Privacy Policy
Version 1.0.0 · Effective May 9, 2026
1. Who we are
ReceiveVault (the "Service") is operated by Viscous Bits ("we," "us," "our"). We are based in Canada and provide a hosted file-collection platform that lets our customers ("Customers") request files from third parties ("Contacts") by sending magic-link invitations.
2. Scope
This Privacy Policy describes how we handle information about:
- Customers - people and organizations who hold an account on the Service.
- Contacts - third parties who receive a magic link from a Customer and upload files in response.
- Visitors - anyone who accesses our public marketing pages without signing in or uploading.
When a Customer uses the Service to collect files from a Contact, the Customer is the "controller" of those files for purposes of applicable privacy law and we act as their "processor". We handle Contact files only as instructed by the relevant Customer.
3. Information we collect
3.1 Account information
When a Customer signs up for an account, we collect their email address, a password hash (never the plaintext password), the account name they provide, and any optional second-factor authentication data (TOTP secret, registered passkey credentials, recovery codes). All authentication secrets are stored hashed or encrypted.
3.2 File request and upload data
When a Customer creates a file request, we store the request title, description, the Contact's email address, an optional plaintext message, file-type and size constraints, and the magic token (hashed at rest). When a Contact uploads a file, we store the file itself, its filename, MIME type, size, a SHA-256 hash, the result of our virus scan, and a record of the upload event.
3.3 Audit and security logs
For every meaningful action (login, password change, MFA change, file upload, file download, account creation, etc.) we record the actor, the action, a timestamp, the originating IP address, and the User-Agent string. This information is used for security investigations and to provide an audit trail to the Customer for their own records.
3.4 Device information
To detect sign-ins from unfamiliar devices, we store a fingerprint derived from the Customer's User-Agent and the truncated IP block (the /24 for IPv4 or /64 for IPv6 - never the full IP) of each successful sign-in. Customers can view and revoke recognised devices from their settings page.
3.5 Information we do NOT collect
- We do not use third-party analytics, advertising trackers, or behavioural profiling tools on the application.
- We do not collect biometric data. WebAuthn passkeys are stored as public-key credentials; the underlying biometric never leaves the user's device.
- We do not knowingly collect information from children. See section 12.
4. How we use information
We use the information we collect to:
- Provide, secure, and maintain the Service.
- Authenticate users, enforce account-level access control, and detect unauthorised access.
- Scan uploaded files for malware. Files identified as malicious are deleted from storage, and the Customer is notified.
- Send transactional emails (invite links, upload notifications, security alerts, password reset links).
- Comply with legal obligations and respond to lawful requests.
We do not sell personal information. We do not share personal information with third parties for advertising purposes. We do not use uploaded files to train any machine-learning model.
5. Sharing and sub-processors
We share information with a small set of vendors who help us operate the Service. Each sub-processor receives only the information needed for their function and is contractually obligated to handle it in line with this policy.
- Email delivery (SMTP provider) - used to deliver invite, summary, security, and password-reset emails. The provider sees the recipient address and the contents of the email body.
- Hosting infrastructure - our application, database, and object storage run on virtual private servers in Canadian data centres. The hosting provider has physical access to the underlying hardware but does not access our application data in the normal course of business.
Object storage and virus scanning are operated by us on our own infrastructure; they are not separate sub-processors.
A current list of sub-processors is available on request. If we add a new sub-processor, we will update this policy and (where the change is material) notify Customers in advance.
6. Where your information is stored
Application data, database, and uploaded files are stored on servers located in Canada. Email is delivered by an SMTP provider that may route messages through servers outside Canada in transit; the contents of email bodies are protected by TLS during transmission.
If we ever change the primary jurisdiction of storage, we will update this policy and notify Customers in advance.
7. How long we keep information
- Account information - kept for as long as the account is active, then deleted within 90 days of account closure unless retention is required by law.
- Uploaded files - kept for the lifetime of the associated request, which by default expires 30 days after creation. Customers may delete files and requests at any time.
- Audit logs - kept for up to 12 months from the event date, then deleted.
- Email delivery logs - retained briefly by the SMTP provider per their policy; we do not retain a separate copy.
8. Security
We use industry-standard measures to protect information, including TLS in transit, authentication secrets hashed or encrypted at rest (Argon2id for passwords, AES-256-GCM for TOTP secrets), HTTP-only secure session cookies, virus scanning of all Contact uploads, and per-event audit logging. Multi-factor authentication is available on every account.
No system is perfectly secure. If we become aware of a breach affecting your information, we will notify affected Customers and, where required, the relevant regulator without unreasonable delay.
9. Your rights under PIPEDA
If you are an individual whose information we hold, you have the right to:
- Request access to the personal information we hold about you and information about how it has been used and disclosed.
- Request correction of inaccurate or incomplete information.
- Withdraw consent to our processing, subject to legal or contractual constraints (e.g. we cannot continue providing the Service if you withdraw consent to processing your account credentials).
- File a complaint with the Office of the Privacy Commissioner of Canada if you believe we have not handled your information in accordance with the law.
Contacts whose files were uploaded at a Customer's request should generally direct access and correction requests to the Customer who collected those files; we will assist the Customer in responding.
10. Notice for California residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you additional rights. Subject to verification of your identity:
- Right to know - you may request the categories and specific pieces of personal information we have collected about you, the sources, and the purposes.
- Right to delete - you may request deletion of personal information we hold, subject to legal exceptions.
- Right to correct - you may request correction of inaccurate personal information.
- Right to limit use of sensitive personal information - we do not use sensitive personal information beyond providing the Service, so this right is exercised by default.
- Right to non-discrimination - exercising any of these rights does not affect the price or quality of the Service.
We do not "sell" or "share" personal information as those terms are defined under the CCPA. We do not knowingly collect personal information from California residents under the age of 16.
12. Children
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us using the details below and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. The version number and effective date at the top of this page reflect the current published version. We bump the version only when the meaning of a clause changes, not for typo or formatting fixes. When the change is material, we will notify Customers by email before the change takes effect.
14. Contact us
To exercise any of the rights described above, or to ask questions about this policy, contact us at:
privacy@viscousbits.ca