Privacy Policy

This Privacy Policy explains how HTMLVault (“we,” “us,” or “our”) collects, uses, and shares information when you use HTMLVault (the “Service”). It also explains the difference between data we handle as a controller (your account) and data we handle as a processor on your behalf (the content you publish and the visitors who view your links). By using the Service, you agree to this Policy. If you do not agree, do not use the Service.

1. Two roles: controller and processor

As a controller, we determine how we handle information about you — our account holder. This includes your registration details, billing information, and how you use the Service. As a processor, we handle information on your behalf and under your instructions. This includes the HTML content you publish, any personal data contained in it (reports, lead lists, proposals), and analytics about the visitors who view your links. For that data, you are the controller and are responsible for having a lawful basis to collect and process it, and for honoring the privacy rights of those individuals. If you require a Data Processing Agreement, contact us at [email protected].

2. Information we collect

Account information. Your email address and authentication details, organization name, and team members you add. Authentication is handled through our third-party identity provider; we do not store passwords.

Billing information. Paid plans are processed by Stripe. We receive limited billing details (such as plan, status, and the last four digits of a card and billing contact) but we do not store full payment card numbers — Stripe does.

Content you publish. The HTML files, assets, links, and configuration you create, including any tracking codes and PII-scanning settings you enable. This may contain personal data of third parties that you choose to include.

Link analytics.When someone views a link you create, we collect interaction data such as view counts, unique and repeat views, time on page, scroll depth, approximate geographic location (derived from IP, not stored as a precise address), device and browser type, referral and UTM parameters, and bot-detection signals. We collect this so you can measure engagement. You can also inject your own third-party tracking (Google, Meta, etc.), which is governed by those providers’ policies.

Usage and technical data. Log data, IP addresses, request metadata, and error information we use to operate, secure, and improve the Service.

3. How we use information

We use information to: provide, maintain, and improve the Service; create and manage your account and authenticate you; process payments and manage subscriptions; generate the link analytics you rely on; run safeguards such as PII scanning, malware and safe-browsing checks, and abuse prevention; communicate with you about your account, security, changes to the Service, and (where you have not opted out) product news; and comply with legal obligations and enforce our Terms and Acceptable Use Policy. We do not sell your personal data.

4. AI PII scanning and “bring your own key”

If you enable AI-powered PII scanning on a paid plan using your own AI provider key (BYOK), the content being scanned is transmitted to the AI provider you select, under youraccount with that provider, and subject to that provider’s terms and privacy practices. We facilitate the connection; we do not control the provider’s handling of that data. Our default regex-based scanning runs within the Service and does not transmit your content to an external AI provider.

5. How we share information

We share information only as follows: Service providers who help us operate the Service (for example, hosting, database, payment processing, authentication, email delivery, and security/safe-browsing), who process data on our behalf under contract; AI providers you choose for BYOK scanning, as described above; Legal and safety disclosures where required by law, to enforce our terms, or to protect the rights, property, or safety of HTMLVault, our users, or the public — including reporting illegal content such as CSAM to the appropriate authorities; and Business transfers in connection with a merger, acquisition, or sale of assets, subject to this Policy. See our Subprocessors page for the current list of providers.

6. Data retention

We retain account and content data for as long as your account is active, then in accordance with the retention and inactivity windows applicable to your plan. Free accounts are subject to shorter expiry and inactivity-based retention; paid plans may configure longer retention windows. When data is deleted or an account is closed, we remove or de-identify it within a reasonable period, except where we must retain it to comply with legal obligations, resolve disputes, or enforce our agreements.

7. Security

We use technical and organizational measures to protect information, including encryption in transit, encryption of stored credentials and BYOK keys, access controls, and secret scanning in our development process. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise rights regarding the account data we control, contact us at [email protected]. If your request concerns personal data contained in a link or report created by one of our customers, we act as a processor — please contact that customer (the controller) directly. We will assist them as required. We honor applicable privacy laws including the GDPR and CCPA/CPRA. California residents have the right not to receive discriminatory treatment for exercising their privacy rights, and we do not sell or “share” personal information as those terms are defined under California law.

9. International transfers

We are based in the United States and process data there. If you access the Service from outside the U.S., you understand your information will be transferred to and processed in the U.S. Where required, we rely on appropriate safeguards for international transfers.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.

11. Cookies

We use essential cookies to operate the Service and authenticate you, and limited analytics on our own marketing site. We minimize non-essential cookies. See our Cookie Policy for details. Tracking you inject into your own links is your responsibility and subject to your own cookie and consent obligations.

12. Changes to this Policy

We may update this Policy from time to time. Material changes take effect when posted, and we will update the “Last updated” date above. Continued use of the Service after changes take effect constitutes acceptance.

13. Contact

HTMLVault, 704 13th St East, Suite 600, Whitefish, MT 59937. [email protected]