Privacy Policy

This Privacy Policy ("Policy") is a legal agreement between you (the "Customer", "you" or "your") and Vault4x ("Vault4x", "we", "us", or "our"), a legal entity registered in Lithuania with operational presence in international jurisdictions, concerning your access to and use of our website, APIs and related services (the "Services").

Vault4x provides infrastructure for card and payment-identity tokenization and secure vaulting of sensitive data for fintech and regulated-platform customers. We value your privacy and are committed to protecting the personal data you submit or that we process on behalf of your end-users.

This Policy describes what personal data we collect, how we collect it, how we use it, how we share it, how we protect it, your rights, and how you can contact us.

This Policy applies to all personal data collected by Vault4x via our website, API integrations, portals, and other Services (collectively, the "Platform").

It covers data we collect from you (our Customer), your end-users (whose card/payment/identity data you submit to our Services), and other visitors to our website.

This Policy does not apply to the privacy practices of any third-party websites, services or products referenced or linked from the Platform. We encourage you to review their policies separately.

We will not sell or rent your personal information to marketers. We may share personal data only as necessary to deliver the Services or comply with law. Examples of recipients or circumstances:

• Service providers, cloud/data-hosting vendors, subcontractors or partners helping us to provide the Platform.
• Payment processors, fraud detection services, law-enforcement or regulatory agencies when required by law or legitimate interest.
• In connection with corporate transactions (merger, acquisition, insolvency) we may transfer data as part of the transaction; you will be notified if a different privacy policy will apply.
• Third-parties you authorise to receive data via our API (e.g., payment gateways, your downstream systems).

Your data may be stored, processed or transferred outside your jurisdiction (including outside the European Economic Area). By using our Services, you consent to such cross-border transfers subject to appropriate safeguards.

We retain personal data only as long as necessary to fulfil the purposes described, unless a longer retention period is required or permitted by law.

Upon termination of your account or our provision of Services, you will be given a period (for example 30 days) to export your data (tokens, metadata, logs) in a standard format. After that period, we will delete or anonymize your data in accordance with our internal retention policy.

We implement technical and organisational controls appropriate to the sensitivity of data processed (including encryption in transit and at rest, access controls, monitoring, secure data-centres). Our Platform is designed to support compliance with applicable payment-card and data-protection standards (e.g., PCI DSS).

However, no method of transmission over the Internet or method of electronic storage is entirely secure, and we cannot guarantee absolute security. You acknowledge and accept that risk when using the Platform.

Because we operate internationally, your data may be transferred to, stored, processed in jurisdictions outside the EEA. Where required by applicable data-protection law, we will apply appropriate safeguards (e.g., European Commission Model Clauses or equivalent) to protect your data.

Depending on your jurisdiction, you may have the right to access, correct, delete or restrict processing of your personal data, request portability, or object to processing where applicable.

If you wish to exercise these rights, please contact us at the email address set out below. We may require you to verify your identity before responding to your request.

You may also opt-out of receiving marketing communications (but not service-related communications such as billing or service notices).

Our Services are not directed at children under the age of 13. We do not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

We may modify this Privacy Policy from time to time. If the changes are material, we will provide notice (for example via email or our Platform) prior to the changes taking effect. Your continued use of the Services after the effective date of the updated Policy constitutes acceptance of the changes.

For questions, requests or complaints regarding this Policy or your personal data, please contact: