Privacy Policy

1. Introduction

VaultCore Technologies, Inc. (“VaultCore,” “we,” “us,” or “our”) is committed to protecting the privacy of individuals who interact with our website, platform, and related services. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with our public-facing website at vaultcoretechnology.com; the VaultCore operator platform and administrative tools; provider-readiness and compliance workflow products; and communications, demos, and support interactions.

This Policy applies to VaultCore as a data controller for information we collect directly. Where VaultCore processes data on behalf of Tenant Operators as a data processor, the Operator’s privacy policies and data processing agreements govern that processing. If you are a trader or end-user participating in a prop firm evaluation program operated by a VaultCore Tenant Operator, please review that Operator’s privacy policy for information about how they handle your data.

By using our Services, you acknowledge this Privacy Policy. If you do not agree with this Policy, please do not use the Services.

2. Information We Collect

Information You Provide Directly. We collect information you provide when you: complete contact or inquiry forms; request a demo or sales consultation; create an account or execute a service agreement; communicate with our team via email, chat, or telephone; and participate in surveys, onboarding calls, or provider-readiness review sessions. This may include your name, email address, phone number, company name, job title, billing and payment information, and the content of your communications with us.

Platform and Account Data. For Tenant Operators who access the VaultCore platform, we collect account credentials, configuration data, operator settings, user management records, audit log entries, challenge configuration parameters, risk and payout review records, and usage statistics associated with your account.

Trader and End-User Data Processed on Behalf of Operators. Where Tenant Operators use the VaultCore platform to manage trader evaluation programs, VaultCore may process personal data about traders (such as names, contact information, trading account identifiers, and evaluation results) as a data processor acting on the Operator’s instructions. VaultCore does not use this data for its own purposes beyond providing the Services.

Usage and Technical Data. We automatically collect certain technical data when you access our website or platform, including: IP addresses; browser type and version; device identifiers; operating system; pages viewed and time spent; referring URLs; and clickstream data. We use cookies, web beacons, and similar tracking technologies.

Provider-Readiness and Compliance Materials. We collect and store documentation, assessments, checklists, and supporting materials that Operators submit in connection with provider-readiness review processes.

3. How We Use Your Information

We use the information we collect to:

• Provide and operate the Services, including account management, platform delivery, billing, and technical support;
• Respond to inquiries and communications, including sales consultations, demo requests, and support tickets;
• Conduct provider-readiness assessments and prepare documentation packages for Operators;
• Maintain security and audit records, including access logs, change histories, and integrity monitoring;
• Improve and develop the Services, including analytics, testing, and feature development based on usage patterns;
• Comply with legal and regulatory obligations, including record retention, fraud prevention, and law enforcement requests;
• Communicate updates, product announcements, and legal notices to customers and registered users;
• Enforce these Terms and our other policies, including investigating and responding to reported violations.

We do not sell your personal information to third parties for their marketing purposes.

4. Legal Basis for Processing (International Users)

For individuals located in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a legal basis for processing personal data, VaultCore processes personal data on the following grounds:

• Contract Performance: Processing necessary to provide the Services under our agreement with you or your organization;
• Legitimate Interests: Processing for our legitimate business interests, such as improving the Services, maintaining security, and communicating with prospective customers, where those interests are not overridden by your rights;
• Legal Obligation: Processing necessary to comply with applicable law or regulatory requirements;
• Consent: Processing based on your consent, such as for marketing communications, which you may withdraw at any time.

If you are located in the EEA or UK and wish to exercise your rights under the General Data Protection Regulation (GDPR) or UK GDPR, please contact us at [email protected].

[ATTORNEY REVIEW NOTE: Confirm whether VaultCore has customers or data subjects in the EEA or UK that would trigger GDPR obligations. If so, consider appointment of a GDPR representative and execution of Standard Contractual Clauses for any international data transfers.]

5. Information Sharing and Disclosure

VaultCore does not sell, rent, or trade your personal information. We may share information in the following circumstances:

• Service Providers. We share information with third-party vendors who provide services on our behalf, including cloud hosting, payment processing, email delivery, analytics, security monitoring, and customer relationship management. These vendors are contractually bound to use information only for the purposes we specify.
• Tenant Operator Context. Where VaultCore processes data on behalf of a Tenant Operator, we may share that data with the Operator or with sub-processors authorized by the Operator’s data processing agreement.
• Legal Requirements. We may disclose information when required by applicable law, court order, subpoena, or government investigation, or when we believe disclosure is necessary to protect our rights, prevent fraud, or respond to an emergency affecting safety.
• Business Transfers. If VaultCore is involved in a merger, acquisition, asset sale, or financing transaction, personal information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a materially different privacy policy.
• Consent. We may share information with third parties when you have given your explicit consent.

