Privacy Policy

Effective Date: June 1, 2025

Daeyeub Kim (김대엽) ("Company", "we", "us", or "our") operates the Delivault service at delivault.dev. We take your privacy seriously. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights in relation to it.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.


1. Who We Are


2. Information We Collect

We collect different types of information depending on how you interact with Delivault.

2.1 Freelancers (Registered Users)

Category | Data Collected | When
Account | Email address, hashed password | At registration
Social Login | Email address, social account ID (e.g., Google) | When connecting a social account
Profile | Display name (optional) | If provided
Service Usage | Vault creation history, file metadata (name, size, type), event logs, subscription plan and history | During use
Payment | Subscription tier, billing history (raw payment card data is handled solely by Creem and never stored by us) | At payment
Technical | IP address, browser type, operating system, access timestamps, session identifiers | Automatically on each access

2.2 Clients (Non-Registered Users)

Clients do not create accounts. We collect limited data to enable authenticated delivery access:

Category | Data Collected | When
Identification | Email address (registered by the Freelancer at Vault creation) | At Vault creation
Authentication | OTP delivery timestamp, IP address, verification timestamp | On access
Activity | Delivery access events, approval/dispute actions, timestamps | During use

2.3 Automatically Collected Data

When you visit or use the Service, we automatically collect:

  • IP address
  • Browser and device information
  • Pages visited and time spent
  • Referrer URL

This data is used for security monitoring, fraud detection, and analytics.


3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under the following legal bases:

Processing Activity | Legal Basis
Account creation and service delivery | Performance of a contract (Art. 6(1)(b) GDPR)
Sending OTPs and notifications | Performance of a contract
Payment processing | Performance of a contract
Fraud prevention and security | Legitimate interests (Art. 6(1)(f) GDPR)
Service analytics and improvements | Legitimate interests
Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR)
Evidence log preservation | Legitimate interests / Legal obligation

4. How We Use Your Information

We use the information we collect to:

  1. Provide the Service: Create accounts, authenticate users, manage Vaults, deliver files, and process subscriptions.
  2. Authenticate Clients: Send email OTPs to verify Clients' identities before they access deliveries.
  3. Process Payments: Facilitate subscription billing through our payment processor, Creem.
  4. Generate Evidence: Compile timestamped event logs into evidence PDFs for dispute resolution.
  5. Send Notifications: Email alerts related to delivery events (e.g., client access, payment confirmation, disputes).
  6. Ensure Security: Monitor for fraud, abuse, and unauthorized access.
  7. Improve the Service: Analyze aggregate usage patterns to enhance features and performance.
  8. Comply with Legal Obligations: Retain records as required by applicable law.

We do not sell your personal data. We do not use your data for automated profiling or decision-making that produces legal effects.


5. Third-Party Service Providers

We share personal data with the following processors to deliver the Service:

Processor | Purpose | Location | Privacy Reference
Supabase, Inc. | Authentication, database storage, file storage | USA (with EU data region options) | supabase.com/privacy
Resend, Inc. | Transactional email delivery (OTPs, notifications) | USA | resend.com/privacy
Creem | Subscription payment processing (Merchant of Record) | See Creem's policy | creem.io/privacy

Each processor is bound by data processing agreements and maintains appropriate safeguards (e.g., EU Standard Contractual Clauses) for international data transfers.

We do not share your personal data with any other third parties except:

  • When required by law, court order, or government authority.
  • To protect the rights, safety, or property of the Company, our users, or the public.
  • In connection with a merger, acquisition, or sale of assets (with prior notice to you).

6. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, subject to the following:

Data | Retention Period | Reason
Account data (active) | Duration of account + 30 days post-deletion | Service delivery; fraud prevention
Event logs and Vault records | Indefinitely | Evidence preservation and audit
Evidence PDFs | Indefinitely | Legal evidence; cannot be deleted
Payment records | 5 years from transaction | Legal and accounting requirements
Email logs | 30 days | Delivery confirmation
Server access logs | 3 months | Security and legal compliance

When data is no longer needed, we securely delete or anonymize it.


7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure ("Right to be Forgotten"): Request deletion of your data where we no longer have a legal basis to retain it. Note: evidence PDFs and legally required records cannot be deleted.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format (where technically feasible).
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time (this does not affect the lawfulness of prior processing).

How to exercise your rights: Email help@mail.delivault.dev with the subject line "Privacy Request" and your account email address. We will respond within 30 days. We may need to verify your identity before processing certain requests.

If you are located in the EU/EEA and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority.


8. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

Cookie Type | Purpose | Duration
Session cookie | Maintain your authenticated session | Session (deleted on close)
Language preference | Remember your language setting | 1 year
Security | CSRF protection and fraud prevention | Session

We do not use advertising cookies or track you across third-party websites. You can configure your browser to refuse cookies, but some features (such as staying logged in) may not function properly.


9. Security

We implement technical and organizational security measures to protect your personal data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Files stored in Supabase Storage are encrypted with AES-256.
  • Password hashing: Passwords are hashed using bcrypt before storage. We never store plaintext passwords.
  • HMAC-signed links: Delivery links are cryptographically signed to prevent tampering.
  • OTP security: One-time passwords expire in 10 minutes and are invalidated after a single use.
  • Access controls: We apply the principle of least privilege and Row Level Security (RLS) to restrict data access.
  • Regular security reviews: We conduct periodic security assessments of our infrastructure and code.

No system is completely secure. If you discover a security vulnerability, please report it responsibly to help@mail.delivault.dev.


10. International Data Transfers

Delivault is operated from the Republic of Korea. Our third-party processors (Supabase, Resend, Creem) are located in the United States. If you are accessing the Service from the EU/EEA, your data will be transferred to and processed in countries outside the EEA.

We ensure appropriate safeguards are in place for such transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Processor-maintained certifications or equivalent frameworks.

11. Children's Privacy

The Service is not directed at children under the age of 14 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe we have done so, please contact help@mail.delivault.dev.


12. Links to Third-Party Services

The Service may contain links to third-party websites or integrations. We are not responsible for the privacy practices of those services. We encourage you to review the privacy policies of any third-party services you access.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

  • Material changes: We will notify you via email or a prominent notice in the Service at least 7 days before the changes take effect.
  • Changes to data collection or purpose: We will provide at least 30 days' notice and, where required, seek fresh consent.

The current version is always available at /legal/privacy-policy. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Policy.


14. Contact Us

If you have questions about this Privacy Policy, your personal data, or how to exercise your rights, please contact our Privacy Officer:

We aim to respond to all privacy-related inquiries within 30 days.


Delivault is operated by Daeyeub Kim (김대엽). All rights reserved.