Privacy Policy
Last Updated: March 26, 2026
THIS PRIVACY POLICY EXPLAINS HOW VAULT27 LIMITED COLLECTS, USES, STORES, SHARES, AND PROTECTS YOUR PERSONAL DATA IN CONNECTION WITH THE VAULT27 CARD PLATFORM. PLEASE READ IT CAREFULLY. BY USING THE VAULT27 CARD SERVICE, YOU CONFIRM THAT YOU HAVE READ AND UNDERSTOOD THIS POLICY AND CONSENT TO THE PROCESSING OF YOUR PERSONAL DATA AS DESCRIBED HEREIN.
Section 1 — Who We Are & How to Contact Us
Data Controller: Vault27 Limited
Company ID: 3-102-948161
Registered Address: San José, Montes de Oca, San Pedro, Barrio Dent, Calle 37, Avenida 3, Oficina 101, Costa Rica
Support: legal@vault27.pro
Website: vault27.pro
Vault27 Limited (“Vault27”, “we”, “us”, “our”) operates the Vault27 Card platform including the prepaid card programme, cryptocurrency wallet service, and revenue share programme (collectively, the “Service”). We are the data controller responsible for your personal data collected through the Service. For all privacy-related enquiries, data subject requests, or complaints, please contact us at legal@vault27.pro.
Section 2 — Scope of This Policy
This Privacy Policy applies to all personal data collected by Vault27 in connection with your use of the Vault27 Card Service, including:
- Registration and account creation on the Vault27 Card platform.
- Identity verification (KYC) and anti-money laundering (AML) screening.
- Card issuance, loading, spending, and withdrawal transactions.
- Participation in the Vault27 Card revenue share programme.
- Cryptocurrency deposits and blockchain-linked activities.
- Communications with Vault27 support or compliance teams.
- Use of the Vault27 Card website, application, and related digital services.
This Policy does not apply to third-party websites, services, or applications that may be linked from our Platform. We are not responsible for the privacy practices of such third parties and encourage you to review their own policies.
Section 3 — The Personal Data We Collect
3.1 Identity & Contact Information
We collect the following when you register for or use the Vault27 Card Service:
- Full legal name as it appears on your government-issued identification.
- Date of birth.
- Residential address (current and, where required, previous).
- Email address.
- Phone number.
- Nationality and country of residence.
- Government-issued identification documents (passport, national ID, driving licence) — including document images and facial biometric data collected during liveness verification.
- Selfie photographs and/or video recordings collected during identity verification.
3.2 Financial & Transaction Data
- Cryptocurrency wallet addresses associated with your account.
- Details of all deposits, top-ups, card transactions, withdrawals, and transfers.
- Card balance and transaction history.
- Exchange rates applied to your transactions.
- Revenue share commission records — amounts earned, by level, and associated transaction references.
- Source of funds information where required for KYC/AML compliance.
3.3 Technical & Device Data
- IP address and approximate geolocation derived from IP.
- Device type, operating system, browser type and version.
- Device identifiers and advertising IDs where applicable.
- Log files, access times, and session duration.
- Cookies and similar tracking technologies — see Section 11.
3.4 Communications Data
- Content of emails, live chat messages, or support tickets you send to Vault27.
- Records of any calls with Vault27 support where consent to recording has been obtained.
- Feedback, survey responses, and reviews you submit.
3.5 Compliance & Due Diligence Data
- Results of sanctions screening, PEP (Politically Exposed Person) checks, and adverse media screening.
- Risk assessment scores and compliance decision records.
- Suspicious activity reports and internal compliance notes (where legally permissible to disclose).
- Blockchain analytics data, including transaction risk scores derived from on-chain analysis.
3.6 Blockchain & Public Data
You acknowledge that certain data associated with cryptocurrency transactions — including wallet addresses, transaction hashes, amounts, and timestamps — is recorded on public blockchain networks and is visible to anyone with access to those networks. This data is outside Vault27’s control and cannot be deleted. Vault27 may use blockchain analytics tools to analyse on-chain data associated with your wallet addresses for compliance purposes.
3.7 Data We Do Not Collect
Vault27 does not collect or store your full card number, CVV, or PIN in unencrypted form. These are handled by our card programme partner in accordance with PCI DSS standards. Vault27 does not collect biometric data for any purpose other than identity verification, and does not use facial recognition for any ongoing surveillance or profiling purpose.
Section 4 — How and Why We Use Your Personal Data
We process your personal data only where we have a lawful basis to do so. The lawful bases we rely on are: (1) Contractual Necessity — to deliver the Service you have requested; (2) Legal Obligation — to comply with AML, KYC, and regulatory requirements; (3) Legitimate Interests — to protect our business and users from fraud; (4) Consent — where you have given us specific consent.
4.1 Providing the Service (Contractual Necessity)
- Creating and managing your Vault27 Card account.
- Processing card purchases, top-ups, transactions, and withdrawals.
- Issuing and managing your prepaid Mastercard/Visa card.
- Calculating and distributing revenue share commissions.
- Processing cryptocurrency deposits and conversions.
- Providing customer support.
4.2 Identity Verification & Compliance (Legal Obligation)
- Conducting KYC identity verification as required by applicable AML regulations.
- Screening against international sanctions lists (OFAC, EU, UN, and others).
- Conducting PEP screening and adverse media checks.
- Performing ongoing transaction monitoring for suspicious activity.
- Filing Suspicious Activity Reports (SARs) with relevant authorities where legally required.
- Complying with requests from regulatory authorities, law enforcement, and judicial orders.
- Maintaining records as required by anti-money laundering and data retention laws.
4.3 Security & Fraud Prevention (Legitimate Interests)
- Detecting, investigating, and preventing fraud, money laundering, and other illegal activity.
- Protecting the security and integrity of the Platform and our users’ accounts.
- Monitoring transactions for patterns inconsistent with legitimate use.
- Conducting blockchain analytics to identify high-risk wallet activity.
- Verifying device and IP information to detect unauthorised access.
4.4 Service Improvement & Analytics (Legitimate Interests)
- Analysing usage patterns to improve Platform functionality and user experience.
- Conducting internal research and product development.
- Testing new features and resolving technical issues.
- Generating aggregated, anonymised statistical data for internal reporting.
4.5 Communications (Contractual Necessity / Legitimate Interests)
- Sending transaction confirmations, account notifications, and security alerts.
- Responding to your support requests and enquiries.
- Providing important policy or service updates.
4.6 Marketing (Consent)
- Sending promotional communications about Vault27 Card services and features — only where you have given your express consent.
- You may withdraw consent to marketing communications at any time by emailing legal@vault27.pro or using the unsubscribe link in any marketing email. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Section 5 — How We Share Your Personal Data
Vault27 does not sell your personal data to third parties. We will never sell, rent, or trade your personal data for commercial purposes. We share your data only in the following limited circumstances:
5.1 Service Providers & Data Processors
We share data with carefully selected third-party service providers who process data on our behalf under strict contractual obligations:
- KYC & Identity Verification: Sumsub — processes identity documents, biometric data, and conducts sanctions/PEP screening on our behalf. Sumsub processes data in accordance with its own Privacy Policy and under contractual data processing agreements with Vault27.
- Card Programme Partners: Our issuing bank and card network partners (Mastercard/Visa) — receive cardholder data required for card issuance and transaction processing, in compliance with PCI DSS standards.
- Blockchain Analytics: Third-party blockchain analytics providers — receive wallet address data for transaction risk scoring.
- Cloud Infrastructure & Hosting: Secure cloud hosting providers that store Platform data under strict data processing agreements including encryption and access controls.
- Payment Processing: Cryptocurrency payment processors that facilitate deposits and withdrawals.
- Customer Support Tooling: Help desk and communication platforms used to manage support tickets.
- Analytics Providers: Platform analytics tools used in anonymised or pseudonymised form only.
5.2 Legal & Regulatory Disclosure
We may disclose your personal data to:
- Regulatory authorities, government agencies, or law enforcement bodies where required by applicable law, court order, or regulatory requirement.
- Financial intelligence units and AML supervisory authorities in connection with suspicious activity reporting obligations.
- Card networks (Mastercard/Visa) in connection with fraud investigations or chargeback disputes.
- Our legal advisers in connection with legal proceedings or regulatory investigations.
Where permitted by law, we will notify you of such disclosures. In cases involving criminal investigations, national security, or where notification is prohibited by law, we may not be able to inform you.
5.3 Revenue Share Programme Disclosure
Your username (not your full name or other personal information) is visible to members of your direct upline and downline within the Vault27 revenue share network for the purpose of displaying revenue share relationships and commission structures. No other personal data is shared within the revenue share network without your consent.
5.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of Vault27’s assets, your personal data may be transferred to the acquiring entity. You will be notified of any such transfer in advance where practicable, and any acquirer will be required to honour this Privacy Policy or provide you with a materially equivalent policy.
5.5 Public Blockchain Transactions
Transactions conducted on public blockchain networks are inherently public and are not within Vault27’s control. Wallet addresses, transaction amounts, and timestamps may be visible to any party with access to the relevant blockchain explorer.
Section 6 — International Data Transfers
Vault27 is incorporated in Costa Rica and our service providers operate in multiple countries including the United States, the European Union, and other jurisdictions. Your personal data may be transferred to and processed in countries outside your country of residence.
Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with international data processors.
- Adequacy decisions where applicable.
