Política de privacidad

Vawlt Technologies, S.A.

Last updated: 24 June 2026

FechaPurposeOwner
15 January 2020Initial versionVawlt
24 June 2026Full revisionVawlt

Vawlt Technologies, S.A. (“Vawlt”, “we”, “us” or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what personal data we process, how and why we use it, who we share it with, and the rights you have. If you have any questions, contact us at privacy@vawlt.io.

1. Scope

This Privacy Policy applies to personal data we process through our website at https://vawlt.io and our management platform at https://platform.vawlt.io (together, the “Site”), and in connection with providing our services to our customers.

This Privacy Policy does not apply to the data that customers store using the Vawlt service. Because the service uses a zero-knowledge, end-to-end encryption design, we have no technical means to access that data in an intelligible form. The processing of customer-stored data is governed by our Condiciones de Uso and our Data Processing Agreement (DPA).

For information about cookies and similar technologies, please also read our Política de Cookies.

2. Who we are and the role we play

Vawlt Technologies, S.A. has its registered office at Rua António Champalimaud, Lote 1, 1600-514 Lisboa, Portugal. You can reach our privacy contact at privacy@vawlt.io.

Depending on the activity, Vawlt acts either as a controller or as a processor:

  • As a controller, we determine the purposes and means of processing. This applies to data we process for our own purposes, such as managing our website, administering accounts, billing and invoicing, communicating with you, preventing fraud, and securing our platform.
  • As a processor, we process personal data on behalf of our customers and on their documented instructions, in connection with the provision of the service. Those terms are set out in our DPA, and our customers are the controllers of the data they manage through the service.

We refer to the account and administration data we process within the platform — such as user names, email addresses, company name and authentication metadata — as “control-plane data”. We never have access to the content stored by customers, which remains encrypted at all times.

3. Personal data we collect

We may process the following categories of personal data:

  • Identification and contact data: name, username and email address of our customers' administrators and users.
  • Account and authentication data: authentication and access metadata used to access the platform. We never have access to, and do not store, your account password or your encryption keys.
  • Billing and tax data: where a customer purchases directly from us, the company and tax information needed to process payment and issue invoices in accordance with Portuguese law. Customers who purchase through our partners or distributors are billed by those partners; in those cases we process only account and administration data.
  • Device and usage data: device name, operative system, and IP address of the devices used to log in to the Vawlt software.
  • Website data: IP address, browser and device characteristics, and information collected through cookies and similar technologies when you visit our website.
  • Communications data: information you provide when you contact us for support, request a demo, use the website chat, or otherwise communicate with us.

We do not intentionally collect special categories of personal data through the Site, and we ask that you do not provide them to us.

4. How and why we use your personal data

We use personal data for the purposes and on the legal bases set out below.

PurposeDescriptionLegal basis
Providing the service and account administrationCreating and managing accounts, authenticating users, enabling platform functionality and delivering the contracted service.Performance of a contract.
Billing, invoicing and tax complianceProcessing payments for customers who purchase directly, issuing invoices and meeting related tax and accounting obligations.Compliance with a legal obligation; performance of a contract.
Responding to enquiries, demo and contact requestsResponding to demo requests, sales enquiries, website chat and other messages you send us.Legitimate interests; steps taken at your request prior to entering into a contract.
Customer supportResponding to questions, requests and support tickets from customers.Performance of a contract; legitimate interests.
Service and security communicationsNotifying you of service changes, security matters and updates to our terms and policies.Legitimate interests; legal obligation.
Website analytics and advertisingUnderstanding how the website is used, and measuring and personalising advertising, through cookies and similar technologies.Consent.
Fraud prevention and platform securityProtecting the Site, our customers and Vawlt against fraud, abuse and security threats (including website-form anti-spam).Legitimate interests.
Legal compliance and requestsComplying with legal obligations and responding to lawful requests from authorities or in legal proceedings.Legal obligation; legitimate interests.
Business transfersEvaluating or carrying out a merger, acquisition, financing or sale of assets.Legitimate interests.

