Privacy Policy

Last updated: 21 April 2026

This Privacy Policy explains how Nanamantis Investment Holdings (Pty) Ltd ("Vaulora", "we", "us", "our") collects, uses, stores, and shares personal information when you use the Vaulora platform. This policy is written to comply with POPIA (South Africa), UK GDPR, EU GDPR, and CCPA/CPRA (California).

1. Who We Are

Responsible Party / Data Controller: Nanamantis Investment Holdings (Pty) Ltd. Information Officer: legal@nanamantis.com. Physical address: Nanamantis Investment Holdings (Pty) Ltd, KwaDukuza, KwaZulu-Natal, South Africa.

2. What Personal Information We Collect

2.1 Account Data

Full name, email address, password (stored as a cryptographic hash, where set — magic link is the default authentication path and does not require a stored password), phone number (optional, used to infer your country and display currency), ISO country code (derived from your phone number), and timezone.

2.2 Vaulora Content

Content you create and seal in a Vaulora: letters, photos, voice notes, videos, and captions. This content is stored securely and encrypted at rest. It is accessed only for the purpose of delivering your Vaulora.

2.3 Recipient Data

When you create a Vaulora: recipient name, email address, WhatsApp number (optional), and delivery date. This data is provided by you and used solely to deliver the Vaulora on your behalf.

2.4 Payment Data

Payment is processed by Stripe. Vaulora does not receive or store your card number, expiry date, or CVV. We retain transaction amount, date, and Stripe reference for accounting compliance.

2.5 Technical Data

IP address (used to determine your pricing region), browser and device type (standard web server logs), and access timestamps including when a recipient first opens a Vaulora.

3. How We Use Your Personal Information

We use your personal information to create and manage your account (contract); store and deliver Vaulora content (contract); process payments (contract); send delivery notifications (contract); detect your pricing region via IP address (legitimate interests); respond to support enquiries (legitimate interests); and comply with legal obligations.

We do not use your personal information for automated decision-making that produces legal effects. We do not sell your personal information. We do not use your personal information for third-party advertising.

4. Recipient Data: Roles and Responsibilities

When you provide your recipient's contact details, you are acting as a data controller for that recipient's personal information. Vaulora acts as a data processor on your behalf. By providing recipient contact details, you confirm you have a lawful basis to do so and that the recipient can reasonably expect to receive a message from you.

5. Data Retention

Account data is retained until you close your account. On closure, the account is marked for deletion and personal information is retained for a thirty-day grace period during which you may contact us to reverse the closure. After thirty days, personal information is removed from operational systems. Draft Vaulora content is retained until you delete the draft or close your account, whichever occurs first. Sealed Vaulora content is retained indefinitely. Once a Vaulora is sealed, its content cannot be deleted — this is an intrinsic feature of the product, is essential to the delivery commitment, and you consent to indefinite storage at the point of sealing. Payment records are retained for 7 years as required by applicable tax legislation. Server logs are retained for 90 days. Support correspondence is retained for 3 years.

6. Sharing Your Personal Information

We share personal information only with the following processors, all contractually bound to process data only on our instructions:

We may also disclose personal information to law enforcement or regulators where required by applicable law. If Nanamantis Investment Holdings is acquired or merges with another entity, we will notify users before any transfer of personal information takes effect.

6A. Writing Assistance

Vaulora includes optional writing assistance routed via OpenRouter, Inc., a US-based API gateway that forwards requests to free-tier large language models hosted by their providers. Four surfaces offer this assistance today: a Not sure where to start? button in the content step that generates writing prompts tailored to your relationship and context; a Preview how this will read button on the why step that composes a brief introduction from your answers; a Help me find the words button on letter editors that offers light editorial tightening; and a Draft this for me button on the Collective framing step that drafts a curator invitation message.

Each of these is a one-shot assist. We send OpenRouter only the specific text you typed into that surface plus the metadata that surface needs (e.g. the recipient's first name and relationship, the Vaulora shape). We do not send your email address, payment details, or content from other Vauloras. OpenRouter forwards the request to whichever free-tier model is currently serving, at present models hosted by Qwen and NVIDIA, and returns the suggestion to us. The suggestion is always shown to you for review. You may accept, edit, or reject it. Suggestions are never saved to the Platform until you explicitly accept them, and what you accept is your content, the same as anything else you have written in the Platform.

OpenRouter's terms of service prohibit the underlying model providers from training their models on free-tier API inputs and outputs. Your text passes through OpenRouter's infrastructure for routing and is then handled by the model provider under that no-training condition. We do not share writing-assistance inputs or outputs with anyone other than OpenRouter for the purpose of serving your request. Writing-assistance requests are transmitted over HTTPS and are not retained by Vaulora beyond the request lifecycle.

You can use Vaulora in full without ever invoking writing assistance. Nothing is generated, submitted, or logged unless you click one of the assist buttons. If writing guidance is unavailable for any reason, a service outage, a rate limit, or model unavailability, you will see a brief notice and can keep working without it.

7. International Data Transfers

All processors listed above are based in the United States. Transfers from South Africa are made under contractual safeguards that provide protection substantially similar to POPIA, as required by section 72 of POPIA. Transfers from the UK and EU are made under Standard Contractual Clauses as adopted by the European Commission.

8. Security

We implement HTTPS/TLS for all data in transit; AES-256-GCM encryption for Vaulora content at rest; Supabase Row Level Security; Stripe PCI DSS compliance for payment data; and restricted access to production systems. In the event of a data breach posing a risk to your rights, we will notify you and the relevant supervisory authority as required by law.

9. Cookies

We use session cookies for authentication and no advertising or tracking cookies. See our Cookie Policy for full details.

10. Your Rights

10.1 All Users

Access to personal information we hold about you; correction of inaccurate information; and objection to direct marketing at any time.

10.2 GDPR / UK GDPR (EU and UK Users)

Erasure of personal information where there is no legitimate reason to continue processing, including account data such as your name, email address, phone number, country code, and timezone (note: sealed Vaulora content cannot be erased because its delivery is a contractual commitment to the recipient that outlives the account relationship); restriction of processing; data portability; withdrawal of consent where processing is consent-based; and the right to lodge a complaint with your local supervisory authority.

10.3 POPIA (South African Users)

Rights under sections 23 (access), 24 (correction), 11(2)(c) (objection to processing), 11(3) (objection on legitimate interests grounds), and 69 (direct marketing) of POPIA. Submit requests to legal@nanamantis.com. We will respond within 30 days.

10.4 CCPA / CPRA (California Users)

The right to know what personal information is collected; the right to delete personal information; the right to correct inaccurate information; the right to opt out of sale or sharing (we do not sell or share personal information for advertising); and the right to non-discrimination. To exercise California rights, contact legal@nanamantis.com. We will respond within 45 days.

11. Children

The Platform is not directed at children under 18. We do not knowingly collect personal information from children under 18. If you believe a child under 18 has provided personal information to us, contact legal@nanamantis.com and we will delete it promptly.

12. Changes to This Policy

We will notify registered users of material changes by email at least 14 days before they take effect.

13. Contact and Complaints

Information Officer, Nanamantis Investment Holdings (Pty) Ltd. Email: legal@nanamantis.com. Physical address: Nanamantis Investment Holdings (Pty) Ltd, KwaDukuza, KwaZulu-Natal, South Africa.

If you are not satisfied with our response, you may contact: the Information Regulator, South Africa (inforeg.org.za); the ICO, UK (ico.org.uk); your national data protection authority in the EU; or the California Privacy Protection Agency (cppa.ca.gov).