Privacy Policy

Last updated: 5 May 2026

This Privacy Policy explains how Nanamantis Investment Holdings (Pty) Ltd ("Vaulora", "we", "us", "our") collects, uses, stores, and shares personal information when you use the Vaulora platform at vaulora.com. This policy is drafted to satisfy the requirements of POPIA (Act 4 of 2013, South Africa), EU GDPR (Regulation (EU) 2016/679), UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018), and CCPA/CPRA (California Civil Code sections 1798.100–1798.199).

1. Who We Are

Responsible Party / Data Controller: Nanamantis Investment Holdings (Pty) Ltd, a company incorporated under the laws of the Republic of South Africa. Our Information Officer is responsible for ensuring POPIA compliance and acts as our point of contact for all data protection matters.

Email: legal@nanamantis.com. Physical address: Nanamantis Investment Holdings (Pty) Ltd, KwaDukuza, KwaZulu-Natal, South Africa.

EU and UK users. Nanamantis Investment Holdings (Pty) Ltd is established in South Africa and does not have an establishment in the EU or the UK. EU and UK users may contact us directly at legal@nanamantis.com to exercise any right under this policy. We are evaluating whether the scale of EU and UK user activity requires formal appointment of an EU or UK representative under GDPR Article 27 or UK GDPR Article 27, and will update this policy when that determination is made.

2. What Personal Information We Collect

2.1 Account Data

Full name, email address, password (stored as a cryptographic hash, where set — magic link is the default authentication path and does not require a stored password), phone number (optional, used to infer your country and display currency), ISO country code (derived from your phone number), and timezone.

2.2 Vaulora Content

Content you create and seal in a Vaulora: letters, photos, voice notes, videos, and captions. This content is stored encrypted at rest and accessed only for the purpose of delivering your Vaulora. Vaulora content is deeply personal in nature. Letters in particular may contain sensitive personal information — for example, references to health conditions, family circumstances, relationships, beliefs, religious views, or emotional experiences. These categories may constitute special categories of personal data under EU GDPR Article 9 or UK GDPR Article 9. We treat all Vaulora content as sensitive and apply the highest available access restrictions to it. We process any special category content solely on the basis of your explicit consent, given when you seal the Vaulora containing that content.

2.3 Recipient Data

When you create a Vaulora: recipient name, email address, WhatsApp number (optional), and delivery date. This data is provided by you and used solely to deliver the Vaulora on your behalf.

2.4 Payment Data

Payment is processed by Stripe, Inc. Vaulora does not receive or store your card number, expiry date, or CVV. We retain transaction amount, date, and Stripe reference for accounting and tax compliance.

2.5 Technical Data

IP address (used to determine your pricing region), browser and device type (standard web server logs), and access timestamps including when a recipient first opens a Vaulora.

3. Legal Basis for Processing

We process personal information only where we have a lawful basis. The following maps each processing activity to the applicable legal basis under GDPR and POPIA:

  • Account creation and management — performance of a contract with you (GDPR Art 6(1)(b); POPIA s11(1)(b))
  • Storing and delivering Vaulora content (draft and pre-delivery sealed) — performance of a contract (GDPR Art 6(1)(b); POPIA s11(1)(b))
  • Retaining sealed content between sealing and delivery — legitimate interests: the recipient's reasonable expectation of receiving the Vaulora you sealed for them, and our contractual delivery obligation (GDPR Art 6(1)(f); POPIA s11(1)(f)). See also clause 8 of the Terms of Use for the interaction with deletion rights.
  • Retaining sealed content after delivery — legitimate interests: enabling recipients to revisit the reveal experience and enabling dispute resolution (GDPR Art 6(1)(f); POPIA s11(1)(f)); time-limited as described in section 6
  • Payment processing — performance of a contract and compliance with legal obligation (GDPR Art 6(1)(b) and (c); POPIA s11(1)(b) and (c))
  • Delivery notifications — performance of a contract (GDPR Art 6(1)(b); POPIA s11(1)(b))
  • IP-based region detection — legitimate interests: showing you the correct pricing for your region (GDPR Art 6(1)(f); POPIA s11(1)(f))
  • Support correspondence — legitimate interests: resolving your enquiry (GDPR Art 6(1)(f); POPIA s11(1)(f))
  • Tax and accounting record retention — compliance with legal obligation (GDPR Art 6(1)(c); POPIA s11(1)(c))
  • Writing assistance (optional) — consent, given by you at the moment you click an assist button (GDPR Art 6(1)(a); POPIA s11(1)(a)). See section 8 for details.
  • Special category content in Vauloras — explicit consent given at the point of sealing (GDPR Art 9(2)(a); POPIA s27(1)(a))

