1. Introduction
VaultBytes ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains what data we collect, why we collect it, and how we protect it when you use our website or the CipherExplain API.
2. Information We Collect
2.1 Information You Provide
- Contact information (email address) when you sign up or contact us
- Billing information processed by Stripe — we never store full card numbers
- Communications you send to us
2.2 CipherExplain API Data
When you use the CipherExplain API we collect and store the following:
- API key hash — your raw API key is never stored. We store only a SHA-256 hash, which cannot be reversed to recover your key.
- Model weights — the coefficient and intercept arrays you submit via POST /models/register. No training data or raw personal data is transmitted or stored.
- Usage metadata — for each API call: timestamp, endpoint, model ID, feature count, and tier. This is used for quota tracking and billing. Input feature vectors submitted to /explain and /explain_raw are processed in memory only and are not logged or persisted.
- Audit report inputs — the benchmark JSON you submit to POST /report is used only to generate your PDF and is not stored after the response is returned.
2.3 Automatically Collected Information
- Server access logs (IP address, HTTP method, path, response code, latency) retained for up to 30 days for security and abuse prevention
- No browser analytics, tracking pixels, or third-party analytics scripts are used on this website
3. How We Use Your Information
- To provision and operate your API access and enforce tier quotas
- To process payments via Stripe
- To send transactional emails (key issuance, billing receipts, quota warnings)
- To detect and prevent abuse or fraudulent activity
- To respond to your support requests
We do not use your model weights or explain call data for any purpose other than serving your requests.
4. Information Sharing
We do not sell or share your personal information with third parties for marketing. We share data only in the following cases:
- Stripe — to process payments. Stripe's privacy policy governs their handling of your billing data.
- Infrastructure providers — our API runs on Hetzner Cloud (EU data centres). Data does not leave the EU.
- Legal obligations — if required by law or to protect our rights and the safety of others.
5. Data Security
- API keys stored as SHA-256 hashes — the raw key is shown once at issuance and not retrievable afterwards
- All API traffic encrypted in transit via TLS 1.2+
- Model weights stored in an encrypted SQLite database on EU infrastructure
- No training data or raw personal data is ever transmitted to our servers
6. Data Retention
- Model weights — retained while your API key is active. Deleted within 30 days of subscription cancellation or key deactivation.
- Usage logs — retained for 13 months for billing disputes, then deleted.
- Server access logs — retained for 30 days.
- Billing records — retained for 7 years as required by UK tax law.
7. Your Rights
Under the UK GDPR and Data Protection Act 2018, you have the right to:
- Access a copy of the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data (subject to legal retention obligations)
- Object to or restrict processing
- Data portability (receive your data in a machine-readable format)
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
To exercise any of these rights, contact us at b@vaultbytes.com. We will respond within 30 days.
8. Children's Privacy
Our services are not intended for individuals under 18. We do not knowingly collect personal information from children.
9. Changes to This Policy
We will notify you of material changes by email (for registered API users) and by updating the date above at least 14 days before changes take effect.
10. Contact Us
Data controller: VaultBytes. For privacy enquiries:
b@vaultbytes.com