At SBVault, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure file storage and sharing service.
In Short: We only collect the minimum information necessary to provide you with secure file storage. We never sell your data, and we use industry-leading security measures to protect your files.
Information We Collect
Information You Provide to Us
Account Information: When you create an account, we collect your email address, username, and password (encrypted).
Files and Content: We store the files you upload, along with metadata such as file names, sizes, and upload dates.
Payment Information: If you subscribe to SBVault Pro, payment details are processed securely through Stripe. We do not store your full credit card information.
Communications: If you contact our support team, we may keep records of your correspondence.
Information Collected Automatically
Log Data: We collect information about your interactions with our service, including IP addresses, browser type, access times, and pages viewed.
Device Information: We collect information about the device you use to access vault, including device type, operating system, and unique device identifiers.
Cookies & Analytics: We use essential cookies to maintain your session and authentication. With your consent, we also use analytics cookies to understand how our site is used, measure traffic patterns, and improve our advertising. You can choose "Essential Only" on the cookie banner to opt out of analytics. See our Cookie Policy section below for full details.
How We Use Your Information
We use the information we collect for the purposes listed below. For users in the EU/UK, each purpose has a GDPR Article 6 legal basis, shown in brackets:
Provide, maintain, and improve our file storage and sharing service [performance of contract — Art 6(1)(b)]
Process your transactions and manage your subscription [performance of contract — Art 6(1)(b)]
Send you technical notices, security alerts, and support messages [legitimate interest — Art 6(1)(f); also required for contract performance]
Respond to your comments, questions, and customer service requests [performance of contract — Art 6(1)(b)]
Detect, prevent, and address technical issues and security threats [legitimate interest — Art 6(1)(f)]
Monitor and analyze usage patterns to improve user experience [consent for analytics cookies, otherwise legitimate interest — Art 6(1)(a) / 6(1)(f)]
Comply with legal obligations and enforce our Terms of Service [legal obligation — Art 6(1)(c); legitimate interest — Art 6(1)(f)]
Send marketing messages where you have explicitly opted in [consent — Art 6(1)(a); can withdraw at any time]
Security of Your Files
We implement multiple layers of security to protect your data:
Virus Scanning: Every file uploaded is automatically scanned for malware before storage. We use a layered antivirus approach combining a local engine with a trusted multi-engine hash-lookup database (see note below).
Encryption: All files are encrypted at rest with industry-standard 256-bit encryption. Data in transit is encrypted via TLS.
Access Controls: Only you can access your files unless you explicitly create a share link. We implement strict authentication and authorization controls.
Password Protection: Passwords are hashed using an industry-standard, slow password-hashing algorithm with industry-standard security parameters.
Infrastructure Security: Our servers and databases are protected by firewalls, intrusion detection systems, and regular security updates.
Hash-only scanning note: When you upload a file, SBVault generates a cryptographic hash (a unique digital fingerprint) of that file and submits only the hash to our antivirus partner for malware verification. The actual contents of your file are never transmitted to that partner or any external party for this check. This process protects your privacy while ensuring your vault remains free from malware.
Private Vault (Pro+) — zero-knowledge data handling. Files you place inside a Private Vault folder are encrypted in your browser before they reach our servers. We store only opaque ciphertext for those files and do not have the ability to decrypt them, scan them for malware, generate thumbnails, or share them via link. Julie AI also cannot read vault files. The recovery phrase you set at vault creation is the only fallback if you forget your passphrase; if you lose both, the files in that vault are permanently unrecoverable. See our Security page for the cryptographic details.
Julie AI & How Your Data Is (and Is Not) Used for AI
SBVault includes an in-app AI assistant called Julie, powered by industry-leading AI models from our trusted AI partner via their secure API. We want to be specific about what Julie can and cannot do with your data:
We never use your files to train any AI model. Not ours, not our AI partner's, not anyone's.
