Privacy Policy

Last Updated: July 2026

Volidator (referred to as "Volidator," "we," "our," or "us"), operated from India, respects your privacy and is committed to protecting it through our compliance with this Privacy Policy. This policy describes the types of information we may collect from you or that you may provide when you visit our website, use our Dashboard, or interact with our verifiable audit trail infrastructure services (collectively, the "Services"), and our practices for collecting, using, maintaining, protecting, and disclosing that information.

Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Services. By accessing or using the Services, you agree to this Privacy Policy.

1. Important Relationship Clarification

Volidator operates in two distinct legal capacities under privacy regulations such as the General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA"):

  • Data Controller: For account signup information, organization setup metadata, billing details, and login telemetry associated with our direct Customers, Volidator acts as a Data Controller.
  • Data Processor: For the encrypted audit logs ingested, stored, and managed on behalf of our Customers via the Volidator API or SDKs, Volidator acts solely as a Data Processor. Our Customers act as the Data Controllers for their own audit logs.

2. Information We Collect

We collect several types of information from and about users of our Services, including:

  • Account Information: Name, email address, organization name, billing details, and Passkey/WebAuthn credentials. We use WebAuthn Passkeys for passwordless authentication; we only store public key credentials and metadata, and we never possess or store your private key.
  • Inbound Audit Logs: We ingest and store audit logs sent by our Customers. All log payloads are encrypted client-side using AES-GCM (AES-256-GCM) with keying material managed entirely by the Customer. We store only encrypted ciphertexts and blind index hashes. We cannot read, decrypt, or identify any personal data contained within these log payloads.
  • Usage Data and Telemetry: IP addresses (including headers provided by Cloudflare, such as cf-connecting-ip), browser type, operating system, pages visited, time spent, and other diagnostic telemetry generated through your interaction with our Dashboard.
  • Cookies: We use minimal, essential cookies required for session management and dashboard security. We do not use third-party tracking or advertising cookies.

3. How We Use Your Information

We use information that we collect about you or that you provide to us to:

  • Provide, maintain, personalize, and optimize our Services.
  • Authenticate users and secure organization workspace accounts.
  • Process subscription payments and transaction notifications.
  • Analyze service telemetry to monitor performance and prevent security incidents.
  • Comply with legal obligations and enforce our Terms of Service.

4. Sub-processors

To support the delivery of our Services, Volidator engages third-party sub-processors. These sub-processors are bound by contract to protect data in compliance with applicable laws:

  • Cloudflare, Inc.: Provides global hosting, Content Delivery Network (CDN) edge routing, D1 relational databases, and KV caching infrastructure.
  • DodoPayments, Inc. / Stripe, Inc.: Provides secure payment gateway routing and billing subscription management.

We reserve the right to modify, replace, or add to our list of sub-processors. We will provide notice of any sub-processor updates by updating our online documentation or notifying administrators via email.

5. Law Enforcement and Subpoenas

Volidator respects the rule of law and will comply with valid legal processes (such as subpoenas, court orders, or warrants) issued by competent law enforcement agencies. However, because of our Zero-Knowledge architecture:

  • Volidator does not possess the encryption keys required to decrypt customer audit logs.
  • If legally compelled to turn over customer data, Volidator can only hand over encrypted ciphertext payloads and associated account metadata (such as billing logs, signup email addresses, and access IP logs).
  • We cannot decrypt or provide readable plaintext logs under any circumstances, as the cryptographic keys are held exclusively by the Customer.

6. Data Security & Cryptographic Guarantees

We have implemented robust administrative, technical, and physical safeguards designed to secure your personal data from accidental loss and unauthorized access.

  • Log contents are protected by client-side End-to-End Encryption (E2EE) prior to transmission.
  • Session keys are derived client-side.
  • Storage systems utilize blinded indexing to support query matching without revealing the underlying fields to our servers.

7. Data Retention and Deletion

  • Customer Account Data: Account and organization profile data is retained as long as your workspace remains active.
  • Customer Audit Logs: Ingested logs are automatically retained and deleted based on the retention policies of your subscription tier (e.g., 7 days, 30 days, 365 days).
  • Post-Termination Deletion: Upon cancellation or termination of your subscription, all associated encrypted audit log data will be permanently and irreversibly deleted from our database systems within thirty (30) days.

8. Your Data Protection Rights

Depending on your jurisdiction (such as the European Economic Area under GDPR or California under CCPA), you may possess specific rights regarding your personal data:

  • Access and Portability: The right to request copies of your personal data in a structured, commonly used format.
  • Correction: The right to request that we correct inaccurate or incomplete personal data.
  • Deletion ("Right to be Forgotten"): The right to request deletion of your personal data, subject to certain exceptions.
  • Objection and Restriction: The right to request restriction of processing of your personal data.

To exercise any of these rights, please contact us at: Varanasi, India.

9. Children's Privacy

Our Services are intended strictly for enterprise and business users. We do not knowingly collect personal data from children under sixteen (16) years of age. If we learn we have collected personal data from a child under sixteen without verification of parental consent, we will delete that information immediately.

10. Contact Information

If you have questions, comments, or concerns about this Privacy Policy or our privacy practices, please contact us at:

Address: Varanasi, India