1. Data we collect

Account data: email, name, organization, when you create an account or contact us. Required to deliver service.

Operational metadata: timestamps, request types, jurisdiction of access. Required for billing, audit, and security.

Telemetry: only what is strictly necessary for security and compliance. No behavioral profiling, no advertising trackers.

Encrypted content (Vault ZK): stored, never read. Mathematically inaccessible to us.

2. Why we collect it

Provide the service you contracted for.

Comply with legal obligations (tax, KYC where applicable, lawful requests).

Detect and prevent fraud, abuse, and unauthorized access.

Improve product quality through aggregated, non-identifying signals.

3. How long we keep it

Account data: contract duration + 7 years (legal/audit).

Operational metadata: 12 months by default, extendable for security investigations.

Encrypted content: as long as you maintain the storage subscription. Deleted on account closure.

4. Who can access your data

Authorized SerenityVault personnel with explicit operational need, under written confidentiality.

No third-party processors that could profile or repurpose your data.

Lawful authorities only with valid legal process from a competent jurisdiction. Annual transparency report.

5. Your rights

Access — request a copy of your account data.

Rectification — correct inaccurate information.

Deletion — close your account (subject to legal retention).

Portability — export your data in a machine-readable format.

Objection — restrict processing for specific purposes.

Complaint — file with a data protection authority in your jurisdiction.

6. International transfers

SerenityVault™ operates across multiple jurisdictions (Quebec, Paraguay, Dubai). Transfers between nodes use post-quantum encrypted channels and ZK proofs — no plaintext crosses borders.

7. Updates to this policy

Material changes are notified via email at least 30 days before they take effect.