Our AI partner does not train on API inputs. Per our AI partner's API terms, data submitted to their API — including any file contents Julie sees on your behalf — is not used to train or improve their models. Their published policy is part of our subprocessor record, available on request.
What Julie sees: the conversation messages you send her, the names and metadata of your files (for navigation tools), and — only when you explicitly ask Julie to read or summarize a file in a non-vault folder — the contents of that specific file for that specific request.
What Julie does NOT see: the contents of any file in a Private Vault folder (those are encrypted client-side and the server cannot read them either), any file you have not asked her to read, and any password / passphrase / recovery phrase.
Where the data goes: the user message + any file content you ask Julie to read is sent over an encrypted connection to our AI partner's API, processed by their inference servers, and the response is returned. We retain a short transcript of the conversation in your account so you can revisit it; you can delete that history at any time from your settings.
If your use case requires that no file content ever be sent to our AI partner — for example, attorney-client privileged material — store those files in a Private Vault folder. Julie cannot read vault files even if you ask her to.
How We Share Your Information
We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances.
With Your Consent: When you create a share link, the files you share become accessible to anyone with the link (and password, if you set one).
Service Providers (subprocessors): The categories of third-party processors listed below handle limited categories of personal data on our behalf to deliver the service. Each is contractually bound to use that data only for the purposes we direct.
Category
Purpose
Data shared
Cloud infrastructure provider
Hosting + object storage (US-based)
Encrypted file bodies + service logs
Payment processor
Payment processing + subscription billing
Name, email, payment card data (tokenized — we never see PAN)
AI model provider
Julie AI assistant (chat + file Q&A on non-vault files)
Message text + file content you explicitly share with Julie (see AI note above). Our AI partner's API terms commit that API inputs are NOT used to train models.
Antivirus / malware-scan provider
Malware hash-lookup database
File hashes only — file contents never transmitted
Bot-protection provider
Bot / abuse protection on signup & contact forms
IP address, browser fingerprint
Inbound mail-forwarding provider
Inbound mail forwarding for sbvault.app addresses
Email message content addressed to support@/compliance@/etc.
Specific provider list available on request. The named subprocessor providers, locations, and contractual scope behind these categories are maintained in our internal subprocessor record (consistent with GDPR Art. 30). For the current named list, contact compliance@sbvault.app — business customers can request a signed Data Processing Addendum (DPA) that incorporates the EU Standard Contractual Clauses (Commission Decision 2021/914) for international transfers and includes the named subprocessor list as an appendix. Material changes are announced in this policy.
Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).
Business Transfers: If SBVault is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
Protection of Rights: We may disclose information when we believe it is necessary to protect our rights, your safety, or the safety of others.
Data Retention
We retain personal data only for as long as needed for the purpose for which it was collected. Specific windows:
Account data (name, email, plan, settings) — Retained while your account is active; removed within 30 days after you close the account
Files and folder structure — Retained while your account is active or until you delete the items
Trashed files — Held in the recoverable Trash for 30 days, then permanently purged
Application log data (request logs, security events) — Retained up to 90 days for incident investigation
Backup snapshots — Multi-week rolling retention; deleted account data is purged from backups within 90 days
Support correspondence (tickets, email exchanges) — Retained for 24 months after the ticket is closed
Payment records and invoices — Retained for 7 years to satisfy U.S. tax record-keeping requirements (IRS Pub. 583)
Email verification codes — 30-minute expiry; auto-purged after first use or expiry
Magic-link / SSO bridge tokens — 5-minute expiry; single-use, auto-revoked after use
Recovery phrase and Private Vault keys — Never stored on our servers in plaintext. The 24-word recovery phrase exists only on the user's device + wherever the user wrote it down
Breach notification commitment. If we confirm a personal-data breach that affects your account, we will notify you without undue delay and no later than 72 hours after confirmation, in line with GDPR Article 33 and U.S. state breach-notification laws. The notice will describe what we know, what we don't yet know, and what we are doing about it.
