Privacy Policy

Effective April 14, 2026

BlueRock Vault LLC ("BlueRock Vault," "we," "us," or "our") operates bluerockvault.com and the BlueRock Vault document-management service (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices and rights you have over it.

By using the Service you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

1. Who we are

BlueRock Vault LLC is a Delaware limited liability company. You can reach us for privacy questions, data subject requests, or anything else through the contact form. A postal mailing address is available on request through that form.

2. Information we collect

2.1 Information you provide

  • Account information — name, email address, and (optionally) a phone number for receiving verification codes and compliance alerts via SMS.
  • Business information — the business name, industry, number of locations, and addresses you enter during onboarding or on the locations page.
  • Documents and document metadata — files you upload (licenses, contracts, insurance certificates, permits, and other business records), filenames, folder names, and any tags, expiration dates, or notes you attach to them.
  • Team and invitation data — the email addresses, names, and roles of people you invite to your account.
  • Billing information — plan selection and billing contact. Credit-card numbers are collected and stored exclusively by our payment processor (Stripe, Inc.); we never see or store the full card number on our servers.
  • Support and feedback — messages you send through our contact form or feedback tool, including any screenshots you attach.

2.2 Information collected automatically

  • Log data — IP address, browser type and version, operating system, pages viewed, referring URL, and timestamps. We use this for security monitoring, fraud prevention, and to diagnose service issues.
  • Audit trail — actions taken within your account (who uploaded, renamed, moved, or downloaded a document, and when). This is a feature of the Service and is visible to authorized administrators of your business.
  • Cookies — we use first-party cookies to keep you signed in and to remember basic preferences. We do not use advertising cookies or third-party tracking cookies.

2.3 Information we do NOT collect

We do not knowingly collect data from anyone under the age of 13. The Service is intended for use by businesses and their authorized personnel, not by children.

3. How we use your information

  • To operate, maintain, and secure the Service, including processing uploads, running expiration reminders, generating audit trails, and enforcing access control.
  • To process billing, manage subscriptions, and send transactional emails (account verification, password resets, invitation emails, renewal reminders, billing receipts).
  • To extract structured data (such as expiration dates, policy numbers, and amounts) from documents you upload, using automated processing described in Section 5.
  • To provide customer support and respond to your inquiries.
  • To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity, and to comply with legal obligations.
  • To improve the Service — for example, to analyze aggregated usage trends and fix bugs. We do not use the contents of your documents to train generative AI models.

4. Legal bases (for users in the EEA / UK)

If you are in the European Economic Area or the United Kingdom, we process your personal information under one or more of the following legal bases:

  • Contract — to provide the Service you have signed up for.
  • Legitimate interests — to secure the Service, prevent abuse, and improve the product, balanced against your rights.
  • Legal obligation — to comply with tax, accounting, or lawful requests from public authorities.
  • Consent — where you have given it (for example, optional marketing emails you can unsubscribe from at any time).

5. Automated processing (AI extraction)

When you upload a document, we may send the document or its text contents to a third-party AI provider strictly to extract structured fields (dates, amounts, policy numbers, parties). The AI provider acts as our sub-processor under a data-processing agreement that prohibits them from using your content to train their models. We do not make employment, credit, or other legally significant decisions about you based on automated processing; the extraction is a convenience feature and you can always review, edit, or delete the extracted fields.

6. SMS / text messaging

If you provide a phone number and opt in to SMS communications, we may send you text messages for account verification codes and time-sensitive compliance alerts (such as license expirations). We will not send marketing or promotional messages via SMS.

  • Consent — you must affirmatively check the SMS consent box when providing your phone number. You can withdraw consent at any time by replying STOP to any message, removing your phone number from your Account page, or contacting us.
  • Message frequency — varies based on your account activity. Verification codes are sent once per sign-in attempt. Compliance alerts are sent only when action is required (e.g., a license is approaching expiration).
  • Costs — message and data rates may apply based on your mobile carrier plan. BlueRock Vault does not charge for SMS messages.
  • Carriers — carriers are not liable for delayed or undelivered messages.
  • Help — reply HELP to any message or contact us through the contact form for assistance.

SMS messages are delivered through our messaging provider (Telnyx or Twilio) under a data-processing agreement. Your phone number is shared only with that provider for the purpose of delivering messages and is not shared with any other third party for marketing purposes.

7. Sharing and sub-processors

We do not sell your personal information, and we do not share it with third parties for their own marketing. We share information only with the sub-processors who help us run the Service, each under a contract with confidentiality and security obligations:

  • Hosting & database — Supabase and Amazon Web Services (United States).
  • Object storage — Amazon S3 (United States) for document files.
  • Payments — Stripe, Inc. (United States).
  • Transactional email — our email delivery provider (SMTP relay configured by us; the active provider is identified in our internal sub-processor list available on request).
  • AI extraction — Anthropic and/or OpenAI, used only to process documents you upload; content is not used to train their models.
  • SMS messaging — Telnyx or Twilio (United States) for delivering verification codes and compliance alerts via text message.

We may also disclose information (a) to comply with a subpoena or other lawful process, (b) to protect the rights, property, or safety of BlueRock Vault, our customers, or others, and (c) in connection with a merger, acquisition, or sale of assets, in which case we will require the successor to honor this Policy or notify you of material changes.

8. Data retention

We retain your account information and documents for as long as your account is active. If you cancel your subscription, your documents remain available in a read-only state for 30 days and are then permanently deleted from active systems. Backup copies are retained for up to 90 additional days before being overwritten. Audit logs are retained for at least one year to support security investigations. You can request earlier deletion through the contact form, subject to any legal obligations we have to retain certain records (for example, tax or accounting records).

9. Security

We use commercially reasonable technical and organizational measures to protect your information, including TLS encryption in transit, AES-256 encryption at rest, role-based access control, audit logging, and least-privilege administrative access. No system is perfectly secure, and we cannot guarantee that unauthorized access will never occur. If we become aware of a breach that affects your personal information, we will notify you and, where required, regulators within the time frames set by applicable law.

10. Your rights

10.1 All users

You can access, correct, export, or delete most account data directly from within the Service. For anything you cannot do yourself, you can contact us through the contact form.

10.2 California residents (CCPA / CPRA)

If you are a California resident, you have the right to (a) know what personal information we collect and how we use it, (b) request a copy of that information, (c) request correction or deletion, (d) opt out of "sales" or "sharing" of personal information — we do neither, and (e) be free from discrimination for exercising these rights. To exercise these rights, submit a request through the contact form. We may verify your identity by matching the request to information already on your account.

10.3 EEA / UK residents (GDPR)

If you are in the EEA or UK, you additionally have the right to object to or restrict processing, to data portability, to withdraw consent where we rely on consent, and to lodge a complaint with your local supervisory authority. For EEA residents we act as the data controller for your account data and as a data processor for the documents you upload.

11. International transfers

The Service is hosted in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, and stored and processed in, the United States. Where required, we rely on the EU Standard Contractual Clauses (or equivalent UK mechanisms) to protect transfers from the EEA / UK.

12. Third-party links

The Service may contain links to third-party websites that we do not control. This Policy does not apply to those sites, and we encourage you to review their privacy policies.

13. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

14. Changes to this Policy

We may update this Policy from time to time. If we make material changes we will update the "Effective" date above and notify you by email or an in-app notice before the change takes effect, where practical.

15. Contact

Questions or requests? Use the contact form. A postal address is available on request and for the exercise of privacy rights.