We do not use your personal information for automated decision-making that produces legal effects or significantly affects you. Our optional writing assistance uses AI models to generate suggestions for your review; these suggestions do not produce decisions about your account, your rights, or your access to the Platform. The protections in GDPR Article 22 and POPIA section 26 are therefore not engaged in a way that requires specific consent, but we disclose the use of AI-assisted features fully in section 8 of this policy.

4. How We Use Your Personal Information

We use your personal information to: create and manage your account; store, seal, and deliver Vaulora content; process payments and subscriptions; send transactional notifications (delivery confirmations, account notices, payment receipts); detect your pricing region; respond to support enquiries; retain tax and accounting records as required by law; and operate, maintain, and improve the Platform. We do not sell your personal information. We do not use your personal information for third-party advertising or for AI model training.

5. Recipient Data: Roles and Responsibilities

When you provide a recipient's contact details and create a Vaulora for them, you are acting as an independent controller or responsible party in respect of that recipient's personal information: you determine the purpose and means of processing their data (sending a Vaulora). Vaulora processes recipient contact details as a processor acting on your instruction for the sole purpose of delivering the Vaulora.

By providing recipient contact details, you confirm that: you have a lawful basis to share that person's contact details with us for delivery purposes; the recipient can reasonably expect to receive a personal message from you; and, where WhatsApp delivery is selected, you have a lawful basis — including, where required, the recipient's consent — to share their WhatsApp number with Twilio and Meta for the purpose of delivering a WhatsApp notification.

Recipients are not registered users of the Platform. We do not use recipient contact details for any purpose other than delivering the Vaulora you created for them.

6. Data Retention

Account data is retained while your account is active. On closure, personal information is retained for a thirty-day grace period during which you may reverse the closure. After thirty days, account data is permanently deleted from operational systems.

Draft Vaulora content is retained until you delete the draft or close your account, whichever occurs first.

Sealed Vaulora content — pre-delivery is retained from the point of sealing until the Vaulora is delivered. We cannot delete sealed pre-delivery content following a deletion request because the content is still necessary for the purpose for which it was submitted and because our delivery obligation to the recipient requires it to be held intact. The legal basis for this retention is described in sections 3 and 8 of the Terms of Use. If you believe exceptional circumstances justify a deletion request before delivery, contact legal@nanamantis.com.

Sealed Vaulora content — post-delivery is retained for 2 years after delivery to allow recipients to revisit the reveal experience and to allow us to resolve any delivery or content disputes. After that period, post-delivery sealed content is permanently deleted from our servers unless your account remains active and you have not requested deletion, in which case it remains accessible within your account history until account closure. You may request deletion of post-delivery sealed content at any time by contacting legal@nanamantis.com; we will process such requests within 30 days.

Payment records are retained for 7 years as required by South African tax legislation (Income Tax Act 58 of 1962) and applicable accounting standards.

Server logs are retained for 90 days.

Support correspondence is retained for 3 years.

7. Sharing Your Personal Information

We share personal information only with the following processors, each contractually bound to process your data only on our instructions and to implement appropriate security measures:

