GDPR Compliance

Last Updated: 06/2025

W9Vault is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Union. This document outlines our GDPR compliance measures and your rights under the regulation.

Data Controller Information

W9Vault

Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR Article 6:

Contract Performance (Article 6(1)(b)):

  • Processing payments and managing subscriptions
  • Delivering secure document collection services
  • Sending service-related communications and notifications

Legitimate Interest (Article 6(1)(f)):

  • Maintaining security and preventing fraud
  • Improving our service based on usage analytics
  • Direct marketing to existing customers about service updates

Consent (Article 6(1)(a)):

  • Marketing communications to prospects
  • Optional analytics and improvement features
  • Non-essential cookies and tracking

Legal Obligation (Article 6(1)(c)):

  • Financial record keeping and tax reporting
  • Compliance with cybersecurity regulations
  • Responding to lawful government requests

Categories of Personal Data We Process

Account Information:

  • Contact details (name, email address, company name)
  • Account preferences and settings
  • Usage data and service interactions

Billing Information:

  • Payment information processed by Stripe (we only store transaction records)
  • Billing addresses for tax calculation and invoicing

Document Collection Data:

  • Vendor contact information for W-9 requests
  • Document metadata (upload dates, request status, file names)
  • Encrypted document contents (zero-knowledge: we cannot access file contents)

Technical Information:

  • IP addresses for security monitoring
  • Browser and device information
  • Website usage analytics (anonymized after 30 days)

Data Processing Purposes

Service Delivery:

  • Account creation and management
  • Secure document upload and collection
  • Email notifications and reminders
  • Customer support and technical assistance

Security & Compliance:

  • Fraud prevention and security monitoring
  • Audit logging for compliance purposes
  • Threat detection and incident response

Business Operations:

  • Payment processing and subscription management
  • Service improvement and development
  • Legal compliance and record keeping

Data Retention

Uploaded Documents:

  • Automatically deleted after 30 days (core security feature)
  • No long-term document storage (by design)
  • Secure cryptographic deletion

Account Data:

  • Active accounts: Retained while account is active
  • Closed accounts: Deleted within 90 days of closure
  • Financial records: Retained per legal requirements

Logs and Analytics:

  • Security logs: 2 years (personally identifiable information removed after 90 days)
  • Analytics data: Anonymized after 30 days
  • Error logs: 1 year with personally identifiable information scrubbed

International Data Transfers

Primary Processing Location: United States

Transfer Safeguards:

  • Standard Contractual Clauses (SCCs) with all processors
  • Adequacy decisions for key partners (Stripe payment processing)
  • Encryption in transit and at rest for all transfers
  • Regular assessment of transfer mechanisms and legal developments

Key Processors:

  • Supabase: Database and authentication (with EU region options)
  • Stripe: Payment processing (EU adequacy decision)
  • Resend: Email services (EU-compliant infrastructure)
  • Vercel: Hosting services (with EU data residency options)

Your GDPR Rights

You have the following rights under GDPR:

Right of Access (Article 15):

  • Request copies of your personal data
  • Information about how your data is processed
  • Details about data sharing and retention

Right to Rectification (Article 16):

  • Correct inaccurate personal data
  • Complete incomplete data records
  • Update changed information

Right to Erasure (Article 17):

  • Delete your account and associated data
  • Remove specific pieces of personal data
  • Withdraw consent for processing

Right to Restrict Processing (Article 18):

  • Limit how we use your data
  • Pause processing while disputes are resolved
  • Clear notification of any restrictions

Right to Data Portability (Article 20):

  • Export your data in machine-readable format (JSON)
  • Transfer data to another service provider
  • Available for data processed based on consent or contract

Right to Object (Article 21):

  • Object to processing based on legitimate interests
  • Opt out of direct marketing at any time
  • Withdraw consent for non-essential processing

Right to Human Review:

  • Request human review of any automated decision-making
  • Challenge automated security assessments if they affect you

Exercising Your Rights

How to Make Requests:

  • Email: privacy@w9vault.com
  • Include your account email address
  • Specify which right you're exercising
  • Identity verification may be required for sensitive requests

Our Response Process:

  • Acknowledgment within 72 hours
  • Response within 30 days (may extend to 60 days for complex requests)
  • No charge for reasonable requests
  • Clear explanation if we cannot fulfill a request

Data Protection by Design

Technical Measures:

  • Zero-knowledge client-side encryption by default
  • Automatic 30-day data deletion
  • Privacy-preserving analytics
  • Minimal data collection principles

Organizational Measures:

  • Privacy impact assessments for new features
  • Regular staff training on GDPR compliance
  • Data protection policies and procedures
  • Regular compliance audits and reviews

Data Breaches

Our Response Commitment:

  • Detection and assessment within 24 hours
  • Notification to supervisory authority within 72 hours (if high risk to rights and freedoms)
  • Individual notification without undue delay (if high risk)
  • Clear communication about the breach, impact, and remediation measures

Supervisory Authority

Primary Supervisory Authority: Since we're a US company with EU users, you may file complaints with:

  • Your local EU supervisory authority
  • The Irish Data Protection Commission (for Supabase-related matters)

Contact Information for Complaints:

Data Processing Addendum

For business customers who process EU personal data using our services, we provide a comprehensive Data Processing Addendum (DPA) that includes:

  • Standard Contractual Clauses approved by the European Commission
  • Detailed security and processing obligations
  • Data subject rights procedures
  • Breach notification requirements

Contact us at legal@w9vault.com to execute a DPA for your organization.

Contact Information

Data Protection Questions:

General Privacy Questions:

Regular Updates

This GDPR compliance document is reviewed and updated:

  • Annually or when regulations change
  • When processing activities change significantly
  • Following privacy impact assessments
  • After supervisory authority guidance updates

We are committed to maintaining the highest standards of data protection and continuously improving our GDPR compliance measures to protect your privacy rights.