5. Cookies and similar technologies

Our website uses cookies and similar technologies for essential, functional, analytics and advertising purposes. You can manage your preferences at any time through the cookie settings on our website. For details of the specific cookies we use, their purposes and durations, please see our Política de Cookies.

6. Who we share your personal data with

We share personal data only as necessary for the purposes described in this Policy. We share data with:

  • Service providers and sub-processors that process data on our behalf and under our instructions (for example, cloud hosting, payment processing, analytics, advertising and customer-communication tools);
  • Public authorities, courts or regulators, where required to comply with a legal obligation or a lawful request;
  • Third parties in connection with a merger, acquisition, financing or sale of assets, subject to appropriate safeguards.

Infrastructure providers selected and configured by a customer to store their own data are not sub-processors of Vawlt and are not covered by this Policy.

7. International data transfers

Most of the personal data we process is kept within the European Economic Area (EEA); in particular, account (control-plane) data is hosted in the EU regions of our infrastructure providers. Some of the service providers we rely on may process data outside the EEA, including in the United States. Where personal data is transferred outside the EEA, we take steps to ensure it is protected in line with applicable data protection law, on the basis of an adequacy decision or appropriate safeguards such as Standard Contractual Clauses.

8. How long we keep your personal data

We keep personal data only for as long as necessary for the purposes set out in this Policy:

  • Account and control-plane data: for as long as the customer maintains an account with us. When an account is deleted, we delete the related account metadata from our active systems; residual copies may remain in backups and logs and are removed in accordance with our backup and log retention schedule.
  • Customer-stored data: Data that customers store through the Vawlt service is processed under zero-knowledge, end-to-end encryption and is governed by our Terms of Use, not by this Policy. When a customer deletes this data, it is removed from the cloud storage without undue delay.
  • Billing, invoicing and tax data: for the period required by applicable tax and accounting law.
  • Website, analytics and advertising data: for the periods described in our Cookie Policy.
  • Security and audit logs: for as long as necessary for security, audit and legal purposes.

When we no longer have a legitimate need to process your personal data, we delete or anonymise it.

9. How we protect your personal data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction. Account data is stored in encrypted form, and customer-stored data is protected by zero-knowledge, end-to-end encryption. Vawlt maintains an information security management system certified to ISO/IEC 27001.

Aunque siempre haremos todo lo posible para proteger su información personal, la transmisión de información personal hacia y desde nuestro Sitio es bajo su propio riesgo. Solo debe acceder a los servicios dentro de un entorno seguro.

10. Your data protection rights

Subject to applicable law, you have the right to: access your personal data; request its rectification or erasure; restrict or object to its processing; receive it in a portable format; and, where processing is based on consent, withdraw that consent at any time (without affecting processing carried out before the withdrawal).

To exercise your rights, contact us at privacy@vawlt.io. To help us verify your identity, please include your name, the email address associated with your data, and the right you wish to exercise. If an authorised agent submits a request on your behalf, we may require proof of authorisation. We will respond within one month of receiving your request; this period may be extended by up to two further months for particularly complex requests, in which case we will let you know.

If you are in the EEA, you also have the right to lodge a complaint with your local supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by the “Last updated” date above. If we make material changes, we will provide notice by posting the update on our website or, where appropriate, by contacting you directly. We encourage you to review this Policy periodically.

12. Governing law

This Privacy Policy and our processing of personal data are governed by Regulation (EU) 2016/679 (the GDPR) and applicable Portuguese law. The courts of Lisbon, Portugal have jurisdiction over any disputes arising from this Policy, without prejudice to mandatory legal provisions.

13. How to contact us

For any questions about this Policy or about how we handle your personal data, please contact us:

Vawlt Technologies, S.A.
Rua António Champalimaud, Lote 1, 1600-514 Lisboa, Portugal
Email: privacy@vawlt.io