Legal

Privacy Policy

Last updated: 6 July 2026 · GDPR-compliant

This Privacy Policy (the “Policy”), as may be amended, restated, supplemented, or otherwise modified from time to time, describes the manner in which BitVault Europe S.A. LTD. (“BitVault”, “we”, “us”, or “our”), acting in its capacity as data controller within the meaning of Regulation (EU) 2016/679 (the “GDPR”), collects, records, organises, structures, stores, adapts, retrieves, consults, uses, discloses, and otherwise processes personal data in connection with the websites, applications, and services made available by or on behalf of BitVault from time to time (the “Services”), in accordance with the GDPR, the Austrian Data Protection Act (Datenschutzgesetz), and such other data-protection laws as may be applicable from time to time. The controller responsible for the processing described herein is BitVault Europe S.A. LTD., with its registered office at Kärntner Ring 12, 1010 Vienna, Austria. This Policy should be read together with our Terms of Service and Cookie Policy, each of which is incorporated by reference to the extent relevant.

Data Protection Officer: Enquiries of a privacy-related nature, and requests concerning the exercise of data-subject rights, may be addressed to our Data Protection Officer at dpo@bitvaultapp.net.

1. Scope & Application

This Policy applies to personal data processed by or on behalf of BitVault in connection with the Services, irrespective of the medium or channel through which such data is collected, and applies to prospective, current, and former users, as well as, where relevant, to their authorised representatives, beneficial owners, and other connected persons. This Policy does not apply to processing carried out by third parties acting as independent controllers, including third-party websites or services that may be linked from the Services, for which BitVault accepts no responsibility.

2. Categories of Personal Data

The categories of personal data that we may collect and otherwise process, whether obtained directly from you, generated in the course of your use of the Services, or received from third-party sources where lawful, include, without limitation:

The provision of certain categories of data is a contractual or statutory requirement; a failure to provide such data may result in our being unable to establish or continue the relationship or to make available some or all of the Services.

3. Purposes & Legal Bases of Processing

Personal data is processed only where a lawful basis exists, and, in each case, to the extent necessary for the relevant purpose, including:

4. Security of Processing

BitVault implements and maintains such technical and organisational measures as it considers appropriate having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks presented thereby. Such measures include, by way of illustration and not limitation, encryption of sensitive data at rest using AES-256-GCM, protection of data in transit by means of TLS 1.3, the restriction of access on a least-privilege basis, and ongoing monitoring. No system can, however, be warranted to be absolutely secure, and further particulars regarding relevant risks are set out in our Risk Disclosure Statement.

5. Disclosure of Personal Data

Personal data may be disclosed, on a need-to-know basis and subject to appropriate safeguards, to: (a) processors and service providers engaged to act on our documented instructions, including providers of hosting, verification, communications, and analytics services, in each case pursuant to data-processing arrangements satisfying the requirements of Article 28 GDPR; (b) exchanges, financial institutions, professional advisers, and other intermediaries, where necessary in connection with the Services, recovery-related matters, or the establishment, exercise, or defence of legal claims; (c) courts, law-enforcement agencies, regulators, and other competent authorities, where disclosure is required or permitted by applicable law; and (d) actual or prospective acquirers, successors, or assignees in connection with any corporate transaction, subject to customary confidentiality protections. BitVault does not sell personal data.

6. International Transfers

Where personal data is transferred to a country outside the European Economic Area that has not been recognised by the European Commission as ensuring an adequate level of protection, such transfer is effected subject to appropriate safeguards within the meaning of Chapter V GDPR, including, as applicable, the European Commission’s Standard Contractual Clauses, together with such supplementary measures as may be appropriate. Further information regarding the safeguards applied to any particular transfer may be requested from the contact points set out below.

7. Retention of Personal Data

Personal data is retained for no longer than is necessary for the purposes for which it is processed, having regard to applicable legal, regulatory, accounting, and reporting requirements and to the periods necessary for the establishment, exercise, or defence of legal claims. By way of indication only, records maintained pursuant to anti-money-laundering legislation are generally retained for a period of up to ten (10) years following the termination of the business relationship or the execution of the relevant transaction, or for such other period as may be prescribed from time to time. Upon expiry of the applicable retention period, personal data is deleted or irreversibly anonymised.

8. Rights of Data Subjects

Subject to the conditions and limitations set out in the GDPR and applicable law, you have the right to request access to, rectification of, or erasure of your personal data; the right to restriction of processing; the right to data portability; the right to object to processing based on legitimate interests; and the right to withdraw any consent previously given, without affecting the lawfulness of processing carried out prior to such withdrawal. Requests may be submitted to privacy@bitvaultapp.net and will be addressed within the timeframes prescribed by law; we may require verification of your identity before giving effect to any request. You further have the right to lodge a complaint with a supervisory authority, in particular the Austrian Data Protection Authority (Datenschutzbehörde), without prejudice to any other administrative or judicial remedy.

9. Automated Decision-Making

BitVault does not make decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you, save where such processing is necessary for the entering into or performance of a contract, is authorised by applicable law, or is based on your explicit consent, in which case appropriate safeguards will be applied as required.

10. Cookies & Similar Technologies

Information regarding our use of cookies and similar technologies, and the choices available to you in respect thereof, is set out in our Cookie Policy.

11. Amendments to this Policy

We may amend, restate, supplement, or otherwise modify this Policy from time to time in order to reflect changes in our processing activities, in applicable law, or otherwise. Where an amendment is material, we will provide such notice as is reasonable in the circumstances or as required by law, which may be given through the Services or by email. The version published within the Services from time to time shall be the operative version.

12. Contact

Enquiries concerning this Policy or our processing of personal data may be directed to privacy@bitvaultapp.net, to our Data Protection Officer at dpo@bitvaultapp.net, or by post to BitVault Europe S.A. LTD., Kärntner Ring 12, 1010 Vienna, Austria.