- Binding Corporate Rules or equivalent data transfer mechanisms where SCCs are not applicable.
By using the Vault27 Card Service, you acknowledge that your data may be processed internationally in accordance with the safeguards described above. You may request a copy of the relevant transfer safeguards by contacting legal@vault27.pro.
Section 7 — Data Retention
We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
- Active accounts: Personal data is retained for the duration of your account relationship with Vault27.
- Closed accounts — Identity & KYC data: Retained for a minimum of 7 years following account closure, as required by AML regulations.
- Transaction records: Retained for a minimum of 7 years from the date of the transaction, in accordance with financial record-keeping requirements.
- AML & Compliance records: Retained for a minimum of 5 years from the date of the relevant compliance decision or SAR filing.
- Marketing data: Retained until you withdraw consent or unsubscribe, after which it is deleted within 30 days.
- Support communications: Retained for 3 years from the date of the communication, unless the matter is subject to ongoing legal proceedings.
- Technical logs: Retained for 12 months in standard circumstances, or longer if required for security investigation purposes.
Following the expiry of the applicable retention period, your data will be securely deleted or anonymised. Where anonymisation is not possible, the data will be destroyed in a manner that renders it irrecoverable.
Section 8 — Data Security
Vault27 implements a comprehensive programme of technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
8.1 Technical Measures
- Transport Layer Security (TLS 1.2 or higher) for all data transmitted between your device and our Platform.
- AES-256 encryption for all personal data stored at rest.
- End-to-end encryption for sensitive cardholder data.
- PCI DSS compliant card data handling through our card programme partners.
- Multi-factor authentication (MFA) required for all administrative access to Vault27 systems.
- Segregated network architecture with firewalls, intrusion detection systems, and real-time threat monitoring.
- Regular penetration testing and vulnerability assessments conducted by qualified third parties.
- Automated anomaly detection and security incident response protocols.
8.2 Organisational Measures
- Strict role-based access controls — personal data is accessible only to personnel with a legitimate operational need.
- All personnel with access to personal data are subject to confidentiality obligations and receive regular data protection training.
- Data processing agreements in place with all third-party processors, including security requirements.
- A documented Data Breach Response Plan with defined escalation procedures and regulatory notification timelines.
- Regular internal audits of data processing activities and security controls.
8.3 Your Responsibilities
The security of your account also depends on you. You are responsible for maintaining the confidentiality of your login credentials, enabling two-factor authentication, and notifying Vault27 immediately at legal@vault27.pro if you suspect any unauthorised access to your account. Vault27 will never ask you for your password.
8.4 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Vault27 will notify you and relevant supervisory authorities in accordance with applicable data protection law, within the timeframes required by law (typically 72 hours for regulatory notification where required).
Section 9 — Your Rights as a Data Subject
Depending on your jurisdiction, you may have the following rights in respect of your personal data. Vault27 is committed to honouring these rights promptly and transparently.
9.1 Right of Access
You have the right to request a copy of the personal data we hold about you, along with information about how it is used, who it is shared with, and how long it will be retained. We will respond to access requests within 30 days.
9.2 Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to request that it be corrected. Please contact us at legal@vault27.pro with the specific correction required.
9.3 Right to Erasure ("Right to be Forgotten")
You may request the deletion of your personal data in certain circumstances, including where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent. However, this right is subject to important limitations — we may be required to retain certain data to comply with our legal obligations under AML regulations, financial record-keeping requirements, or ongoing legal proceedings. Where deletion is not possible, we will inform you of the reason.
9.4 Right to Restriction of Processing
You may request that we restrict the processing of your personal data in certain circumstances — for example, while a dispute about the accuracy of your data is being resolved, or where you have objected to processing based on legitimate interests.
9.5 Right to Data Portability
Where processing is based on your consent or on a contract, and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
9.6 Right to Object
You have the right to object to processing based on our legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims. You may always object to processing for direct marketing purposes — this right is absolute.
9.7 Right to Withdraw Consent
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, contact legal@vault27.pro.
9.8 Rights Under GDPR
If you are located in the European Economic Area or the United Kingdom, you have the rights described above under the General Data Protection Regulation (GDPR) / UK GDPR. You also have the right to lodge a complaint with your local supervisory authority. In the EU, you may contact the supervisory authority in your country of residence. In the UK, you may contact the Information Commissioner’s Office (ICO) at ico.org.uk.
9.9 Rights Under CCPA (California Residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including:
- The right to know what personal information is collected, used, shared, or sold.
- The right to delete personal information held by a business.
- The right to opt out of the sale or sharing of personal information. Note: Vault27 does not sell personal information.
- The right to non-discrimination for exercising your privacy rights.
- The right to correct inaccurate personal information.
- The right to limit the use of sensitive personal information.
