Cookie Policy.
- Security and audit logs: for as long as necessary for security, audit and legal purposes.
When we no longer have a legitimate need to process your personal data, we delete or anonymise it.
9. How we protect your personal data
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction. Account data is stored in encrypted form, and customer-stored data is protected by zero-knowledge, end-to-end encryption. Vawlt maintains an information security management system certified to ISO/IEC 27001.
Aunque siempre haremos todo lo posible para proteger su información personal, la transmisión de información personal hacia y desde nuestro Sitio es bajo su propio riesgo. Solo debe acceder a los servicios dentro de un entorno seguro.
10. Your data protection rights
Subject to applicable law, you have the right to: access your personal data; request its rectification or erasure; restrict or object to its processing; receive it in a portable format; and, where processing is based on consent, withdraw that consent at any time (without affecting processing carried out before the withdrawal).
To exercise your rights, contact us at privacy@vawlt.io. To help us verify your identity, please include your name, the email address associated with your data, and the right you wish to exercise. If an authorised agent submits a request on your behalf, we may require proof of authorisation. We will respond within one month of receiving your request; this period may be extended by up to two further months for particularly complex requests, in which case we will let you know.
If you are in the EEA, you also have the right to lodge a complaint with your local supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be indicated by the “Last updated” date above. If we make material changes, we will provide notice by posting the update on our website or, where appropriate, by contacting you directly. We encourage you to review this Policy periodically.
12. Governing law
This Privacy Policy and our processing of personal data are governed by Regulation (EU) 2016/679 (the GDPR) and applicable Portuguese law. The courts of Lisbon, Portugal have jurisdiction over any disputes arising from this Policy, without prejudice to mandatory legal provisions.
13. How to contact us
For any questions about this Policy or about how we handle your personal data, please contact us:
Vawlt Technologies, S.A.
Rua António Champalimaud, Lote 1, 1600-514 Lisboa, Portugal
Email: privacy@vawlt.io