Privacy Policy
Last updated: June 2026
Vaulty ("we", "us") operates the website at vaulty.world, the Vaulty Telegram bot (@VaultyWorld_bot), and the Vaulty Mini App. This policy explains what data we collect, why, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).
1. Data we collect
- On-chain identifiers — Solana wallet addresses and transaction hashes you voluntarily connect or send.
- Telegram identifiers — your Telegram user ID, username and language code when you interact with our bot or Mini App, supplied by Telegram via signed
initData. - Technical data — IP address, user agent, and basic request logs retained for up to 30 days for security and abuse prevention.
- Voluntary data — anything you submit through forms, support chats, or governance proposals.
We do not ask for, store, or transmit private keys, seed phrases, or government-issued identity documents.
2. Legal bases (GDPR Art. 6)
- Contract — to deliver the wallet-binding, payout, and Mini App features you request.
- Legitimate interest — fraud prevention, network security, and product analytics.
- Consent — non-essential cookies and marketing communications (revocable any time).
3. Cookies & local storage
We use a minimal set of first-party cookies and localStorage keys (e.g. wallet session, site-config cache, theme). No third-party advertising or cross-site tracking pixels are deployed.
4. Sharing
Data is processed by infrastructure providers acting as processors under contract: our hosting provider, our managed database/edge-function provider, and Telegram (for bot delivery). We never sell personal data.
5. Retention
Wallet bindings persist until you unlink them. Request logs are deleted after 30 days. Backups roll on a 90-day cycle.
6. Your rights
You may request access, rectification, erasure, restriction, portability, or object to processing. EU/UK residents may also lodge a complaint with their supervisory authority. California residents have the right to know, delete, and opt out of "sale" (we do not sell data). Data protection contact: legal@vaulty.world.
7. International transfers
Where data leaves the EEA/UK, transfers rely on Standard Contractual Clauses with the receiving processor.
8. Changes
Material changes will be announced on this page and via our official Telegram channel at least 14 days before taking effect.
9. Vaulty Wallet — what we collect and what we never see
Vaulty Wallet is self-custody. Keys are generated and encrypted locally on your device. We collect only what is needed to display your account and provide the platform experience:
- Profile data you provide (e.g. display name, email if you sign in, language preference).
- Read-only on-chain status: public address, balance, token holdings, and confirmed transactions visible on the Solana blockchain — used to render your portal, statements, and Credit Rating display.
- Session metadata: lock state, last-seen timestamp, device fingerprint hash for abuse prevention.
We never collect, store, transmit, or have access to:
- Private keys or recovery (seed) phrases.
- Wallet unlock passwords or PINs.
- Off-chain transaction details beyond what is publicly visible on Solana.
10. Vaulty Credit Rating
The Credit Rating is derived from public on-chain signals and aggregated platform activity. Credit-related processing is segregated from wallet security material: the system never reads, requires, or has access to your keys, recovery phrase, or password. The Credit Rating is a community profile indicator only and is not shared with credit bureaus, lenders, or advertising networks.
11. Linked external wallets
When you connect an external wallet (Phantom, Solflare, or any Solana Wallet Standard provider), that wallet remains governed by its own provider's privacy policy. Vaulty only reads the public address you choose to share and any signatures you explicitly approve. We do not receive your external wallet's keys or seed phrase.
12. Sharing & standards
We do not sell personal data and do not share sensitive data with third-party advertisers. Processing aligns with UK GDPR, EU GDPR, and equivalent global data-protection standards. Sub-processors (hosting, managed database/edge functions, Telegram delivery) act under contract and only with the minimum data required to operate the Services.
13. Optional Secure Backup & biometric verification
If you enable the optional Secure Backup & Recovery service, the following data-handling rules apply in addition to the rest of this Policy:
- Biometric data is never stored on Vaulty servers. When you use Face ID, Touch ID, Windows Hello, or any other FIDO2 / WebAuthn authenticator to confirm your identity, the biometric template never leaves your device. Vaulty receives only the cryptographic public key generated at enrollment and a per-challenge signed assertion at verification time — neither of which can be reversed into a fingerprint, face scan, or other biometric sample.
- Only encrypted blobs are stored externally. Backup shards are encrypted on your device with AES-256-GCM before any upload. What is transmitted to and stored on third-party storage networks (Arweave, IPFS via Pinata) is opaque ciphertext combined with an inert Shamir share. No plaintext seed phrase, password, AES key, or single recoverable secret ever leaves your device.
- How the data is used. The encrypted shards are used solely to allow you to reconstruct your own wallet during recovery. Public storage locators (Arweave transaction ID, IPFS CID, local filename) are kept on your device so the recovery flow knows where to fetch your shards. Vaulty does not index, analyze, or monetize this data.
- Never shared. Vaulty does not share backup shards, biometric public keys, recovery metadata, or any related material with advertisers, data brokers, or any third party other than the storage network you explicitly chose for a given shard.
- Deletion. Disabling Secure Backup in Settings clears the local status and stored locators on your device. Encrypted shards already published to permanent or pinned storage may persist on those networks under the providers' own terms; because the shards are encrypted and individually useless, this does not expose your account.
14. Contact us
General inquiries: hello@vaulty.world
Data protection & subject rights: legal@vaulty.world
Security incidents: security@vaulty.world

