DhatuVault — Privacy Policy

1. Scope & Roles

Scope. This Policy explains how we collect, use, disclose, and protect Personal Data and Sensitive Data processed via: (1) public websites (e.g., landing pages, documentation); (2) DhatuVault accounts and dashboards; and (3) support/sales interactions.
Controller vs. Processor.
- For marketing, sales, support, and billing, DFOLDS is the Data Controller (GDPR/UK GDPR) / Business (CPRA).
- For Customer Content processed in DhatuVault (e.g., configuration data, evidence, audit logs, scan results), DFOLDS acts as a Data Processor / Service Provider on behalf of the customer (the Controller/Business), processing only under customer instructions and the MSA/DPA/BAA.
HIPAA Role. For PHI processed on behalf of Covered Entities or Business Associates, DFOLDS acts as a Business Associate and will sign a BAA upon request.

2. Definitions (Plain Language)

Personal Data: information that identifies or can reasonably be linked to an individual (e.g., name, email, identifiers).
Sensitive Data: includes health data/PHI, precise geolocation, government IDs, financial data, and other sensitive categories defined by law.
Customer Content: data uploaded, connected, or generated in your tenant (evidence, findings, audit trails, documents, tickets).
Processing: any operation on data (collecting, storing, using, sharing, deleting).

3. What We Collect & Sources

Account & Contact Data: information that identifies or can reasonably be linked to an individual (e.g., name, email, identifiers).
Customer Content (processor context) : configuration metadata, evidence artifacts, audit logs, scan results, documents; may include PHI or other regulated data if you choose to process such data in DhatuVault.
Usage & Device Data: IP address, device/browser type, timestamps, telemetry, event logs, crash reports.
Billing Data: subscription tier, invoices, payment status (payment card data handled by PCI‑compliant processor; we store tokens/last 4 only where needed).
Support Interactions: chat transcripts, emails, attachments.
Cookies/Similar Tech: session/auth cookies, preferences, analytics (see Cookie Notice at /cookies ). Sources include you, your organization, integrated systems you connect (e.g., AWS/Azure/GCP, Okta, GitHub), subprocessors, and lawful public sources.

4. Purposes & Legal Bases (GDPR/UK GDPR)

Provide & secure the service (accounts, auth, scans, reports, audit trails).Legal bases: Contract performance; Legitimate interests; for PHI—Business Associate obligations.
Improve platform & support (troubleshooting, telemetry, reliability, UX).Legal bases: Legitimate interests; Consent where required.
Communications (service announcements, security notices, billing).Legal bases: Contract performance; Legal obligations; Legitimate interests.
Compliance & Legal (prevent abuse, detect fraud, satisfy legal duties).Legal bases: Legal obligations; Legitimate interests.
Marketing (limited) (newsletters, product updates; opt‑out anytime).Legal bases: Consent where required; Legitimate interests.
AI/automation transparency. We do not train public/foundation models on Customer Content without your prior written consent.

5. Cookies, Analytics & Tracking

Strictly Necessary (auth, load balancing, security) — required.
Preferences/Functional — optional.
Analytics — aggregated metrics to improve performance; IP truncation where feasible.
No cross‑site behavioral advertising; no sale/sharing of Personal Data for targeted ads. Manage choices via the Cookie banner/Preference Center and browser settings; we honor legally required signals (e.g., Global Privacy Control) where applicable. See /cookies.

6. Disclosures to Third Parties

We disclose Personal Data only to: subprocessors/service providers (cloud, email, analytics, support) under DPAs;integration partners you connect; affiliates under same protections; legal/safety recipients when required; and business transfers subject to this Policy and notice. A live Subprocessors list is available on our Trust Center

7. International Transfers

We use EU SCCs and UK IDTA/Addendum with supplementary measures for cross‑border transfers. Regional data residency (US/EU/India) may be available by configuration/contract.

8. Security

Controls include encryption in transit/at rest, RBAC/SSO/MFA, network isolation, vulnerability management, third-party pen tests, secure SDLC, audit logging, immutable backups, and vendor risk management. For HIPAA BA relationships, safeguards align to the Security Rule; breach notification will be made without unreasonable delay andno later than 60 days after discovery, as required by HITECH.

9. Retention

We retain Personal Data only as long as necessary or as required by law/contract. Typical defaults (customizable by agreement): account/profile—life of account + 12 months; telemetry/audit—12–24 months; backups—30–45 days; support—24 months. Upon contract end, we delete/return Customer Content per DPA/BAA and purge backups per schedule.

10. Your Rights

Depending on your location, you may have rights to access, correct, delete, restrict, object, port,and withdraw consent. Certain US states (e.g., CA/CPRA) add rights to opt‑out of sale/sharing(we do not sell/share for cross‑context behavioral ads) and to limit use of Sensitive Personal Information.

11. Children

Business‑use only; not directed to children under 16. If a child’s Personal Data is identified, contact contactus@dfolds.com for deletion.

12. Third‑Party Links & Integrations

Linked services are governed by their own policies. Review them carefully; we are not responsible for third‑party practices.

13. Changes

We may update this Policy; the date above reflects the latest version. Material changes will be notified via email or in‑app. Continued use after the effective date constitutes acceptance.

14. How to Contact Us

General inquiries:enquiry@dfolds.com
Privacy & data rights: contactus@dfolds.com
Postal: DFOLDS LLC — Privacy, 262 CHAPMAN RD, STE 240, NEWARK, DE 19702, USA
EU/UK Representative: Posted on our Trust Center when appointed.