Legal Document

Privacy Policy

Last updated: 17 April 2026

Neuverk UG (haftungsbeschränkt)

This Privacy Policy explains how Neuverk (“we”, “us”, “our”) collects, uses, and protects personal data when you use VaultDoc at vaultdoc.neuverk.com. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable European data protection law.

1. Data Controller

The data controller responsible for your personal data is:

Neuverk

Munich, Germany

Email: privacy@neuverk.com

Note: Neuverk is currently in the process of formal registration. Registered office details will be updated upon completion of incorporation.

2. Data We Collect

We collect the following categories of personal data:

Account data

When you register or sign in via Clerk, we collect your name, email address, and authentication identifiers (such as Google or Microsoft account identifiers). This data is necessary to provide you with access to VaultDoc.

Document content

When you generate documents, we collect the inputs you provide — including document title, type, department, compliance frameworks, and answers to guided questions. This content is used to generate your compliance documentation and is stored in your personal document library.

Billing data

If you subscribe to a paid plan, Stripe processes your payment information on our behalf. We store only your Stripe customer ID, subscription status, and plan level. We do not store full card numbers or payment credentials.

Usage data

We collect basic usage information such as pages visited, features used, and timestamps of key actions (document creation, exports, logins). This is used to improve the platform and monitor for security incidents.

Technical data

We collect IP addresses, browser type, and device information as part of standard web server logging and security monitoring via Vercel.

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

  • Contract (Art. 6.1.b): To provide the VaultDoc service you have subscribed to, including document generation, storage, and export.
  • Legitimate interest (Art. 6.1.f): To improve the platform, monitor security, prevent fraud, and maintain service reliability.
  • Legal obligation (Art. 6.1.c): To comply with applicable tax, financial, and regulatory requirements.
  • Consent (Art. 6.1.a): For optional cookies and analytics where consent is obtained via our cookie banner.

4. AI Processing — Anthropic

Important notice regarding AI processing

VaultDoc uses AI to generate document drafts. The information you enter — including document titles, department names, compliance framework selections, scope descriptions, and answers to guided questions — may be transmitted to our AI provider (Anthropic) to produce the output. Do not enter passwords, secrets, special-category personal data (as defined under GDPR Article 9), or highly confidential information when using document generation features. Review all AI-generated content carefully before operational or audit use.

Anthropic is a third-party AI provider based in the United States. The transfer of data to Anthropic is governed by Standard Contractual Clauses (SCCs) incorporated into Anthropic's commercial API Terms of Service, which constitute the transfer mechanism under GDPR Chapter V.

We do not transmit your name, email address, payment information, or account credentials to Anthropic. Only the document content inputs described above are transmitted, solely for the purpose of generating the requested document output. Anthropic does not use API inputs to train its models. Inputs transmitted via the API are subject to Anthropic's data retention policy, which provides for a short-term retention window (up to 30 days) for trust and safety review, after which inputs are deleted. Your data is not shared with any other third party beyond what is necessary to provide the VaultDoc service.

VaultDoc's AI processing does not involve automated decision-making that produces legal effects or similarly significantly affects you (GDPR Art. 22). The AI generates draft documents for your review; all operational decisions remain with you.

5. Sub-processors

We use the following sub-processors to deliver the VaultDoc service. Each has been assessed for GDPR compliance and appropriate data transfer mechanisms where required:

| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI document generation | United States |
| Clerk | Authentication and user management | United States |
| Stripe | Payment processing | United States / EU |
| Neon | Database hosting | Germany (Frankfurt) |
| Vercel | Application hosting and delivery | United States / EU |
| Resend | Transactional email delivery | United States |
| Sentry | Error monitoring and diagnostics | Germany (EU) |
| Upstash | Rate limiting (processes IP addresses and user identifiers transiently) | United States / EU |

For sub-processors located outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or other appropriate transfer mechanisms under GDPR Chapter V.

6. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
  • Document content: Retained until you delete the document or your account. You can delete individual documents from your library at any time.
  • Billing records: Retained for 10 years to comply with German commercial law (HGB § 257).
  • Usage and audit logs: Retained for 12 months for security and operational purposes.
  • Stripe customer data: Retained per Stripe's retention policy; billing identifiers retained for the duration required by law.
  • Database backups: Automated backups are retained for up to 7 days on a rolling basis, after which they are permanently deleted. Data deleted from the primary database will be absent from backups within this window.
  • AI processing inputs (Anthropic): Inputs transmitted to Anthropic's API are subject to Anthropic's retention policy (up to 30 days for trust and safety review). They are not retained by VaultDoc beyond the lifetime of your stored documents.

7. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@neuverk.com. We will respond without undue delay and within one month of receiving your request, as required by GDPR Art. 12.3.

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data. You can delete your account directly from your billing settings.
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to portability (Art. 20): Request your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7.3): Withdraw consent for optional processing at any time.

You also have the right to lodge a complaint with your local data protection authority. In Germany, the supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

8. Cookies

VaultDoc uses cookies for authentication (Clerk) and payment processing (Stripe). These are technically necessary cookies required for the service to function. We do not use advertising or tracking cookies. You will be asked for consent via our cookie banner when you first visit the platform.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • All data in transit encrypted via HTTPS/TLS
  • Database encrypted at rest (Neon Postgres)
  • Authentication managed by Clerk with industry-standard security
  • Access controls — each user can only access their own documents
  • API rate limiting to prevent abuse
  • Regular review of sub-processor security posture

No system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with GDPR Articles 33 and 34.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the platform. The date of the most recent revision appears at the top of this page. Continued use of VaultDoc after changes are posted constitutes acceptance of the updated policy.

11. Contact

For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact:

Neuverk — Data Privacy

Munich, Germany

Email: privacy@neuverk.com

We aim to respond to all privacy requests within 30 days.