Your Rights and Choices
You have the following rights regarding your personal information:
Access: You can access and download your files at any time through your account dashboard.
Correction: You can update your account information in your account settings.
Deletion: You can delete individual files or your entire account at any time. Account deletion is permanent and cannot be undone.
Export: You can download all your files at any time.
Opt-Out: You can opt out of non-essential communications in your account settings.
GDPR and International Privacy Rights
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):
Right to access, correct, or delete your personal data
Right to restrict or object to processing of your data
Right to data portability - you may download all your files at any time
Right to withdraw consent at any time without affecting the lawfulness of prior processing
Data Protection Officer: As a small business operating below the threshold requiring a formal Data Protection Officer under Article 37 of the GDPR, SBVault is not required to appoint a DPO. Privacy matters are handled directly by the business owner and operator, SBVault, a product of SkillBreed LLC (Florida Document No. L19000003521). All privacy inquiries, including GDPR and CCPA requests, may be directed to: support@sbvault.app. We aim to respond within 48 hours.
Infrastructure: Your files and data are stored on servers hosted by an enterprise-grade US-based cloud infrastructure provider. That provider is contractually obligated to protect your data and processes it only as directed by SBVault (SkillBreed LLC). The named provider is part of our subprocessor record — available on request via compliance@sbvault.app.
Children's Privacy
SBVault is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately and we will delete it.
International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your country. By using SBVault, you consent to the transfer of your information to our facilities and service providers globally.
Third-Party Links
Our service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make changes, we will:
Update the "Last Updated" date at the top of this policy
Post the revised policy on this page
Send a notification email to your registered email address at least 14 days before material changes take effect
Material changes include modifications to how we collect, use, or share your personal information, changes to your rights, or changes to how we store or protect your files.
Your continued use of SBVault after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you may close your account and download your files before the effective date.
Cookie Policy
We use two categories of cookies and similar local-storage technologies:
Essential cookies — Always active. Required for login sessions, security, and core site functionality. These cannot be disabled without breaking the service.
Analytics cookies — Only active after you click Accept All on our cookie banner. Used to record page views, traffic sources (e.g. UTM campaign parameters), and anonymized visitor information so we can understand how our site is used and improve our advertising. You can opt out at any time by clearing your browser's local storage for sbvault.app.
When analytics cookies are active, we log: the pages you visit, your browser type, referring website, and (with full consent) your IP address. This data is stored securely on our servers and is never sold to third parties. It may be used to build audience segments for advertising on platforms such as Google Ads or Meta Ads.
Your choices: The first time you visit SBVault you will see a cookie banner. Choosing Essential Only keeps analytics off. Choosing Accept All enables analytics logging. Your choice is remembered for 365 days. To change it, clear the sbvault_cookie_consent key from your browser's localStorage.
Global Privacy Control (GPC) & Opt-Out Signals
SBVault recognizes the Global Privacy Control (GPC) browser signal as a valid universal opt-out under California's CCPA/CPRA, Colorado's CPA, and Connecticut's CTDPA. If your browser sends the GPC signal, we treat it as a binding opt-out of "sharing" for cross-context behavioral advertising (we don't engage in sharing for that purpose, but the signal is honored regardless).
Our analytics are also consent-based — we only record data when you have clicked Accept All. If you choose Essential Only, we do not track your activity across pages or sessions. We do not share data with third-party ad networks without your consent.
California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the rights below. These rights are also extended to all SBVault users regardless of state, except where the underlying right is California-specific (e.g. the "Limit Sensitive PI" right).
Your rights
Right to know — Request the categories of personal information we collect, the sources, the business or commercial purposes for collection, the categories of third parties with whom we share, and the specific pieces of personal information we hold about you
Right to delete — Request deletion of the personal information we collect from you, subject to legal exceptions (tax records, fraud prevention, etc.)
