9Vault, LLC, a South Dakota limited liability company ("9Vault", "we", "us", or "our"), operates the 9Vault web application at app.9vault.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. It should be read together with our Terms of Service.
Controller vs. processor. For your account and billing information, we act as a data controller. For the Five9 configuration data and credentials you connect so we can manage your contact-center environment on your behalf, we act as a data processor under your instructions — you are the controller of that data.
1. Information We Collect
Account Information. When you register, we collect your name, email address, and a password (hashed and salted — never stored in plain text), along with your role, organization/team, and plan selection.
Five9 Credentials. If you store Five9 API credentials in 9Vault, their secret values are encrypted at rest using AES-256 with a user-specific derived key. We cannot read your Five9 passwords in plain text.
Configuration Data. When you connect an environment and use the Service, we read, process, and (when you direct it) store configuration from that environment — for example skills, campaigns, users, dispositions, IVR/Studio scripts, prompts, numbers/DNIS, and call lists — along with the backups, exports, comparisons, and manifests generated from it. This may include the business contact details of agents and administrators within your environment. We process it on your behalf to provide the Service.
Team & Invitation Data. Email addresses and roles of colleagues you invite, and the access and approval settings you configure.
Authentication Data. Multi-factor authentication (MFA) enrollment status and verification codes used at sign-in.
Usage & Audit Data. Records of actions taken in the Service (such as logins, backups, restores, edits, and policy changes), plus standard server logs including IP address, browser type, pages visited, and timestamps. These are used for security monitoring, audit, and service improvement.
Cookies & Session Data. We use session cookies to keep you authenticated and a bot-prevention challenge (Cloudflare Turnstile) during registration. See our Cookie Policy for details.
2. How We Use Your Information
- To provide, operate, and maintain the 9Vault service
- To authenticate you, enable MFA, and manage your account and team
- To connect to the Five9 API on your behalf using your stored credentials
- To execute the backup, export, restore, bulk, and other operations you configure or initiate
- To maintain audit logs and detect, prevent, and respond to security threats and abuse
- To send transactional emails (job notifications, invitations, password resets, account alerts)
- To administer plans, trials, and billing
- To improve and develop new features
We do not sell your personal information, and we do not use your configuration data for advertising.
3. Data Storage & Security
Your data is hosted on Google Cloud Platform (GCP) infrastructure. We implement industry-standard security measures including:
- AES-256 encryption for stored Five9 credentials, with a per-user derived key
- Salted password hashing — passwords are never stored in plain text
- HTTPS/TLS for all data in transit
- Server-side session management with secure, HTTP-only cookies
- Role-based access control, team and portfolio-access policies, optional approval workflows, and optional multi-factor authentication
- Activity and audit logging to support detection of unauthorized or unexpected actions
- Regular security updates and dependency audits
No method of transmission or storage is completely secure. You play a critical role in protecting your data: keep your credentials confidential, enable MFA, manage team roles carefully, review your audit logs, and notify us immediately at support@9vault.io if you suspect unauthorized access. As described in our Terms of Service, activity performed through valid credentials is treated as authorized by you.
4. Data Sharing & Third Parties
We do not sell, rent, or trade your personal information. We share data only with the service providers (subprocessors) needed to operate the Service, under confidentiality and data-protection obligations:
| Provider | Purpose | Data involved |
|---|---|---|
| Google Cloud Platform | Application hosting, database, and storage of backups, exports, and artifacts | Account data, configuration data, logs |
| Five9, Inc. | Performing the operations you request against your environment | Your credentials and configuration data (transmitted to the Five9 API) |
| Mailgun | Transactional email delivery | Email address, message content |
| Cloudflare (Turnstile) | Bot/abuse prevention during registration | IP address, device signals |
We may also disclose information if required by law, subpoena, or court order, to enforce our Terms, to protect the rights, safety, or security of users or the public, or in connection with a merger, acquisition, or sale of assets (subject to this Policy). Connected platforms such as Five9 are independent third parties governed by their own privacy terms; we are not responsible for their practices.
5. Data Retention
Account data is retained for as long as your account is active. Backup files are retained according to your configured retention policy and our operational and legal needs. When you delete your account, we remove your personal data and stored credentials within 30 days, except where retention is required by law or to resolve disputes. Anonymized usage statistics may be retained indefinitely. You can export data you wish to keep before closing your account.
6. Legal Bases (EEA/UK)
Where the EU/UK GDPR applies, we rely on: performance of a contract (to provide the Service); legitimate interests (to secure, support, and improve the Service and prevent abuse); consent (where required); and legal obligation (to comply with law). For configuration data processed on your behalf, you are the controller and we act on your instructions as processor.
7. Your Rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate information
- Request deletion of your account and associated data
- Export your data in a portable format
- Restrict or object to certain processing, and withdraw consent for optional processing
Residents of the EEA/UK have rights under the GDPR; California residents have rights under the CCPA/CPRA, including the right to know, delete, and correct, and to not be discriminated against for exercising those rights (we do not sell or "share" personal information for cross-context behavioral advertising). To exercise any of these rights, contact us at privacy@9vault.io. If you are a member of a team, certain requests may be directed to your account owner (controller). You may also lodge a complaint with your local data-protection authority.
8. International Data Transfers
We and our subprocessors may process information in countries other than your own, including the United States. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers. By using the Service, you understand that your information may be transferred to and processed in these locations.
9. Children's Privacy
9Vault is intended for business use by adults and is not directed at individuals under 18. We do not knowingly collect personal information from minors.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date, and, where appropriate, by email or in-app notice. Continued use of the service after changes constitutes acceptance.
11. Contact Us
If you have questions about this Privacy Policy, please contact us at privacy@9vault.io.