  • Supabase, Inc. (United States) — database, authentication, and file storage. Supabase hosts all Vaulora content and account data on our behalf.
  • Stripe, Inc. (United States) — payment processing. Stripe receives payment card data directly from your browser; we receive only a transaction confirmation and reference.
  • Twilio, Inc. (United States) — WhatsApp delivery. When WhatsApp delivery is selected, Twilio receives the recipient's WhatsApp number and the delivery notification message.
  • Meta Platforms, Inc. / Meta Platforms Ireland Ltd (United States / Ireland) — WhatsApp messaging infrastructure. When Twilio sends a WhatsApp message, it routes through the WhatsApp Business API operated by Meta. Meta processes the recipient's WhatsApp number and the notification message content as a sub-processor under Meta's Business Messaging Terms. Meta does not receive the full Vaulora content — only the delivery notification message. EU and UK recipients' WhatsApp data is processed by Meta Platforms Ireland Ltd.
  • Resend, Inc. (United States) — email delivery. Resend receives recipient email addresses and the delivery email content when email delivery is selected.
  • OpenRouter, Inc. (United States) — optional AI writing assistance routing. See section 8 for full details.
  • Vercel, Inc. / DigitalOcean, LLC (United States) — cloud hosting and infrastructure. These services host the Platform application and may process technical data (IP addresses, request logs) in the ordinary course of serving the application.

We may also disclose personal information to law enforcement agencies, regulators, or courts where required or permitted by applicable law, including the South African Information Regulator, SARS, or any court of competent jurisdiction. If Nanamantis Investment Holdings is acquired by or merges with another entity, we will notify users before personal information is transferred as part of that transaction, and any acquirer will be bound by this policy or required to obtain your consent to any materially different use of your personal information.

8. Writing Assistance

Vaulora includes optional writing assistance routed via OpenRouter, Inc., a US-based API gateway that forwards requests to free-tier large language models. Four surfaces offer this assistance: a Not sure where to start? button in the content step that generates writing prompts tailored to your relationship and context; a Preview how this will read button on the why step that composes a brief introduction from your answers; a Help me find the words button on letter editors that offers light editorial tightening; and a Draft this for me button on the Collective framing step that drafts a curator invitation message.

Each of these is a one-shot assist. We send OpenRouter only the specific text you typed into that surface plus the contextual metadata that surface requires (for example, the recipient's first name and relationship, the Vaulora shape). We do not send your email address, payment details, or content from other Vauloras. OpenRouter forwards the request to whichever free-tier model is currently serving — at present models hosted by Qwen and NVIDIA — and returns the suggestion. The suggestion is always shown to you for review. You may accept, edit, or reject it. Suggestions are not saved to the Platform until you explicitly accept them.

OpenRouter's terms of service prohibit the underlying model providers from training their models on free-tier API inputs and outputs. Writing-assistance requests are transmitted over HTTPS and are not retained by Vaulora beyond the request lifecycle.

The legal basis for processing your text through writing assistance is your consent, given at the moment you click an assist button. Each click is an independent consent act. You may withdraw consent at any time simply by not using the assist buttons — there is no account-level opt-out because nothing is processed unless you actively initiate it. You can use Vaulora in full without invoking writing assistance.

9. International Data Transfers

All processors listed in section 7 are based in the United States. This means that personal information is transferred outside the Republic of South Africa, the European Economic Area, and the United Kingdom when processed by these services. We address these transfers as follows:

9.1 Transfers from South Africa (POPIA section 72)

Under POPIA section 72, transfers of personal information to a foreign recipient require that the recipient ensures a level of protection substantially similar to POPIA. We rely on the following bases: (a) contractual safeguards incorporated into our data processing agreements with each processor, requiring them to implement protections substantially equivalent to POPIA (section 72(1)(a)); (b) performance of the contract between us and you, which requires the use of these processors to store and deliver your Vaulora (section 72(1)(c)–(d)); and (c) your consent, given at registration by accepting these Terms and this Privacy Policy.

9.2 Transfers from the European Economic Area (EU GDPR Chapter V)

For transfers of EU personal data to processors in the United States, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021 (Commission Implementing Decision (EU) 2021/914), incorporated into our data processing agreements with each processor. Where a processor is certified under the EU-US Data Privacy Framework (EU adequacy decision of 10 July 2023), transfers to that processor may also rely on that adequacy decision.

9.3 Transfers from the United Kingdom (UK GDPR)

For transfers of UK personal data to processors in the United States, we rely on International Data Transfer Agreements (IDTAs) issued by the UK Information Commissioner, or the UK Addendum to the EU SCCs (International Data Transfer Addendum, Version B1.0, effective 21 March 2022). Where a processor participates in the UK-US Data Bridge (UK adequacy regulations effective 12 October 2023), transfers to that processor may also rely on that framework.

10. Security

We implement: HTTPS/TLS for all data in transit; AES-256-GCM encryption for Vaulora content at rest in Supabase storage; Supabase Row Level Security, ensuring each user can access only their own data; Stripe PCI DSS Level 1 compliance for payment data; and access to production systems restricted to authorised personnel only.

Breach notification. In the event of a personal data breach posing a risk to your rights and freedoms: we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Article 33; UK GDPR Article 33); we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34; UK GDPR Article 34); and we will notify the South African Information Regulator and affected data subjects as soon as reasonably possible following discovery of the breach (POPIA section 22).

11. Cookies

We use session cookies for authentication only. These cookies are strictly necessary for the Platform to function and do not require your consent under applicable law. We do not use advertising cookies, tracking cookies, or third-party analytics cookies that identify you across other sites. Our Cookie Policy provides full details of the cookies we set and their purpose.

12. Your Rights

To exercise any of the rights below, contact legal@nanamantis.com with your name, the email address registered on the Platform, and a description of your request. We will not charge a fee for reasonable requests. We may ask you to verify your identity before acting on a request. We will respond within the timeframe applicable to your jurisdiction as set out in the sections below.

12.1 All Users

Regardless of your location, you have the right to: access a copy of the personal information we hold about you; request correction of inaccurate personal information; object to direct marketing at any time; and lodge a complaint with a supervisory authority in your jurisdiction (see section 15).

12.2 South African Users — POPIA (Act 4 of 2013)

If you are a South African data subject, you have the following rights:

  • Section 23 — Right of access: to establish whether we hold personal information about you and to receive a copy of that information.
  • Section 24 — Right to correction, deletion, or destruction: to request that personal information which is inaccurate, irrelevant, excessive, outdated, incomplete, misleading, or unlawfully obtained be corrected or deleted; and to request deletion of personal information that is no longer necessary for the purpose for which it was collected. This right is subject to the limitations in section 6 of this policy in respect of sealed pre-delivery Vaulora content, which remains necessary for its original purpose until delivered.
  • Section 26 and section 11(3) — Right to object: to object to the processing of your personal information where we rely on legitimate interests as the legal basis. On receipt of a valid objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights, or that processing is necessary for the establishment, exercise, or defence of legal claims.
  • Section 69 — Direct marketing: to object at any time to the processing of your personal information for direct marketing. We do not currently carry out direct marketing, but this right will apply if we do so in future.
  • Section 26 — Automated decision-making: not to be subject to a decision that has legal or similarly significant effects and is based solely on automated processing. We do not make such decisions.

We will respond to POPIA requests within 30 days. If we are unable to act on your request, we will explain the reason. You may escalate unresolved complaints to the Information Regulator (see section 15).

12.3 EU Users — GDPR (Regulation (EU) 2016/679)

If you are located in the European Economic Area, you have the following rights under GDPR:

  • Article 15 — Right of access: to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with supplementary information about its use.
  • Article 16 — Right to rectification: to have inaccurate personal data corrected and incomplete personal data completed without undue delay.
  • Article 17 — Right to erasure ("right to be forgotten"): to have personal data erased where it is no longer necessary for the purpose for which it was collected, where consent is withdrawn and there is no other legal basis, where you object successfully under Article 21, or where processing is unlawful. This right does not apply to sealed pre-delivery Vaulora content because the data remains necessary for its original purpose (Article 17(1)(a) requires the data to be no longer necessary — it still is), and because Article 17(3)(e) (retention necessary for the establishment, exercise, or defence of legal claims) applies. This right is fully available for sealed post-delivery content (see section 6) and for all account data.
  • Article 18 — Right to restriction of processing: to request that we restrict processing of your personal data while the accuracy of the data is contested, while an Article 21 objection is pending, where processing is unlawful but you prefer restriction to erasure, or where we no longer need the data but you require it for legal claims.
  • Article 20 — Right to data portability: to receive personal data you have provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and is carried out by automated means.
  • Article 21 — Right to object: to object at any time to processing based on Article 6(1)(f) (legitimate interests). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or that processing is necessary for the establishment, exercise, or defence of legal claims.
  • Article 22 — Automated individual decision-making: not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. We do not make such decisions. Writing assistance produces suggestions for your review only and does not produce decisions about you.
  • Article 77 — Right to lodge a complaint: with your national data protection authority (see section 15).

