Privacy Notice

Welcome to The Vault. The Vault is a platform operated by Tria Software Limited, a company incorporated in Cyprus under registration number HE422111 with its registered office at Arch. Makariou III & Markou Drakou, 66-68, Mesa Geitonia, 4003, Limassol, Cyprus and operating under the brand name “The Vault” (“The Vault”, “we”, “us”, or “our”). Tria Software Limited is the data controller responsible for your personal data. We respect your privacy and are dedicated to safeguarding your personal information.

This Privacy Notice explains how The Vault collects, uses, stores, processes, and shares your personal data when you access The Vault's platform, website, or services. It also describes your rights under applicable data protection legislation and how you can exercise them.

Please read this Privacy Notice carefully. By using The Vault's services, you acknowledge that you have read and understood how we handle your personal data.

The Vault uses your personal data to provide, maintain, and improve its platform and services. Specifically, The Vault processes your data to:

• create, verify, and manage your account on The Vault platform;
• process transactions initiated through The Vault;
• fulfil identity verification and AML/KYC obligations required by applicable law;
• detect, prevent, investigate, and report fraud, financial crime, and other prohibited activities;
• provide customer support and respond to your enquiries or complaints;
• send you service-related communications, security alerts, and account notifications;
• send you marketing communications about The Vault’s products and features, where you have given consent or where otherwise permitted by law. Where you have provided consent or where The Vault is otherwise permitted to do so under applicable electronic marketing laws;
• analyse platform usage and performance to improve The Vault’s features and user experience;
• comply with applicable laws, regulations, and binding directions from competent authorities; and
• enforce The Vault’s Terms of Service, policies, and legal agreements.

The Vault will not use your personal data for any purpose that is incompatible with the purposes set out in this Privacy Notice without providing you with prior notice and, where required, obtaining your consent.

The Vault does not sell, rent, or trade your personal data to third parties for commercial or marketing purposes.

The Vault may share your personal data in the following limited and controlled circumstances:

The Vault may transfer your personal data to countries or territories outside the European Economic Area (EEA) in the course of delivering its services. Where such transfers occur, The Vault ensures that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• transfers to countries that have received an adequacy decision from the European Commission; or
• other legally recognised transfer mechanisms under Chapter V of the EU GDPR.

Where transfers are carried out using Standard Contractual Clauses, you may request a copy of the relevant safeguards by contacting The Vault using the details set out in this Privacy Notice.

The Vault retains your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, reporting, anti-money laundering, and compliance obligations. The Vault's retention periods are determined by reference to the nature of the data, the purpose of processing, and applicable legal requirements. Indicative retention periods include:

• identity verification, KYC, AML, sanctions screening, and transaction records: retained for a minimum period of five (5) years following the end of the business relationship or completion of the relevant transaction, or longer where required by applicable law or regulatory obligations;
• account information and contractual records: retained for the duration of the relationship with you and for up to six (6) years thereafter for legal and regulatory purposes;
• customer support correspondence, complaints, and communications data: retained for up to two (2) years following resolution of the relevant matter;
• marketing and promotional data: retained until you withdraw your consent, unsubscribe, or after twenty-four (24) months of inactivity, whichever occurs first;
• technical logs, security records, and platform usage data: generally retained for up to twelve (12) months, unless a longer retention period is necessary for security investigations, fraud prevention, dispute resolution, or legal proceedings.

In certain circumstances, The Vault may retain personal data for longer periods where necessary to establish, exercise, or defend legal claims, comply with ongoing investigations or regulatory requests, or fulfil other legal obligations.

Where retention is no longer required, The Vault will securely delete or irreversibly anonymise your personal data in accordance with its internal data disposal procedures. Anonymised data that can no longer be linked to an identifiable individual may be retained indefinitely for analytical purposes.

The Vault implements rigorous technical and organisational security measures designed to protect your personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures include, but are not limited to:

• encryption of personal data in transit (TLS/SSL) and at rest;
• role-based access controls and least-privilege access principles;
• multi-factor authentication for access to sensitive systems;
• periodic security assessments and testing, and vulnerability assessments;
• incident detection, response, and recovery procedures; and
• ongoing staff training on data protection and information security obligations.

Access to your personal data is restricted to those employees, agents, and contractors of The Vault who have a legitimate business need to access it. All such persons are subject to confidentiality obligations.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, The Vault will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to you, The Vault will also notify you directly without undue delay in accordance with Article 34 GDPR.

Where retention is no longer required, The Vault will securely delete or irreversibly anonymise your personal data in accordance with its internal data disposal procedures. Anonymised data that can no longer be linked to an identifiable individual may be retained indefinitely for analytical purposes.

The Vault's website and platform may use cookies and similar tracking technologies to deliver, maintain, and improve The Vault's services. Where The Vault uses non-essential cookies (such as analytics or marketing cookies), it will request your consent before placing them.

You can manage your cookie preferences at any time through The Vault's cookie consent tool or your browser settings. Please note that disabling certain cookies may affect the functionality of The Vault's platform.

A full description of the cookies used by The Vault, the purposes for which they are set, and how to manage them is available in The Vault's Cookie Policy, which is incorporated into this Privacy Notice by reference.

The Vault may update this Privacy Notice from time to time to reflect changes in applicable law, regulatory guidance, or The Vault's business operations and data practices. The updated Privacy Notice will be published on The Vault's website.

For material changes that may significantly affect how The Vault processes your personal data, The Vault will provide additional notice — for example, by email notification or a prominent notice on The Vault's platform — before the changes take effect.

The Vault encourages you to review this Privacy Notice periodically to stay informed of how your personal data is being used and protected.