Privacy Policy
1. Data Controller
The data controller is VAULTAI, a simplified joint-stock company (société par actions simplifiée) with a share capital of €1,000, with its registered office at 3 RUE DE TANGER, 31400 TOULOUSE, France, registered with the Toulouse Trade and Companies Register under number 995 400 041 and represented by Mr. Hugo Dorus, acting in his capacity as President.
- Company Name: VAULTAI SAS
- Share Capital: €1,000
- Registered Office: 3 RUE DE TANGER, 31400 TOULOUSE, France
- SIREN: 995 400 041
- Legal Representative: Hugo Dorus (President)
- Data Protection Contact: hello@vaultai.eu
Last updated: 28 January 2026
1.1 Google User Data - Limited Use Disclosure
Limited Use Disclosure: VaultAI's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
What we collect: When you sign in with Google, we only collect your email address and basic profile information (name, profile picture) for account creation and authentication.
How we use Google data: Your Google account information is used exclusively to authenticate you and display your profile within VaultAI. It is never sent to AI models, analytics services, or any external system.
What we do NOT do with Google data:
- We do NOT transfer Google user data to third parties
- We do NOT use it for advertising purposes
- We do NOT use it for credit assessment or lending
- We do NOT sell, rent, or share it with anyone
- We do NOT use it to train AI or machine learning models
Limited exceptions: We may only disclose Google user data if required by law, to investigate security incidents, or as part of a company merger (with prior notification to users).
2. Information Processing Models
2.1 Cloud Platform (Hosted by VaultAI)
For users of our cloud platform, data is processed on secure servers located in the European Union. VaultAI acts as a data processor on behalf of our customers.
- All data is hosted on EU-based servers (GDPR-compliant)
- End-to-end encryption for data in transit and at rest
- Regular security audits and updates
- VaultAI administrators may access data for maintenance purposes (under NDA when required)
2.2 Self-Hosted Solution
For our self-hosted solution deployed on customer infrastructure:
- All data remains within your infrastructure
- VaultAI does not have access to your data unless explicitly granted for support purposes
- You are the data controller for all information processed within your instance
- We may collect minimal telemetry data for license validation and service monitoring (see Section 10)
3. Data We Collect
3.1 Application Usage Data
- Account information (name, email address)
- Usage logs and platform interactions
- Technical information (browser type, device information)
- Payment information (processed by our payment provider)
3.2 User-Uploaded Files
Documents and files you upload to VaultAI for analysis and processing, including but not limited to:
- PDFs, Word documents, Excel spreadsheets
- Images and presentations
- Text files and code
- Any other files you choose to upload
3.3 Third-Party Integrations (OAuth Connections)
When you authorize VaultAI to connect to third-party services, we access data with your explicit consent:
- Google Drive: User files (read-only access)
- Notion: User pages and databases (read-only access)
- SharePoint / OneDrive: User files (read-only access)
- Google Calendar: Events, participants, meeting links (read-only access)
- Gmail: Emails (read-only access) — planned feature
- Outlook Calendar: Events and meetings (read-only access) — planned feature
Important: VaultAI operates in read-only mode for all third-party integrations. We do not modify or delete any files in your connected services.
3.4 Meeting Recordings
When you use our meeting transcription feature, we collect:
- Video recordings (configurable — can be disabled)
- Audio recordings (configurable — can be audio-only or disabled)
- Automatic transcriptions
- AI-generated summaries and action items
You have full control over recording settings and can choose to capture video + audio, audio only, or transcription only.
3.5 AI Conversational Memory
To provide personalized assistance, VaultAI stores:
- User preferences and settings
- Project context and notes
- Conversation history with the AI assistant
- Custom instructions and prompts
You have full control over this memory and can view, modify, or delete any stored memories at any time.
3.6 Web Search Data
When you use web search features within VaultAI, we process:
- Search queries submitted through our interface
- Search results retrieved from standard search engines
3.7 Third-Party Public Data Sources
For certain features (especially the Legal Module), VaultAI may access public data sources:
- Pappers: French company data (paid API — Pappers is the data controller for this data)
- Judilibre: French case law database (public database)
- Légifrance: French laws and regulations (public database)
4. Purposes of Processing
We process your data for the following purposes:
- Meeting Transcription and Summarization: Converting audio/video recordings into searchable text and generating summaries
- Unified Document Search (RAG): Enabling intelligent search across your documents and connected data sources
- Contextual AI Assistance: Providing personalized AI responses based on your data and preferences
- Content Generation: Creating documents, diagrams, code, images, and other content based on your requests
- Legal Analysis: Providing legal research and analysis features (Legal Module only)
- Billing and Account Management: Managing subscriptions, tracking usage (number of users, active modules), and processing payments
- Service Improvement: Analyzing usage patterns to improve our platform and user experience
- Security and Compliance: Protecting our systems and ensuring compliance with applicable laws
5. Legal Basis for Processing
We process your personal data based on:
- Contract Performance: Processing necessary to provide our services as outlined in our Terms of Service
- Consent: Where you have given explicit consent, particularly for third-party integrations and optional features
- Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention and service improvement
- Legal Obligations: Processing required to comply with applicable laws and regulations
6. Data Sharing
6.1 Google User Data - No Third-Party Sharing
Important: Google user data (email, profile information) obtained through Google Sign-In is NEVER shared with third parties except as explicitly permitted in section 1.1 above (security purposes, legal compliance, or merger/acquisition with notification).
Your Google account credentials are securely stored and never exposed to AI models or any third parties.
6.2 AI Features
VaultAI includes AI-powered features that allow you to analyze your own documents and generate content. When you use these features:
- You explicitly choose to submit your own documents or prompts for AI processing
- You select and control which AI model processes your request
- This is a core user-facing feature visible and prominent in the application
Google user data is never involved in AI processing:
- Your Google account information (email, profile) is NEVER sent to AI systems
- Only content you explicitly submit (your documents, your prompts) is processed
- Google OAuth data remains isolated and is used only for authentication
Google Workspace Data: VaultAI does not use data obtained through Google Workspace APIs or Google OAuth to develop, improve, or train generalized AI and/or ML models.
6.3 Service Providers
We may share data with essential service providers:
- Cloud hosting providers (EU-based)
- Payment processors
- Analytics services (anonymized data only)
Note: These are service providers acting on our behalf, not third parties receiving your data for their own purposes.
6.4 No Commercial Data Sharing
We do not sell, rent, or share your personal data with third parties for commercial or advertising purposes.
6.5 Legal Requirements
We may disclose data when required by law, court order, or to protect our legal rights.
7. Data Retention
7.1 Active Accounts
We retain your data for as long as your account is active and as needed to provide our services.
7.2 After Account Termination
After account termination or subscription cancellation:
- Your data is retained for 90 days to allow for data export and account reactivation
- After 90 days, all personal data is permanently deleted from our active systems
- Backup copies may be retained for up to 180 days for disaster recovery purposes
7.3 Google OAuth Data Retention
Google user data (email, basic profile): This information is retained while your account is active. Upon account deletion, Google OAuth data is permanently removed within 30 days.
7.4 Immediate Deletion
You may request immediate deletion of your data at any time by contacting us at hello@vaultai.eu. We will process such requests within 30 days.
8. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR) and applicable French data protection laws, you have the following rights:
- Right of Access: Request a copy of all personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Restrict Processing: Request limitation of how we process your data
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
8.1 Disconnecting Third-Party Integrations
You can disconnect any third-party integration (Google Drive, Notion, SharePoint, etc.) at any time through your account settings. Upon disconnection:
- Access tokens are immediately revoked
- Indexed data from that integration is deleted within 24 hours
- You can reconnect at any time with a new authorization
8.2 AI Memory Control
You have full control over the AI conversational memory:
- View all stored memories in your account settings
- Modify or correct any memory
- Delete individual memories or clear all memory
- Disable the memory feature entirely
8.3 Exercising Your Rights
To exercise any of these rights, please contact us at hello@vaultai.eu. We will respond to your request within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the French data protection authority (CNIL):
- CNIL — Commission Nationale de l'Informatique et des Libertés
- 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
- Website: www.cnil.fr
9. Data Security
- End-to-end encryption for data in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Regular security audits and penetration testing
- Access controls and authentication mechanisms
- Secure data centers within the European Union
- Regular backup and disaster recovery procedures
10. Telemetry and Monitoring
For both Cloud and Self-Hosted deployments, VaultAI may collect minimal telemetry data for license validation and service monitoring:
- Automatic reports are sent hourly from each VaultAI instance
- Data collected:
  - Number of active users
  - Active modules (enabled features)
  - Application version
  - Basic health metrics
- Data NOT collected:
  - IP addresses of end users
  - Document contents or file names
  - Conversation contents
  - Search queries
  - Any personally identifiable information
For Self-Hosted deployments, you may request a fully air-gapped configuration with no external telemetry. Contact us for details.
11. International Data Transfers
Your data is primarily processed within the European Union. When we use AI model providers (OpenAI, Anthropic, Google), YOUR DOCUMENTS may be transferred to the United States under appropriate safeguards:
- EU-US Data Privacy Framework
- Standard Contractual Clauses (SCCs)
- Additional technical and organizational measures
Important: Google user data (OAuth credentials) remains in the EU and is NOT transferred to AI providers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes through:
- Email notification to registered users
- Prominent notice on our platform
- Update to the "Last updated" date at the top of this policy
Your continued use of VaultAI after such modifications constitutes your acknowledgment and acceptance of the updated policy.
13. Contact Information
For any privacy-related questions, data requests, or concerns, please contact us:
- Email: hello@vaultai.eu
- Address: VAULTAI SAS, 3 RUE DE TANGER, 31400 TOULOUSE, France
- Data Protection Officer: Hugo Dorus
We strive to respond to all requests within 30 days.