Privacy Policy

Version 2.1 · May 2026

IN BRIEF

We collect your data only for what is necessary to operate Le Vault.
We do not sell your personal data to third parties.
You can access, correct or delete your data at any time.
Analytics cookies are optional and can be disabled in the consent banner.
For any question: [email protected]
We do not use marketing or advertising cookies.

01 Data Controller

LeVault OÜ · Registry number Ä 50311671 · Tartu mnt 67/1-13b, c/o Dalanta OÜ, 10115 Tallinn, Estonia · Legal representative: Jessica Sales Coelho da Silva · GDPR contact: [email protected]

02 Data We Collect

We collect: identity data (name, email), location data (city, country, postal code), transaction data (purchase and sales history), technical data (IP address, browser), profile data (preferences, saved items).

03 How We Use Your Data

Your data is used to: manage your membership, process transactions, send order and shipping notifications, prevent fraud, comply with legal obligations.

04 Data Processing Table — Legal Bases (GDPR Art. 13–14)

LeVault OÜ processes your personal data in accordance with the General Data Protection Regulation (GDPR, EU 2016/679). For each category of data collected, we identify below the purpose of processing, the applicable legal basis, the retention period and any recipients.

Data category	Purpose	Legal basis (GDPR)	Retention	Recipients
Email, name, password	Account creation and management	Contract performance · Art. 6.1.b	Account duration + 3 years	LeVault team · Resend (emails)
Postal address, phone number	Order delivery	Contract performance · Art. 6.1.b	Account duration + 3 years	Sendcloud · carriers
Payment data (tokenised card)	Payment processing	Contract performance · Art. 6.1.b	Per Stripe policy	Stripe Payments Europe
Tax identifiers (TIN, country, date of birth)	DAC7 compliance — EU Directive 2021/514	Legal obligation · Art. 6.1.c	10 years after last transaction	EMTA (Estonian Tax and Customs Board)
Identity documents, business certificates	Anti-fraud verification and KYC compliance	Legal obligation · Art. 6.1.c	5 years after last interaction	LeVault verification team
IP address, connection logs	Security and fraud prevention	Legitimate interest · Art. 6.1.f	12 months	LeVault team · Railway (hosting)
Navigation data (essential cookies)	Site functionality	Legitimate interest · Art. 6.1.f	Session	LeVault
Navigation data (analytics cookies)	Anonymised audience measurement	Consent · Art. 6.1.a	Up to 13 months	LeVault · analytics providers
Messages and negotiations	Transaction management and dispute resolution	Contract performance · Art. 6.1.b	Account duration + 5 years	LeVault team · CM2C (disputes)
Item photos submitted	Curation and marketplace listing	Contract performance · Art. 6.1.b	Account duration + 1 year	Potential buyers · LeVault team
Reviews and comments	Community reputation	Consent · Art. 6.1.a + legitimate interest	Indefinitely (anonymised after account deletion)	Public · LeVault team
2FA authentication data	Account security	Consent · Art. 6.1.a	Duration of 2FA activation	LeVault only

05 Data Sharing & International Transfers

Some of your data may be transferred outside the European Economic Area (EEA) through the following services: Stripe Payments (USA — payments), Resend (USA — transactional emails), Sendcloud (Netherlands — within EU, no international transfer), Railway (USA — hosting). These transfers are governed by Standard Contractual Clauses (SCC) approved by the European Commission, in accordance with GDPR Art. 46.2.c. Stripe and Resend are also certified under the EU-USA Data Privacy Framework. Your personal data is never sold to third parties.

06 Retention

Retention periods vary by data category as detailed in the table above. In general, account data is retained for the duration of your account and for up to 10 years after closure for legal obligation categories (DAC7, KYC).

07 Your Rights (GDPR Art. 15–22)

Right of access (Art. 15) — obtain confirmation that your data is processed and receive a copy
Right of rectification (Art. 16) — correct inaccurate or incomplete data
Right to erasure (Art. 17) — request deletion of your data where permitted by law
Right to restriction of processing (Art. 18)
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
Right to object (Art. 21) — object to processing based on legitimate interest
Right to withdraw consent at any time, for processing based on consent
Right to lodge a complaint with a supervisory authority

To exercise these rights: [email protected]. We respond within one month.

08 Security

We implement appropriate technical and organisational measures to protect your data.

09 Supervisory Authorities

France: Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr
Estonia: Andmekaitse Inspektsioon (AKI) — www.aki.ee

10 Contact

For all data protection and privacy requests: [email protected] · levaultofficial.com

As a small operator, LeVault OÜ is not required to designate a formal Data Protection Officer (GDPR Art. 37). Privacy requests are handled directly by the legal representative, Jessica Sales Coelho da Silva, within one month.

11 Minors

Le Vault is a platform intended for adults aged 18 or over. We do not knowingly collect personal data from minors under 18. If you believe a minor has registered or submitted data to our platform, please contact us at [email protected] so we can delete the relevant data promptly.

12 Automated Decision-Making

Le Vault does not use automated decision-making or profiling within the meaning of GDPR Art. 22 that produces legal or similarly significant effects on users. All decisions concerning membership acceptance, item curation and dispute resolution involve human review.