Privacy Policy

Effective Date: March 7, 2026  ·  Last Updated: March 7, 2026

BBTechAdvisors LLC ("BBTechAdvisors," "we," "our," or "us") operates the Vault platform, accessible at vault.bbtechadvisors.com and via our mobile applications (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service. Please read this policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

If you do not agree with the terms of this Privacy Policy, please do not access the Service.

1. Information We Collect

1.1 Information You Provide Directly

We collect information you provide when you register for an account, use the Service, or contact us for support, including:

• Account Information: Your name, email address, and password (stored in hashed, non-reversible form).
• Organizational Data: Information about companies, organizations, locations, contacts, devices, and documents that you or your organization enter into the Service.
• Credential Data: Usernames and passwords stored within the Service's password management features. All credential values are encrypted at rest using AES-256-CBC encryption and are never stored in plaintext.
• Communications: Messages, support requests, or other communications you send to us.

1.2 Information Collected Automatically

When you use the Service, we may automatically collect certain technical information, including:

• Log Data: IP addresses, browser type, pages visited, time and date of access, and other diagnostic data.
• Device Information: Hardware model, operating system, unique device identifiers, and mobile network information.
• Cookies and Similar Technologies: Session cookies used to maintain your authenticated session. We do not use third-party tracking or advertising cookies.
• Activity Logs: Records of actions performed within the Service (e.g., records created, updated, or deleted) for audit and accountability purposes within your organization.

1.3 Information from Third Parties

We do not purchase or obtain personal information from third-party data brokers. We may receive information from your employer or organization when your account is provisioned by a company administrator.

2. How We Use Your Information

We use the information we collect to:

• Create, maintain, and secure your account and authenticate your identity.
• Provide, operate, and improve the Service and its features.
• Enable collaboration and data sharing within your authorized company and organization structure.
• Maintain audit logs of data access and modifications for security and accountability.
• Respond to your requests, questions, and support inquiries.
• Send service-related notices, security alerts, and administrative messages.
• Detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities.
• Comply with applicable legal obligations.

We do not use your data to serve you advertisements, sell your information to third parties, or engage in behavioral profiling for marketing purposes.

3. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, our legal basis for collecting and using personal information includes:

• Contract Performance: Processing necessary to provide the Service you have requested.
• Legitimate Interests: Processing necessary for our legitimate business interests (e.g., security, fraud prevention, service improvement), where those interests do not override your rights.
• Legal Obligation: Processing required to comply with applicable laws.
• Consent: Where you have given us explicit consent for specific processing activities.

4. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following limited circumstances:

• Within Your Organization: Information you store in the Service is shared with other authorized members of your company and organizations according to the role-based access controls you or your administrator configure.
• Service Providers: We engage trusted third-party vendors to assist in operating the Service (e.g., hosting providers, infrastructure services). These vendors are contractually obligated to protect your data and may only process it on our behalf.
• Legal Requirements: We may disclose your information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.
• Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

5. Data Security

We implement industry-standard technical, administrative, and physical safeguards to protect your information, including:

• Encryption in Transit: All data transmitted between your browser or mobile application and our servers is encrypted using Transport Layer Security (TLS).
• Encryption at Rest: All stored credential values (passwords) are encrypted using AES-256-CBC encryption. User account passwords are stored exclusively as one-way cryptographic hashes (bcrypt) and are never stored in plaintext or reversible form.
• Access Controls: Role-based access control (admin, member, viewer) restricts access to data based on your assigned permissions within each organization.
• API Security: API access is secured via token-based authentication (Laravel Sanctum). Tokens are unique per user and can be revoked at any time.
• Audit Logging: All data creation, modification, and deletion events are recorded with timestamps and user attribution.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we use commercially reasonable means to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. We retain audit logs for a period consistent with applicable legal requirements and our legitimate business interests in security and accountability. When you close your account or request deletion, we will delete or anonymize your personal information within a commercially reasonable time, unless we are required to retain it by law.

7. Your Rights and Choices

Depending on your location, you may have the following rights with respect to your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete information.
• Deletion: Request that we delete your personal information, subject to legal retention requirements.
• Portability: Request that we provide your information in a structured, machine-readable format.
• Objection / Restriction: Object to or request restriction of certain processing activities.
• Withdrawal of Consent: Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, please contact us at the address in Section 11. We will respond to your request within 30 days. We may require you to verify your identity before fulfilling your request.

8. Cookies

The Service uses session cookies solely to maintain your authenticated login session. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You may configure your browser to refuse all cookies; however, doing so will prevent you from using authenticated features of the Service.

9. Children's Privacy

The Service is intended for use by business professionals and is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will revise the "Last Updated" date at the top of this page. For material changes, we will provide additional notice (such as an in-Service notification or email to your registered address) at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us: