
Privacy Policy

Vault41 Ltd · Last updated: 22 May 2026 · Version 1.0

This Privacy Policy explains how Vault41 Ltd ("we", "us", "our") collects, uses, and protects your personal data when you use RefVaultApp™ ("the App", "the Service"). We are the data controller for personal data processed through the Service.

We are registered in England and Wales. Our registered ICO number will appear here once registration is complete.

1. Who We Are

Vault41 Ltd
Silverstream House, 45 Fitzroy Street, London, W1T 6EB
Registered in England & Wales · Company No. 16707732
ICO Registration: ZC081090 (registered 19 January 2026, expires 18 January 2027)
Data protection contact: legal@vault41.org
Website: refvaultapp.com

As the data controller, we determine the purposes and means of processing your personal data. Where you use our Service as a candidate (the person requesting references), you are our primary customer. Referees who submit responses are also data subjects whose rights we respect.

2. What Data We Collect

Account data (when you register):

  • Full name and email address
  • Password (stored as a one-way hash - we cannot read it)
  • Professional profile details you choose to add (headline, sector, city, LinkedIn URL, bio)

Reference data:

  • Details of references you request: company, role, dates, referee name and email
  • Referee responses: structured answers, trust signal, and identity verification details (full name, date of birth, employment dates)
  • Identity verification data provided by referees (encrypted and access-restricted)

Payment data:

  • Your subscription tier and status
  • Stripe customer ID (a reference token - we do not store your card number)
  • Payment history is held by Stripe under their own privacy policy

Usage and technical data:

  • Browser type, device type, IP address
  • Pages visited and actions taken within the app
  • Sharing activity logs (who viewed a reference link, when)

3. Legal Basis for Processing

We process your data on the following legal grounds under UK GDPR:

  • Contract performance - to provide the Service you have signed up for
  • Legitimate interests - to improve the Service, ensure security, and prevent fraud
  • Legal obligation - to comply with applicable laws and regulations
  • Consent - for optional communications (e.g. marketing emails, if you opt in)

For special category data (such as date of birth collected for identity verification), we rely on explicit consent given by the referee at the point of submission.

4. How We Use Your Data

  • To create and manage your account and vault
  • To send reference request emails to your chosen referee
  • To store and display your references securely
  • To generate shareable links, QR codes, and PDF certificates
  • To process payments via Stripe
  • To send transactional emails (reference received, sharing notifications)
  • To improve and develop the Service
  • To comply with legal obligations and prevent misuse

5. Who We Share Data With

We share your data only where necessary:

  • Stripe - payment processing. Stripe is PCI DSS compliant.
  • Google Firebase / Firestore - secure cloud database and authentication
  • EmailJS - transactional email delivery
  • Employers you share references with - only the data included in a specific reference package, on your explicit instruction

We do not sell your data. We do not share your data with advertisers or third parties for marketing.

6. Referee Data

When a referee submits a reference, they provide personal data (name, job title, identity verification details). This data is:

  • Stored securely and access-restricted in our database
  • Shared with employers only in the structured form they completed
  • Never sold or shared for any other purpose
  • Retained for as long as the associated reference vault account is active

Referees are informed of this at the point of submission. If a referee wishes to withdraw their reference, they should contact us at privacy@refvaultapp.com.

7. Data Retention

We retain your data for as long as your account is active. References stored in your vault are kept permanently as part of the Service promise ("stored for life"). If you delete your account:

  • Your personal profile data is deleted within 30 days
  • References and associated data are anonymised or deleted upon request
  • Payment records required by law (e.g. for tax purposes) are retained for 7 years

8. Your Rights (UK GDPR)

As a data subject, you have the right to:

  • Access - request a copy of your personal data
  • Rectification - correct inaccurate or incomplete data
  • Erasure - request deletion of your data ("right to be forgotten")
  • Restriction - request we limit processing of your data
  • Portability - receive your data in a machine-readable format
  • Object - object to processing based on legitimate interests
  • Withdraw consent - where processing is based on consent, you may withdraw at any time

To exercise any of these rights, email privacy@refvaultapp.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data appropriately.

9. International Transfers

Some of our sub-processors (Firebase, Stripe) may process data outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms, in accordance with UK GDPR requirements.

10. Security

We implement industry-standard security measures including:

  • Encryption in transit (HTTPS/TLS on all connections)
  • Encrypted data storage via Firebase/Firestore
  • Role-based access controls on all data
  • Stripe's PCI DSS compliance for payment data
  • Regular security reviews and dependency audits

No system is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify you and the ICO as required by law.

11. Cookies and Tracking

RefVaultApp™ uses minimal cookies, primarily for authentication (Firebase session tokens) and service functionality. We do not use advertising cookies or third-party tracking pixels.

12. Children

Our Service is not directed at children under 16. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the App. The "last updated" date at the top of this page reflects the most recent version.

14. Contact Us

For any privacy-related questions or requests:

📧 legal@vault41.org
📧 privacy@refvaultapp.com
🌐 refvaultapp.com
