Vaultix-ID← Back to home
Legal

Privacy Policy

Effective date: June 6, 2026 · Last updated: June 6, 2026

Applies to: Vaultix-ID (vaultix.smritix-ai.com), its SDKs, and APIs

Smritix AI LLP ("Company", "we", "us", or "our") operates Vaultix-ID, a self-hosted authentication platform. This Privacy Policy explains how we collect, use, disclose, and protect information when you visit our website, use our services, or integrate our SDKs.

By accessing or using Vaultix-ID, you agree to the collection and use of information as described in this policy. If you disagree, please do not use our services.

1. Information We Collect

1.1 Account & Operator Data

When you sign up as a dashboard operator, we collect:

  • Name and email address (via Google OAuth or direct registration)
  • Profile picture URL (from your OAuth provider)
  • Company or project name
  • Account creation date and last login timestamp

1.2 End-User Authentication Data

When your application's users authenticate via Vaultix-ID, we process on your behalf:

  • Email address and hashed password (bcrypt, 12 rounds — plaintext is never stored)
  • OAuth provider tokens (access token, refresh token) — stored encrypted
  • TOTP secret (AES-256 encrypted at rest)
  • Session identifiers (RS256 JWT + database session row)
  • User metadata: public metadata (visible to the client) and private metadata (server-only)
  • Organisation memberships and roles

1.3 Usage & Telemetry Data

We automatically collect:

  • IP address and approximate geolocation (country, region)
  • Browser user-agent and device type
  • Authentication event logs (sign-in, sign-up, sign-out, MFA, OAuth) with outcome and timestamp
  • API request logs: route, HTTP status code, latency
  • Error traces and stack traces for debugging

1.4 Cookies & Similar Technologies

We set a vaultix-session cookie (httpOnly, Secure, SameSite=None) to maintain authenticated sessions. See our Cookie Policy for details.


2. How We Use Your Information

We use collected data for the following purposes:

  • Service delivery — authenticating users, managing sessions, issuing JWTs, delivering organisation invitations via email.
  • Security — fraud detection, rate limiting, anomaly detection, brute-force prevention, and audit logging.
  • Communication — sending transactional emails (OTP codes, magic links, org invitations) via Resend.
  • Analytics — aggregated, anonymised usage statistics to improve the product.
  • Legal compliance — retaining records as required by applicable law.

We do not sell your personal data or your end-users' personal data to third parties. We do not use personal data for advertising purposes.


3. Data Sharing & Sub-processors

We share data only with the following sub-processors, each subject to a Data Processing Agreement:

  • Supabase — primary database (PostgreSQL) and object storage. Data is stored in the region you configure. Privacy Policy ↗
  • Vercel — hosting and edge compute. Functions may run in multiple regions. Privacy Policy ↗
  • Resend — transactional email delivery. Only the recipient email address and email content are shared. Privacy Policy ↗

We may also disclose data when required by law, court order, or government authority.


4. Data Retention

  • Active sessions — retained until expiry (default 30 days) or until the user signs out.
  • Auth event logs — retained for 90 days by default. Enterprise plans may configure custom retention.
  • Pending registrations — purged after 24 hours if unverified.
  • Deleted accounts — user data is permanently deleted within 30 days of account deletion.
  • Operator accounts — retained until you request deletion or your subscription expires (90-day grace period).

5. Security

We implement industry-standard security measures:

  • Passwords hashed using bcrypt with 12 rounds
  • Sessions validated using RS256-signed JWTs + server-side database row check
  • TOTP secrets encrypted with AES-256 before storage
  • Webhooks signed with HMAC-SHA256
  • All data in transit encrypted via TLS 1.2+
  • Database encrypted at rest by Supabase
  • API keys and private keys stored only in Vercel encrypted environment variables — never in source code or logs

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to industry best practices.


6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — request that we limit processing of your data.
  • Objection — object to processing based on legitimate interest.

To exercise any of these rights, email legal@smritix-ai.com. We will respond within 30 days.


7. Children's Privacy

Vaultix-ID is intended for developers and businesses. We do not knowingly collect personal data from children under 13 (or 16 in the EU). If you believe a child has provided us with personal data, contact us immediately.


8. International Data Transfers

We are incorporated in India. If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, your data may be transferred to and processed in countries that may not provide the same level of protection. We rely on Standard Contractual Clauses (SCCs) where required. See our GDPR page for details.


9. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, notify you via email or an in-dashboard notice. Your continued use of Vaultix-ID after changes constitutes acceptance of the updated policy.


10. Contact Us

For privacy-related questions or requests: