Privacy Policy
The Vilkax Privacy Policy is the canonical contract on what we collect, why, how long we keep it, and your rights under GDPR, CCPA, and the local data-protection laws that apply.
What we collect
- Account email — the only field required to use Vilkax. Stored case-insensitive, hash-indexed (SHA-256) for query, and AES-256-GCM encrypted at rest.
- Phone number — only if you choose to enrol one (smart 2FA fallback, SMS scam scanning on Pro+). Stored as a SHA-256 hash in our hot indexes; the raw number is held encrypted.
- Crypto wallet addresses — only the addresses you explicitly register. Public on-chain data we monitor against threat-intel feeds. Never your private keys.
- Postal address — only if you choose to provide one for shipping rewards or compliance KYC.
- Threat metadata — for messages you forward or share to Vilkax for scanning, we keep the verdict (kind, category, risk_score, severity) but discard the raw body after the scan completes.
- Device fingerprint — OS, browser, hashed UA, last-seen timestamp. Used by smart 2FA to detect anomalous sign-ins.
- Audit log — every state-changing action you take, with actor, target, IP, and timestamp. Hash-chained so tampering is detectable.
What we do NOT collect
- The contents of your inbox, messaging apps, or files. The desktop agent reports event metadata only.
- Your private keys, seed phrases, or wallet recovery material. Ever.
- Precise geolocation. We log coarse country code only.
- Cross-site browsing behavior. We don't run trackers; the only third-party loads on the marketing site are Google Fonts (Manrope) and Cloudflare Turnstile (the captcha).
- Behavioral data for advertising. Vilkax has no ads business.
Your rights
- Access — request a JSON export of your row + every shield event ever raised on your behalf.
- Rectification — fix wrong data via the app's Settings page or by emailing [email protected].
- Erasure — soft-delete in 30 days, hard-delete in 90 (configurable on Enterprise).
- Portability — the JSON export is machine-readable for moving to another provider.
- Explanation — every automated decision (threat score, AI tier, anomaly flag) is logged with its inputs. You can request the row that drove any specific call.
Where data lives
Account data is stored in Postgres in a single primary region (currently us-central1). Cloudflare's edge cache holds only public, anonymous data (marketing pages, public state aggregates).
Contact
Privacy questions: [email protected]
Data protection officer: [email protected]
Security disclosures: /.well-known/security.txt
Last updated: 2026-05-12 · Version v1