We will respond to GDPR requests within one month of receipt. For complex or numerous requests we may extend this period by up to two further months, in which case we will notify you of the extension and the reasons within the first month. There is no charge for requests made in good faith.

12.4 UK Users — UK GDPR (UK GDPR and Data Protection Act 2018)

If you are located in the United Kingdom, you have the same rights as listed in section 12.3 above (Articles 15–22 and Article 77), applied under UK GDPR and the Data Protection Act 2018. References to "GDPR" in section 12.3 should be read as UK GDPR for UK users. The supervisory authority for UK data subjects is the Information Commissioner's Office (ICO) at ico.org.uk. We will respond within the same one-month timeframe applicable to EU GDPR requests.

12.5 California Users — CCPA/CPRA (California Civil Code sections 1798.100–1798.199)

We extend the following rights to California residents as a matter of best practice. Note: Vaulora is an early-stage product and may not currently meet the statutory thresholds for mandatory CCPA/CPRA applicability (annual gross revenues exceeding $25 million in California; processing personal information of 100,000 or more California consumers or households annually; or deriving 50% or more of annual revenues from selling California consumers' personal information). We nonetheless extend these rights to California residents:

  • Section 1798.100 — Right to know: to know what categories of personal information we collect about you, the purposes for which we use it, and the categories of third parties to whom we disclose it.
  • Section 1798.105 — Right to delete: to request deletion of personal information we have collected from you. This right is subject to the limitations in section 6 of this policy regarding sealed pre-delivery Vaulora content, which remains necessary for its original purpose until delivered.
  • Section 1798.106 — Right to correct: to request correction of inaccurate personal information we maintain about you.
  • Section 1798.120 — Right to opt out of sale or sharing: to opt out of the sale or sharing of your personal information for cross-context behavioural advertising. We do not sell personal information. We do not share personal information for advertising purposes.
  • Section 1798.121 — Right to limit use of sensitive personal information: to direct us to limit our use of sensitive personal information to the purposes specified in section 1798.121(a). We treat Vaulora content as sensitive and use it only to operate the Platform and deliver your Vaulora.
  • Section 1798.125 — Right to non-discrimination: you will not receive discriminatory treatment for exercising any of these rights.

We will respond to CCPA/CPRA requests within 45 days. We may extend this period by a further 45 days with notice. To exercise California rights, contact legal@nanamantis.com and confirm you are a California resident.

13. Children

The Platform is not directed at children under 18. We do not knowingly collect personal information from children under 18. If you believe a child under 18 has registered an account or otherwise provided personal information directly to us, contact legal@nanamantis.com and we will delete it promptly. This applies to account registrations only — registered users (who must be 18 or older) may create Vauloras that name a child as a recipient, in which case the registered user is the responsible party for the recipient's contact details.

14. Changes to This Policy

We will notify registered users of material changes by email at least 14 days before they take effect. The updated policy will be posted at vaulora.com/legal/privacy. Continued use of the Platform after the effective date constitutes acceptance. If you do not accept a material change, you may close your account before it takes effect.

15. Contact and Complaints

Information Officer, Nanamantis Investment Holdings (Pty) Ltd. Email: legal@nanamantis.com. Physical address: Nanamantis Investment Holdings (Pty) Ltd, KwaDukuza, KwaZulu-Natal, South Africa. We aim to acknowledge all requests within 5 business days and resolve them within the applicable statutory timeframe.

If you are not satisfied with our response, you may contact the relevant supervisory authority:

  • South Africa: Information Regulator — inforeg.org.za — complaints@inforegulator.org.za
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
  • European Union: your national data protection authority. A list of EU supervisory authorities is maintained at edpb.europa.eu/about-edpb/about-edpb/members_en.
  • California: California Privacy Protection Agency — cppa.ca.gov