Privacy Policy

Effective Date: April 14, 2026  |  Virtual Vault

1. Introduction

Virtual Vault ("the Platform," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, store, and protect the data you provide when you access or use our secure digital vault platform, located at vault.xlvoip.com.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with these terms, you must discontinue use of the Platform.

2. Information We Collect

We collect the following categories of personal information:

2.1 Account Information

  • Full Name — provided during account registration
  • Email Address — used for authentication and communication
  • Phone Number — optional; used for account identification
  • Password — stored in an irreversibly hashed format (bcrypt); never stored in plain text

2.2 Transaction Data

  • Vault entry records (reference number, amount, payment mode, date)
  • Assigned officer information for each transaction
  • Transaction timestamps (immutable, permanently recorded)

2.3 Security and Activity Data

  • Login timestamps and IP addresses
  • Failed authentication attempts
  • One-time password (OTP) verification activity
  • Session activity logs for security monitoring

2.4 Technical Data

  • IP address of the requesting device
  • Browser session identifiers (session cookies)

3. How We Use Your Information

We use collected information for the following purposes:

  • Authentication — verifying your identity at login via password and one-time code
  • Transaction Tracking — maintaining an accurate and auditable ledger of vault entries
  • Security Monitoring — detecting and responding to unauthorized access attempts
  • Account Administration — managing user accounts by authorized administrators
  • Audit Compliance — maintaining audit trails required for internal record-keeping
  • Communication — delivering security codes (OTPs) and critical account notifications via email

4. Data Protection Measures

  • All passwords are hashed using bcrypt with a work factor of 12 — they cannot be reversed or read by anyone
  • One-time passwords (OTPs) are hashed before storage and expire within 5 minutes
  • All data is transmitted over HTTPS (TLS 1.2+) encrypted connections
  • Session cookies are flagged HttpOnly, Secure, and SameSite=Strict
  • All database queries use parameterized prepared statements to prevent SQL injection
  • CSRF tokens protect all state-changing requests
  • Sessions automatically expire after 30 minutes of inactivity
  • Accounts are temporarily locked after 5 consecutive failed login attempts

5. Third-Party Services

We use the following third-party services in the operation of this Platform:

  • SMTP Email Providers — We use a configured SMTP service (e.g., Gmail SMTP) to deliver one-time verification codes and account notifications. Email content is transmitted securely via STARTTLS encryption. We do not share your data with email providers beyond what is necessary for delivery.

We do not sell, rent, or share your personal information with any third parties for marketing or advertising purposes.

6. Data Retention

Vault entry records and audit logs are retained indefinitely for compliance and traceability purposes. Account information is retained for as long as the account remains active. Upon account deletion (at the discretion of an authorized administrator), personal account data is removed, except where retention is required by law or internal policy.

7. Your Rights

As a user of this Platform, you have the following rights:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Update inaccurate or incomplete profile information via your account settings
  • Deletion — Request the deletion of your account by contacting the Platform administrator
  • Portability — Export your transaction ledger in CSV format at any time from within your account

To exercise any of these rights, please contact us at support@vault.xlvoip.com.

8. Cookies

This Platform uses session-based cookies only. These cookies are strictly necessary for authentication and security purposes. They do not track your behavior across external websites and are deleted when you close your browser or your session expires.

We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

9. Children's Privacy

This Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has submitted personal information through this Platform, please contact us immediately.

10. Changes to This Policy

We reserve the right to update this Privacy Policy at any time. Changes will be reflected by updating the Effective Date above. Continued use of the Platform following any updates constitutes your acceptance of the revised policy.

11. Contact Information

For privacy-related inquiries or to exercise your rights, please contact: