Privacy Policy

Effective Date: January 1, 2026 Last Updated: January 15, 2026

1. Introduction

Torvus Security ("Torvus," "we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our digital vault and document management platform (the "Service").

This policy applies to all users of Torvus Security, including individuals, journalists, and organizations who create accounts and use our platform to store, manage, and control access to sensitive documents and digital assets.

By using Torvus Security, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Service.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

Email address (required for authentication)
Full name
Password (stored as encrypted hash)
Profile information (optional: organization, role, bio)
Account settings and preferences

Vault and Document Data:

Vault names and descriptions
Document metadata (file names, sizes, upload dates, file types)
Encrypted document contents (end-to-end encrypted, we cannot access)
Check-in configurations and schedules
Release policies and triggers
Recipient information (names, email addresses, relationship descriptions)
Beneficiary designations for digital legacy features
Cryptocurrency asset documentation (metadata only, not private keys)

Case Management Data (Journalist Mode):

Case names and descriptions
Timeline entries and notes
Source submission metadata (excluding identifying information)
Intake link configurations

Communications:

Support requests and correspondence
Feedback and survey responses
Email communications with our team

2.2 Information Collected Automatically

Usage Data:

IP address (anonymized for analytics)
Browser type and version
Operating system
Device information (type, screen resolution)
Pages visited and features used
Time spent on pages
Click patterns and navigation paths
Login timestamps and frequency

Technical Data:

Session identifiers
Authentication tokens (encrypted)
API request logs
Error logs and crash reports
Performance metrics

Analytics Data (with your consent):

Feature usage patterns
User journey analytics
Interaction with UI elements
Session recordings (with anonymization)
Conversion events

2.3 Information from Third Parties

We may receive limited information from:

Authentication Providers: If you sign in with OAuth (Google, etc.), we receive your email address and basic profile information
Payment Processors: Payment confirmation and subscription status (when payment features are implemented)

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery (Legal Basis: Contract Performance)

Account Management: Create, maintain, and authenticate your account
Vault Operations: Store, organize, and manage your vaults and documents
Security Features: Implement encryption, access controls, and security monitoring
Check-in System: Monitor check-ins and trigger release policies
Release Execution: Deliver vault contents to designated recipients when trigger conditions are met
Digital Legacy: Execute beneficiary designations and asset transfers
Journalist Mode: Provide secure case management and anonymous source intake

3.2 Service Improvement (Legal Basis: Legitimate Interest)

Product Development: Identify bugs, understand feature usage, prioritize improvements
Performance Optimization: Monitor system performance, identify bottlenecks
User Experience: Analyze user journeys, improve onboarding and workflows
Security Enhancement: Detect and prevent security threats, abuse, and fraud

With your explicit consent, we use analytics tools (PostHog) to:

Track feature adoption and usage patterns
Understand user behavior and preferences
Measure product success metrics
Conduct A/B testing and experiments
Generate anonymized usage reports

You can withdraw analytics consent at any time from your account settings.

3.4 Legal and Compliance (Legal Basis: Legal Obligation)

Regulatory Compliance: Comply with GDPR, CCPA, and other privacy regulations
Legal Requests: Respond to court orders, subpoenas, and legal process
Fraud Prevention: Detect and prevent fraudulent activity, abuse, and security incidents
Audit and Compliance: Maintain audit logs for security and compliance purposes

Transactional Emails: Account confirmations, password resets, security alerts (cannot opt out)
Service Updates: Critical product updates, security notifications (cannot opt out)
Product Communications: Feature announcements, tips, best practices (opt-in only)
Marketing: Newsletters, promotional content (opt-in only, requires explicit consent)

4. How We Store and Protect Your Information

4.1 Data Storage

Infrastructure:

Database: Supabase PostgreSQL (hosted on AWS in US region)
File Storage: Supabase Storage with AES-256 encryption at rest
Authentication: Supabase Auth with bcrypt password hashing
Geographic Location: All data stored in United States data centers

Encryption:

Data at Rest: All database records and stored files encrypted with AES-256
Data in Transit: All communications use TLS 1.3 encryption (HTTPS)
End-to-End Encryption: Document contents are encrypted client-side before upload; we cannot access document contents

Backups:

Automated daily backups with 30-day retention
Backups encrypted with same security standards as primary data
Geographic redundancy for disaster recovery

4.2 Security Measures

Access Controls:

Row Level Security (RLS): Database-level access controls ensure users can only access their own data
Role-Based Access Control (RBAC): Staff access limited by role (Viewer, Operator, Security Admin)
Multi-Factor Authentication: Optional MFA for enhanced account security
Session Management: Secure session tokens with automatic expiration

Monitoring and Incident Response:

Security Monitoring: 24/7 automated threat detection with Sentry
Audit Logging: Comprehensive logs of all data access and modifications
Incident Response: Dedicated security team, documented incident response procedures
Vulnerability Management: Regular security audits and penetration testing

Organizational Security:

Background Checks: All staff undergo security screening
Security Training: Regular training on data protection and security best practices
Least Privilege: Staff access limited to minimum necessary for job function
Vendor Management: Third-party services undergo security assessment

4.3 Data Retention

Active Accounts:

Account data retained as long as your account is active
Vault data retained according to your configured retention policies
Audit logs retained for 7 years for security and compliance purposes

Inactive Accounts:

Accounts inactive for 2 years may be flagged for archival
90-day notice provided before any data deletion
You can reactivate your account before deletion occurs

Deleted Accounts:

30-day grace period for account recovery (soft delete)
After 30 days, permanent deletion of all personal data (hard delete)
Audit logs anonymized (user_id removed, actions retained for aggregate analysis)
Legal holds override deletion requests (court orders, regulatory investigations)

We do not sell your personal data. We share information only in the following limited circumstances:

5.1 Service Providers (Data Processors)

We share data with trusted third-party service providers who help us operate our Service:

Provider	Purpose	Data Shared	Location
Supabase	Database, storage, authentication	Account data, vault metadata, encrypted files	United States (AWS)
Vercel	Application hosting and CDN	IP address (temporary), HTTP headers	Global (edge network)
PostHog	Analytics (with consent)	Anonymized usage data, feature interactions	European Union
Sentry	Error monitoring and debugging	Error logs, stack traces (no personal data)	United States
Resend	Transactional emails	Email address, name (for sending emails)	United States

All service providers:

Sign Data Processing Agreements (DPAs) with appropriate safeguards
Process data only according to our instructions
Implement appropriate technical and organizational security measures
Are prohibited from using data for their own purposes

5.2 Release to Designated Recipients

When you configure release policies, we share vault contents with your designated recipients under the following conditions:

Trigger Event: Release policy conditions are met (inactivity, death certificate, manual trigger, date-based)
Data Shared: Vault contents, documents, and metadata you explicitly designated for release
Recipient Verification: Recipients receive secure access links requiring email verification
Audit Trail: All releases are logged with timestamp, trigger reason, and recipient information

5.3 Legal Requirements

We may disclose information when required by law or when we believe disclosure is necessary to:

Comply with Legal Process: Respond to court orders, subpoenas, or other lawful requests
Protect Rights: Enforce our Terms of Service and protect our legal rights
Prevent Harm: Protect the safety and security of users or the public
Detect Fraud: Investigate and prevent fraud, abuse, or security incidents

We will notify you of legal requests unless prohibited by law.

5.4 Business Transfers

If Torvus Security is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

6. Your Privacy Rights

If you are located in the European Economic Area (EEA), UK, or Switzerland, you have the following rights:

Right to Access: Request a copy of all personal data we hold about you

How to Exercise: Use the "Export Data" feature in your account settings
Response Time: Immediate for self-service export, up to 72 hours for large datasets
Format: JSON (structured data) and CSV (tabular data)

Right to Rectification: Correct inaccurate or incomplete personal data

How to Exercise: Update information directly in your account settings
Response Time: Immediate for self-service updates

Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data

How to Exercise: Use the "Delete Account" feature in account settings
Response Time: 30-day grace period for recovery, then permanent deletion
Limitations: May not apply if we have legal obligation to retain data

Right to Restrict Processing: Request that we limit how we use your data

How to Exercise: Contact privacy@torvussecurity.com
Response Time: 72 hours for acknowledgment, 30 days for implementation

Right to Data Portability: Receive your data in a portable format and transfer to another service

How to Exercise: Use the "Export Data" feature (JSON format is portable)
Response Time: Immediate

Right to Object: Object to processing based on legitimate interests or direct marketing

How to Exercise: Withdraw consent in account settings or contact privacy@torvussecurity.com
Response Time: Immediate for analytics consent, 72 hours for other objections

Right to Withdraw Consent: Withdraw consent for analytics or marketing

How to Exercise: Toggle consent options in account settings
Response Time: Immediate effect

Right to Lodge a Complaint: File a complaint with your local data protection authority

How to Exercise: Contact your national supervisory authority (e.g., ICO in UK, CNIL in France)

6.2 Rights Under CCPA (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

Right to Know: Request disclosure of personal information collected, used, or shared

How to Exercise: Use "Export Data" feature or contact privacy@torvussecurity.com
Response Time: 45 days (may extend to 90 days for complex requests)

Right to Delete: Request deletion of personal information

How to Exercise: Use "Delete Account" feature or contact privacy@torvussecurity.com
Response Time: 30-day grace period, then permanent deletion

Right to Opt-Out of Sale: We do NOT sell personal information, so opt-out is not applicable

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

Authorized Agent: You may designate an authorized agent to make requests on your behalf (power of attorney required)

6.3 How to Exercise Your Rights

Self-Service Privacy Portal: Visit /account/privacy in your account settings to:

Export all your data (JSON/CSV formats)
Delete your account (with 30-day recovery period)
Manage consent preferences (analytics, marketing)
View privacy request history

Email Requests: Contact privacy@torvussecurity.com with requests

Include: Full name, email address, specific request, verification information
Response time: 72 hours for acknowledgment, 30 days for completion

Verification: We may request additional information to verify your identity before fulfilling requests

7. Cookies and Tracking Technologies

7.1 Cookies We Use

Essential Cookies (cannot be disabled):

Session Cookies: Maintain your logged-in session across pages
Authentication Tokens: Securely authenticate your requests to our servers
Security Cookies: Protect against CSRF attacks and secure your account
Lifetime: Session duration or 30 days (remember me option)

Analytics Cookies (requires consent):

PostHog Analytics: Track feature usage, user journeys, and product metrics
Purpose: Improve product, identify bugs, prioritize development
Lifetime: 1 year
Opt-Out: Disable analytics consent in account settings

We do NOT use:

Advertising cookies
Third-party tracking cookies
Cross-site tracking
Social media pixels

7.2 Do Not Track (DNT)

We honor Do Not Track browser signals. If DNT is enabled:

We disable analytics tracking
We do not load analytics scripts
Only essential cookies are used

7.3 Managing Cookies

Browser Settings: You can control cookies through your browser settings:

Most browsers allow you to view, delete, and block cookies
Disabling essential cookies may prevent you from using our Service

Consent Management: Manage analytics cookies through:

Account settings → Privacy → Analytics consent toggle
Initial onboarding consent modal

8. International Data Transfers

8.1 Data Location

All Torvus Security data is stored in United States data centers (AWS US regions). If you access our Service from outside the United States, your data will be transferred to and processed in the United States.

8.2 Legal Basis for Transfers

For EEA/UK Users:

Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for data transfers from EEA to United States
Adequacy Decisions: We monitor EU Commission adequacy decisions and update our practices accordingly
Additional Safeguards: Encryption in transit and at rest, access controls, and audit logging

For Other International Users:

By using our Service, you consent to the transfer of your data to the United States
We implement appropriate safeguards to protect your data according to this Privacy Policy

8.3 Future International Expansion

If we expand to additional regions, we will:

Offer data residency options (store data in your region)
Update this Privacy Policy with new data locations
Provide notice to existing users before transferring their data

9. Children's Privacy

Torvus Security is not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

If we discover we have collected data from a child under 18:

We will delete the data as soon as possible
We will notify the parent/guardian if contact information is available
We will take steps to prevent future collection from that user

If you are a parent/guardian and believe your child has provided us with personal information:

Contact privacy@torvussecurity.com immediately
Provide: Child's name, email address, date account was created
We will verify and delete the account within 72 hours

10. Third-Party Links and Integrations

Our Service may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third parties.

When you click external links:

You leave Torvus Security and enter a third-party service
That service's privacy policy applies (not ours)
We are not responsible for their privacy practices
We recommend reviewing their privacy policy before sharing data

Third-Party Integrations (Future):

If we add integrations (Slack, Zapier, etc.), we will request your consent
We will clearly disclose what data is shared with each integration
You can revoke integration access at any time from account settings

11. Data Breach Notification

We take security incidents seriously and have implemented comprehensive incident response procedures.

In the event of a data breach:

Detection: Automated monitoring systems alert our security team
Containment: Immediate action to contain and mitigate the breach
Investigation: Forensic analysis to determine scope and impact
Notification:
- Users affected: Within 72 hours of discovery
- Regulatory authorities (GDPR): Within 72 hours if high risk to rights and freedoms
- Law enforcement: As required by law
Remediation: Steps to prevent future incidents, enhanced security measures
Transparency: Public disclosure if breach affects large number of users

What we will tell you:

Nature of the breach and data affected
Potential consequences and impact
Measures we've taken to address the breach
Steps you can take to protect yourself
Contact information for questions

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or Service features.

How we notify you of changes:

Material Changes: Email notification to all users at least 30 days before effective date
Minor Changes: Notice in your account dashboard
Continued Use: Using the Service after changes take effect means you accept the new policy

What constitutes a material change:

Changes to data collection practices (new types of data collected)
Changes to data sharing practices (new third parties)
Changes to user rights or how to exercise them
Changes to data retention periods

Policy Version Control:

We maintain a changelog of all policy updates
Previous versions are available at /legal/privacy-policy/history
Effective date and last updated date clearly displayed at top of policy

13. Contact Information

13.1 Privacy Questions

For questions about this Privacy Policy or our privacy practices:

Email: privacy@torvussecurity.com Response Time: 72 hours for acknowledgment, 30 days for resolution

13.2 Privacy Requests

To exercise your privacy rights (access, deletion, correction):

Self-Service Portal: https://platform.torvussecurity.com/account/privacy Email: privacy@torvussecurity.com

13.3 Data Protection Officer

For GDPR-related inquiries:

Email: dpo@torvussecurity.com Postal Address: Torvus Security Data Protection Officer [Address will be added when office is established]

13.4 Supervisory Authorities

EU/EEA Users: You have the right to lodge a complaint with your national data protection authority:

Find your authority: https://edpb.europa.eu/about-edpb/board/members_en

California Users: California Attorney General's Office:

Website: https://oag.ca.gov/privacy
Phone: (916) 210-6276

For transparency, we process your data under the following legal bases:

Processing Activity	Legal Basis	Description
Account management	Contract	Necessary to provide Service you signed up for
Vault and document storage	Contract	Core service functionality
Security monitoring	Legitimate Interest	Protect our systems and user data
Product improvement	Legitimate Interest	Improve Service quality and features
Analytics (with consent)	Consent	Voluntary analytics participation
Marketing communications	Consent	Opt-in only, can withdraw anytime
Legal compliance	Legal Obligation	Required by law (GDPR, CCPA, etc.)
Fraud prevention	Legitimate Interest	Protect users and prevent abuse

15. Glossary

Personal Data: Any information relating to an identified or identifiable person

Data Controller: Entity that determines purposes and means of processing personal data (Torvus Security)

Data Processor: Entity that processes personal data on behalf of controller (our service providers)

Data Subject: Individual whose personal data is being processed (you, the user)

Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)

Consent: Freely given, specific, informed agreement to processing of personal data

Anonymization: Irreversibly altering data so individuals cannot be identified

Pseudonymization: Replacing identifying information with pseudonyms (reversible with additional information)

Right to be Forgotten: Right to request deletion of personal data (GDPR Article 17)

Data Portability: Right to receive personal data in machine-readable format (GDPR Article 20)

16. Conclusion

This Privacy Policy explains how Torvus Security protects your privacy and gives you control over your personal data. We are committed to transparency, security, and compliance with global privacy regulations.

Key Takeaways:

We encrypt your data end-to-end (we cannot access your vault contents)
We never sell your personal data to third parties
You can export all your data at any time (JSON/CSV formats)
You can delete your account with a 30-day grace period
You control analytics and marketing consent
We respond to privacy requests within 72 hours

If you have questions or concerns about this policy, please contact privacy@torvussecurity.com.

Thank you for trusting Torvus Security with your most sensitive information.

Document Version: 1.0.0 Effective Date: January 1, 2026 Last Updated: January 15, 2026 Next Review: April 15, 2026

This privacy policy was drafted to comply with GDPR (Regulation (EU) 2016/679), CCPA (Cal. Civ. Code § 1798.100 et seq.), and other applicable privacy laws. It is a living document subject to updates as our practices evolve and regulations change.

1. Introduction​

2. Information We Collect​

2.1 Information You Provide Directly​

2.2 Information Collected Automatically​

2.3 Information from Third Parties​

3. How We Use Your Information​

3.1 Service Delivery (Legal Basis: Contract Performance)​

3.2 Service Improvement (Legal Basis: Legitimate Interest)​

3.3 Analytics and Research (Legal Basis: Consent)​

3.4 Legal and Compliance (Legal Basis: Legal Obligation)​

3.5 Communications (Legal Basis: Legitimate Interest / Consent)​

4. How We Store and Protect Your Information​

4.1 Data Storage​

4.2 Security Measures​

4.3 Data Retention​

5. How We Share Your Information​

5.1 Service Providers (Data Processors)​

5.2 Release to Designated Recipients​

5.3 Legal Requirements​

5.4 Business Transfers​

6. Your Privacy Rights​

6.1 Rights Under GDPR (European Users)​

6.2 Rights Under CCPA (California Users)​

6.3 How to Exercise Your Rights​

7. Cookies and Tracking Technologies​

7.1 Cookies We Use​

7.2 Do Not Track (DNT)​

7.3 Managing Cookies​

8. International Data Transfers​

8.1 Data Location​

8.2 Legal Basis for Transfers​

8.3 Future International Expansion​

9. Children's Privacy​

10. Third-Party Links and Integrations​

11. Data Breach Notification​

12. Changes to This Privacy Policy​

13. Contact Information​

13.1 Privacy Questions​

13.2 Privacy Requests​

13.3 Data Protection Officer​

13.4 Supervisory Authorities​

14. Legal Basis for Processing (GDPR)​

15. Glossary​

16. Conclusion​