Right to correct — Request correction of inaccurate personal information
Right to data portability — Receive a copy of your data in a portable, machine-readable format
Right to opt-out of sale or sharing — See "Do Not Sell or Share" below
Right to limit use of sensitive personal information — See "Sensitive PI" below
Right to non-discrimination — We will not deny service, charge different prices, or provide lower service quality for exercising any of these rights
Do Not Sell or Share My Personal Information
SBVault does not sell personal information. SBVault does not "share" personal information for cross-context behavioral advertising as those terms are defined under Cal. Civ. Code § 1798.140(ah) and (ad). We honor the Global Privacy Control (GPC) browser signal as a valid opt-out regardless of this position.
Sensitive Personal Information
SBVault does not process Sensitive Personal Information as defined under Cal. Civ. Code § 1798.140(ae) — we do not collect Social Security Numbers, driver's license numbers, precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, biometric identifiers, health information, or sex-life/sexual-orientation data in the ordinary course of providing the service. If a user voluntarily uploads such data into their own SBVault storage as file content, that content is treated like any other file the user has chosen to store with us; it is not used for any purpose beyond storage and retrieval at the user's direction.
Categories of personal information collected (CCPA § 1798.130(a)(5)(C))
Category (Cal. Civ. Code § 1798.140(v))
Collected?
Examples
A. Identifiers
✅ Yes
Name, email, account username, IP address, unique account ID
B. Customer records (Cal. Civ. Code § 1798.80)
✅ Partial
Billing address; payment card data is tokenized by Stripe — we never receive the PAN
C. Protected classification characteristics
❌ No
We do not collect race, age, national origin, religion, sex, etc.
D. Commercial information
✅ Yes
Subscription tier, purchase history, plan changes
E. Biometric information
❌ No
We do not collect biometric identifiers
F. Internet / electronic network activity
✅ Yes
Login times, page views (analytics, with consent), API call logs
G. Geolocation data
⚠️ IP-derived only
Approximate location from IP (city level); we do not use GPS or precise geolocation
H. Sensory data (audio, visual)
❌ No
User-uploaded files may contain images/audio, but we do not analyze them as sensory data
I. Professional or employment-related
❌ No
Not collected
J. Education information (FERPA-covered)
❌ No
Not collected
K. Inferences drawn from other categories
❌ No
We do not build behavioral profiles for advertising or scoring
How to exercise your rights
Submit a verifiable consumer request to compliance@sbvault.app. We will verify your identity (typically by confirming a code sent to your account email) and respond within 45 days as required by Cal. Civ. Code § 1798.130(a)(2). Authorized agents may submit requests on your behalf with written permission.
Other U.S. State Privacy Rights
The following U.S. state privacy laws extend rights similar to those in the California section above. If you reside in any of these states, you may exercise the listed rights by contacting compliance@sbvault.app:
Virginia (Virginia Consumer Data Protection Act — VCDPA): right to access, correct, delete, port, and opt-out of targeted advertising / sale / profiling
Colorado (Colorado Privacy Act — CPA): same as above, plus universal opt-out via GPC (which we honor as described above)
Connecticut (Connecticut Data Privacy Act — CTDPA): same as Colorado
Utah (Utah Consumer Privacy Act — UCPA): right to access, delete, port, and opt-out of targeted advertising / sale
Texas (Texas Data Privacy and Security Act — TDPSA): right to access, correct, delete, port, and opt-out of targeted advertising / sale / profiling
Other states with comprehensive privacy laws now in effect (Oregon, Montana, Tennessee, Indiana, Iowa, Florida, Delaware, etc.) — we extend equivalent rights to residents of those states under the same process
For appeals of any denied request, contact compliance@sbvault.app with the subject line "Privacy Appeal."
Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Email:support@sbvault.app Company: SBVault · A SkillBreed LLC Company · Oakland Park, Florida, USA Response Time: We aim to respond to all privacy inquiries within 48 hours.