[ATTORNEY REVIEW NOTE: Review CCPA and Minnesota privacy law requirements for disclosure of data sharing arrangements with third parties.]

6. Third-Party Processors

VaultCore uses third-party service providers to support the operation of our platform. These processors may include, without limitation: cloud infrastructure and hosting providers; payment and billing processors; email and communication platforms; security and monitoring services; analytics and product usage tracking services; customer support tooling; and KYC/AML or identity verification services selected in connection with Operator onboarding workflows.

We require all processors to implement appropriate technical and organizational security measures and to process personal data only in accordance with our instructions and applicable data protection law. A current list of key sub-processors is available upon request at [email protected].

[ATTORNEY REVIEW NOTE: Maintain and publish or make available a sub-processor list if servicing customers subject to GDPR, CCPA, or contractual data processing addenda requirements.]

7. Data Retention and Deletion

VaultCore retains personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, to maintain and improve the Services, to comply with legal obligations, to resolve disputes, and to enforce our agreements.

Retention periods vary by data type:

• Account and contract records are retained for the duration of the customer relationship and for a period thereafter as required by applicable law or audit obligations (typically three to seven years);
• Audit and security logs are retained in accordance with our security and compliance policies, typically one to two years;
• Marketing and contact records are retained until you opt out or request deletion, subject to any legitimate interest basis for retention;
• Trader data processed on behalf of Operators is retained in accordance with the applicable data processing agreement and Operator instructions.

Upon termination of a service agreement, VaultCore will delete or return Operator data as specified in the applicable agreement, subject to applicable legal obligations. You may request deletion of your personal data by contacting [email protected]. We will respond within the timeframes required by applicable law.

8. Security

VaultCore implements technical, organizational, and administrative safeguards designed to protect personal data against unauthorized access, use, disclosure, alteration, and destruction. These measures include, but are not limited to: encryption of data in transit and at rest; access controls and authentication requirements; audit logging; network segmentation and monitoring; vendor security assessment; and employee security awareness and training.

No security program is perfect or impenetrable. In the event of a security incident affecting personal data, VaultCore will respond in accordance with its incident response procedures and applicable legal notification requirements, including those described in Section 10 below.

If you discover a potential security vulnerability in VaultCore systems, please report it in accordance with our Security Responsible Disclosure Policy.

9. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights with respect to your personal data:

• Access: Request a copy of personal data we hold about you;
• Correction: Request correction of inaccurate or incomplete personal data;
• Deletion: Request deletion of your personal data, subject to legal retention requirements;
• Restriction: Request that we restrict processing of your personal data in certain circumstances;
• Portability: Receive your personal data in a structured, machine-readable format;
• Opt-Out of Marketing: Unsubscribe from marketing communications at any time by following the unsubscribe link in any email or by contacting us directly;
• Withdrawal of Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond to all requests within the timeframes required by applicable law. We may need to verify your identity before fulfilling a request. Where VaultCore processes data on behalf of a Tenant Operator, you should direct data subject requests to that Operator.

10. Minnesota Residents — Data Breach Notification

VaultCore Technologies, Inc. is a Minnesota-based company and complies with the Minnesota Data Breach Notification Act, Minnesota Statutes Section 325E.61. In the event of a security breach involving personal information of Minnesota residents, VaultCore will:

• Conduct a prompt and reasonable investigation to determine the nature and scope of the breach;
• Notify affected Minnesota residents in the most expedient time possible and without unreasonable delay following discovery of the breach, consistent with the legitimate needs of law enforcement;
• Notify the Minnesota Attorney General and appropriate consumer reporting agencies where required by law;
• Provide affected individuals with information about the breach, the type of information involved, and steps they may take to protect themselves.

For purposes of this Section, “personal information” means an individual’s first name or first initial and last name, combined with any one or more of the following: Social Security number; driver’s license number or Minnesota identification card number; account, credit card, or debit card number in combination with a security code, access code, or password; or protected health information as defined by applicable law.

[ATTORNEY REVIEW NOTE: Confirm current Minnesota breach notification requirements and thresholds as of the effective date, and verify whether any HIPAA or federal breach notification obligations apply to any data processed by VaultCore.]

11. Children’s Privacy

The Services are not directed to individuals under the age of eighteen (18). VaultCore does not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 18, please contact us at [email protected].

12. Changes to This Policy

VaultCore reserves the right to update or modify this Privacy Policy at any time. When we make material changes, we will update the Effective Date at the top of this page and provide notice through the Services or by email to registered account holders. We encourage you to review this Policy periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

For security-related reports, please refer to our Security Responsible Disclosure Policy.