To exercise your CCPA rights, contact legal@vault27.pro with the subject line “CCPA Request”.
9.10 How to Submit a Request
To exercise any of the above rights, please contact us at legal@vault27.pro. We may need to verify your identity before processing your request. We will respond within 30 days, or within the timeframe required by applicable law. We do not charge a fee for exercising your rights, unless requests are manifestly unfounded or excessive.
Section 10 — Children's Privacy
The Vault27 Card Service is strictly intended for users aged 18 and over. We do not knowingly collect personal data from persons under the age of 18. If you believe that a person under 18 has provided personal data to Vault27, please contact us immediately at legal@vault27.pro. Upon confirmation, we will promptly delete all such data and close the relevant account. We reserve the right to conduct age verification checks as part of our KYC process.
Section 11 — Cookies & Tracking Technologies
11.1 What Are Cookies
Cookies are small text files placed on your device when you access our website or application. We also use similar technologies including pixel tags, web beacons, and local storage objects. These technologies help us operate the Platform, recognise returning users, and understand how the Platform is used.
11.2 Types of Cookies We Use
- Essential / Strictly Necessary Cookies: Required for the Platform to function. These include authentication cookies, session security tokens, and CSRF protection tokens. You cannot opt out of these without disabling the Platform entirely.
- Functionality Cookies: Remember your preferences such as language settings and display options. These enhance your experience but are not essential.
- Analytics Cookies: Collect anonymised or pseudonymised data about how users interact with the Platform (e.g., pages visited, time spent, error messages). We use Google Analytics and similar tools. Data is aggregated and does not identify you individually.
- Security Cookies: Assist in detecting and preventing fraud and unauthorised access.
- Marketing Cookies: Used only where you have given explicit consent, to deliver relevant information about Vault27 Card features and offers.
11.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when a new cookie is set. Please note that disabling essential cookies will affect the functionality of the Platform. For more information on managing cookies, visit allaboutcookies.org.
For analytics opt-out, you may install the Google Analytics Opt-Out Browser Add-on available at tools.google.com/dlpage/gaoptout.
Section 12 — Automated Decision-Making & Profiling
Vault27 uses automated processing in the following contexts:
- KYC Verification: Our KYC provider (Sumsub) uses automated tools to verify identity documents and conduct liveness checks. Automated decisions made during this process may result in your application being flagged for manual review or rejected. You have the right to request human review of any automated KYC decision — please contact privacy@vault27.pro.
- Sanctions & PEP Screening: Automated screening tools check your details against sanctions lists and PEP databases. Positive matches are reviewed by our compliance team before any action is taken.
- Transaction Risk Scoring: Blockchain analytics tools generate automated risk scores for cryptocurrency transactions. High-risk scores may result in your transaction being held for manual review.
- Fraud Detection: Automated systems monitor transactions for patterns consistent with fraud. Flagged transactions are reviewed by our security team.
Where an automated decision produces a significant effect on you (such as account suspension or transaction blocking), you have the right to request human review and to challenge the decision. Please contact privacy@vault27.pro with your request, including your account username and the details of the decision you wish to challenge.
Section 13 — Third-Party Links & Services
The Vault27 Card Platform may contain links to third-party websites, services, or applications, including but not limited to Mastercard/Visa merchant sites, blockchain explorers, and external KYC portals. Vault27 is not responsible for the privacy practices or content of such third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with our Platform.
Section 14 — Changes to This Privacy Policy
Vault27 reserves the right to update or amend this Privacy Policy at any time. When changes are material, we will:
- Post the updated policy on vault27.pro with a revised “Last Updated” date.
- Notify you by email to the address registered to your account at least 14 days before the changes take effect, where the changes materially affect your rights.
- Where required by applicable law, obtain your consent before implementing any material changes to the way we process your personal data.
Your continued use of the Vault27 Card Service following the effective date of any updated Privacy Policy constitutes your acceptance of the revised policy. If you do not agree with the changes, you must discontinue use of the Service and may request account closure.
Section 15 — Complaints
If you have a complaint about how Vault27 handles your personal data, we encourage you to contact us in the first instance at legal@vault27.pro so that we can attempt to resolve the matter directly. We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days.
If you are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the relevant data protection supervisory authority:
- European Union: The supervisory authority in your country of residence.
- United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk — Tel: 0303 123 1113.
- California (USA): California Privacy Protection Agency (CPPA) — cppa.ca.gov.
- Other jurisdictions: The relevant national data protection authority in your country of residence.
Section 16 — Governing Law
This Privacy Policy is governed by the laws of the Republic of Costa Rica. For users in the European Union or United Kingdom, the applicable data protection law (GDPR / UK GDPR) applies in addition to and, where there is a conflict, prevails over this Policy. For users in California, the CCPA/CPRA applies.