Lucid Vault

Privacy Policy

Last updated: March 30, 2026

This Privacy Policy describes how Lucid Vault ("we," "us," or "our") collects, uses, and protects information when you use our secure document sharing platform and related services (the "Service"). By using Lucid Vault, you agree to the practices described in this policy.

1. Information We Collect

Account Information

When you register for Lucid Vault, we collect:

  • Name and email address
  • Organization name and billing address
  • Payment information (processed and stored by Stripe; we do not store full card numbers)
  • Authentication credentials (passwords are hashed and salted; we never store plaintext passwords)

Documents and Files

We store the documents and files you upload to the Service. These files are encrypted at rest using AES-256-GCM encryption and are accessible only to authorized users within your organization's tenant.

Usage and Activity Logs

We collect information about how you interact with the Service, including:

  • Login timestamps and IP addresses
  • File upload, download, and sharing activity
  • Administrative actions (user management, settings changes)
  • API usage and request metadata

Cookies and Local Storage

We use cookies and browser localStorage for:

  • Session management and authentication tokens
  • User interface preferences (theme, language, layout settings)
  • Security features (CSRF protection, rate limiting)

We do not use third-party advertising or tracking cookies.

Automatically Collected Information

When you access the Service, we automatically collect:

  • Browser type and version
  • Operating system
  • Referring URL
  • Pages visited and time spent
  • Device identifiers

2. How We Use Your Data

Service Delivery

We use your information to:

  • Provide, operate, and maintain the Service
  • Process document uploads, sharing, and downloads
  • Manage your account and subscription
  • Process payments through our billing partner, Stripe

Security and Compliance

We use activity logs and usage data to:

  • Detect and prevent unauthorized access, fraud, and abuse
  • Maintain audit trails for compliance purposes
  • Monitor system health and performance
  • Enforce our Terms of Service and Acceptable Use Policy

Communications

We may use your email address to send:

  • Transactional notifications (file shared with you, download confirmations, account alerts)
  • Security alerts (new login detected, password changes)
  • Service updates and maintenance notices
  • Billing receipts and subscription reminders

We will not send marketing emails without your explicit consent, and you may opt out of non-essential communications at any time.

3. Data Storage and Security

Encryption

All documents are encrypted at rest using AES-256-GCM with unique per-file encryption keys. Data in transit is protected by TLS 1.3. Encryption keys are stored separately from encrypted data and are never exposed through the application interface.

Single-Tenant Isolation

Each customer receives a dedicated, isolated instance of the Service. Your data is never co-mingled with other customers' data. This architecture provides inherent data isolation at the infrastructure level.

Infrastructure Security

We employ industry-standard security measures including:

  • Containerized deployments with minimal attack surface
  • Regular security updates and patch management
  • Rate limiting on all API endpoints
  • Intrusion detection and monitoring
  • Regular security assessments

SOC 2 Compliance

Lucid Vault is built with SOC 2 Type II controls in mind. We are actively pursuing formal certification. We can provide documentation of our security controls for your organization's security review upon request.

4. Data Retention

We retain your data as follows:

  • Account data: Retained for the duration of your subscription and for 30 days following cancellation to allow for data export.
  • Documents and files: Retained for the duration of your subscription. Upon cancellation and after the 30-day export window, all files are permanently deleted.
  • Audit and activity logs: Retained for 1 year from the date of the event, then automatically purged.
  • Billing records: Retained as required by applicable tax and financial regulations.

5. Third-Party Services

We use the following third-party services in the operation of Lucid Vault:

  • Stripe: Payment processing and subscription management. Stripe's privacy policy governs their handling of your payment information. See stripe.com/privacy.
  • SMTP Email Providers: Transactional email delivery for notifications and alerts.
  • Cloud Storage Providers: Document storage infrastructure. The specific provider depends on your deployment configuration and may include AWS S3, Azure Blob Storage, Google Cloud Storage, or other providers as configured by your organization.

We do not sell, rent, or share your personal information with third parties for their own marketing purposes.

6. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of all personal data we hold about you. This is available directly through your account settings via the data export feature.
  • Right to Rectification: You can update your personal information at any time through your account settings.
  • Right to Erasure: You can request deletion of your account and all associated data. The deletion feature is built into the application and can be initiated from your account settings.
  • Right to Data Portability: You can export all your data in standard, machine-readable formats directly from the application.
  • Right to Restrict Processing: You can request that we limit how we use your data.
  • Right to Object: You can object to our processing of your personal data in certain circumstances.

To exercise any of these rights, you can use the built-in features in your account settings or contact us at the address below. We will respond to your request within 30 days.

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of personal information we have collected from you.
  • Right to Opt-Out of Sale: We do not sell your personal information. We have not sold personal information in the preceding 12 months.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Correct: You may request correction of inaccurate personal information.

To exercise these rights, contact us using the information provided in the Contact section below.

8. International Data Transfers

If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our infrastructure is located. We apply appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all sub-processors
  • Technical measures including encryption at rest and in transit

Enterprise customers may select specific data residency regions for their deployment to meet jurisdictional requirements.

9. Cookies and localStorage

Lucid Vault uses cookies and browser localStorage as follows:

  • Essential Cookies: Required for authentication, session management, and security features. These cannot be disabled without breaking core functionality.
  • Preference Storage (localStorage): Used to remember your UI preferences such as theme selection, sidebar state, and display settings. This data remains on your device and is not transmitted to our servers.

We do not use analytics cookies, advertising cookies, or any third-party tracking technologies on the application.

10. Data Breach Notification

In the event of a data breach that affects your personal information or documents:

  • We will notify affected customers within 72 hours of becoming aware of the breach, as required by GDPR.
  • Notification will include the nature of the breach, the data affected, the measures taken to address it, and recommendations for protective steps you can take.
  • We will notify relevant supervisory authorities as required by applicable law.
  • We will provide ongoing updates as our investigation progresses.

11. Children's Privacy

Lucid Vault is a business-to-business service and is not designed for or directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.

13. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, please contact:

David Soden
davidsoden.com

For data protection inquiries, you may also reach us by visiting our website and using the contact form.

© 2026 David Soden. All rights reserved.