Privacy Policy

SamVault Ltd ("SamVault", "we", "us") is the data controller for personal data processed through the SamVault platform. We are registered in India and comply with applicable data protection legislation including the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023 (DPDPA).

This Privacy Policy applies to all users of the SamVault website and application. By using the Service, you acknowledge the data practices described in this policy.

We use your personal data only for the following purposes:

• Providing the Service — authenticating you, storing and serving your encrypted documents, sending sharing notification emails.
• Security and fraud prevention — detecting anomalous access patterns, maintaining audit trails, responding to security incidents.
• Service communications — sending transactional emails (upload confirmations, share notifications, account alerts). These are not marketing emails and cannot be unsubscribed from while your account is active.
• Service improvement — anonymised analytics to understand how users interact with the platform.
• Legal obligations — complying with applicable law, court orders, or regulatory requirements.

We do not use your data for advertising, profiling, or automated decision-making with legal or similarly significant effects.

SamVault uses a zero-knowledge encryption architecture. Here is what this means for your data:

• Each user vault is protected by a unique encryption key generated at registration. It is never stored in a recoverable form.
• A layered encryption system ensures each document is independently protected with its own key.
• Document content is encrypted with AES-256-GCM before being stored. Only encrypted data reaches our storage systems.

We do not sell your personal data. We share data only in the following limited circumstances:

All third-party processors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures.

We retain your data only for as long as necessary for the purposes outlined in this policy:

• Active account data: Retained for the duration of your account plus 90 days following closure (to allow reactivation or export).
• Encrypted documents: Deleted within 30 days of account closure or document deletion request.
• Activity logs: Retained for 12 months for security purposes, then deleted.
• Billing records: Retained for 7 years as required by financial regulations.
• Support communications: Retained for 2 years after resolution.

You may request early deletion of your data by exercising your right to erasure (see Section 7).

Under the Digital Personal Data Protection Act 2023 (DPDPA) and applicable Indian law, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate personal data.
• Right to erasure: Request deletion of your personal data ("right to be forgotten").
• Right to restriction: Request that we restrict processing of your data in certain circumstances.
• Right to portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Rights related to automated decision-making: We do not carry out automated decision-making with significant effects.

To exercise any of these rights, contact us at privacy@samvault.com. We will respond within 30 days. You also have the right to lodge a complaint with the appropriate data protection authority in your jurisdiction.

Essential cookies: We use an HttpOnly, Secure session cookie to maintain your authentication state. This cookie is strictly necessary and cannot be disabled without breaking the Service.

Analytics: We use Google Analytics (GA4) with IP anonymisation enabled to collect aggregated, anonymised data about how visitors use the platform. No document content or personal identifiers are sent to Google Analytics. You can opt out using the Google Analytics opt-out browser add-on.

We do not use advertising cookies, tracking pixels, or any third-party marketing cookies.

We implement the following technical and organisational measures to protect your data:

• AES-256-GCM encryption for all stored documents
• TLS 1.3 for all data in transit
• Per-user, per-document encryption key hierarchy
• Bcrypt password hashing (cost factor 12)
• Private cloud storage with server-side encryption enabled
• Activity logging and anomaly detection
• Regular security reviews and dependency updates

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users without undue delay, in accordance with applicable data protection law.

Your encrypted data is stored in secure cloud data centres. Some service providers (including Google Analytics) may process data outside India. Where this occurs, we ensure appropriate safeguards are in place.

Where data is transferred outside India, we ensure appropriate safeguards are in place, including contractual protections with service providers and compliance with applicable cross-border data transfer requirements under Indian law.

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at privacy@samvault.com and we will delete it promptly.

For any privacy-related questions, data subject requests, or concerns, please contact:

• Data Protection Officer: privacy@samvault.com
• General enquiries: Contact form
• Postal address: Data Protection Officer, SamVault Ltd, 73 RK Puram, Jatal Road, Panipat, Haryana, 132103, India

To raise a concern with the relevant data protection authority in India, please contact the Data Protection Board of India once established under the DPDPA 2023, or the Ministry of Electronics and Information Technology (MeitY).