Privacy Policy
Last updated: 12 June 2026
1. Introduction
VaultAir Systems (Pty) Ltd ("VaultAir", "we", "us", or "our") operates this website at vaultair.systems (the "Website") and builds privacy-first products such as Jan on Health and LenNotes. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you visit the Website, submit our contact form, or otherwise interact with us.
We are committed to protecting your privacy and handling your information responsibly. This Policy is designed to comply with the Protection of Personal Information Act, 2013 (POPIA) in South Africa; the General Data Protection Regulation (GDPR) in the European Union and European Economic Area; the UK GDPR and Data Protection Act 2018; and other applicable data protection laws in countries where we operate.
This Policy covers the VaultAir corporate Website only. Our individual products are governed by their own privacy notices: Jan on Health at janonhealth.com/privacy, and LenNotes at vaultair.systems/lennotes/privacy. Please read this Policy together with our Terms of Service.
2. Who Is Responsible for Your Data
The data controller and responsible party for the Website is:
- VaultAir Systems (Pty) Ltd
- Company registration number: 2025/540482/07
- Registered address: Stellenbosch, 7600, Western Cape, Republic of South Africa
- Email: info@vaultair.systems
- Privacy requests: privacy@vaultair.systems
Information Officer (POPIA): Jan Pool, contactable at privacy@vaultair.systems with the subject line "Information Officer". POPIA requires responsible parties to register their Information Officer with the Information Regulator of South Africa.
EU/UK representative (GDPR Article 27 / UK GDPR): VaultAir does not currently maintain an establishment in the European Economic Area or United Kingdom. If you are in the EEA or UK, contact us at privacy@vaultair.systems with the subject line "EU/UK Privacy". Where applicable law requires us to appoint an EU or UK representative under Article 27, we will appoint one and publish their contact details on this page.
3. Information We Collect
We collect only the information we need to operate the Website and respond to you. We do not require you to create an account to browse the Website.
Information you provide: When you complete our contact form we collect your name, email address, subject, and the content of your message. If you contact us by email, we receive whatever information you include.
Technical and usage data: When you visit the Website we and our service providers may collect your IP address, browser and device type, pages viewed, and the date and time of access. We use your IP address to apply rate limiting and to help prevent abuse of our contact form.
Analytics data: With your consent, we use Google Analytics 4 to understand how visitors use the Website (for example, page views, approximate location, and device type). Analytics is loaded only after you accept analytics cookies in our consent banner.
Observability data: We use Pydantic Logfire to record error logs and performance traces so we can keep the Website reliable and secure. These logs may include technical identifiers such as an IP address.
We do not intentionally collect special categories of personal information (such as health data) through this corporate Website. Please do not include sensitive information in contact-form messages.
4. How We Use Your Information
We use personal information only for lawful purposes, including to:
- respond to your enquiries and provide support;
- operate, maintain, secure, and improve the Website;
- detect, prevent, and investigate abuse, fraud, and security incidents;
- understand aggregate usage so we can improve our content and services;
- comply with our legal obligations; and
- establish, exercise, or defend legal claims.
We do not sell your personal information, and we do not use the information you submit through the Website for third-party advertising. We do not use your contact-form messages for automated decision-making that produces legal or similarly significant effects on you.
5. Legal Bases for Processing
Depending on your location and the type of data, we rely on one or more of the following legal bases under GDPR Article 6 and the equivalent justifications under POPIA:
Consent: For analytics cookies and any optional communications, where consent is required.
Legitimate interests: To respond to your enquiries, secure the Website, prevent abuse, and improve our services, balanced against your rights and freedoms.
Legal obligation: To comply with tax, accounting, regulatory, and lawful requests from authorities.
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6. How We Share Information
We share personal information only as described below. All service providers (operators/processors) are bound by contractual obligations to protect your data and to process it only on our instructions.
Amazon Web Services (AWS): Cloud hosting and transactional email delivery (Amazon SES) for the contact form, primarily in the eu-west-1 (Ireland) region.
Google (Google Ireland Limited / Google LLC): Website analytics via Google Analytics 4, loaded only with your consent.
Pydantic Logfire: Observability, logging, and error monitoring, hosted in the European Union.
Professional advisers: Legal, accounting, or compliance advisers when reasonably needed.
Authorities: Law enforcement or regulators when required by valid legal process.
We may also share information in connection with a merger, acquisition, or sale of assets, with notice where required by law. A current list of service providers is available on request at privacy@vaultair.systems.
7. International Data Transfers
VaultAir is based in South Africa. Your information may be processed in South Africa, the European Union, the United States, and other countries where our service providers operate.
Where personal data is transferred from the EEA, UK, or other jurisdictions that require safeguards, we rely on appropriate mechanisms such as the European Commission Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement or Addendum, adequacy decisions where available, or your explicit consent where required. You may request a copy of the applicable transfer safeguards by contacting us.
8. Data Retention
We retain personal information only for as long as necessary for the purposes described in this Policy, unless a longer period is required by law.
Contact-form and email correspondence: Retained for as long as needed to handle your enquiry and for a reasonable period afterwards for record-keeping, typically up to 24 months.
Analytics data: Retained according to our Google Analytics configuration and Google’s retention controls.
Logs and observability data: Retained for a limited period for troubleshooting and security.
When data is no longer needed, we delete or anonymise it in accordance with our retention practices.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- encryption in transit using HTTPS/TLS;
- encryption at rest where supported by our cloud provider;
- access controls and authentication for internal systems;
- rate limiting and abuse protection on the contact form;
- limited retention of logs and personal data; and
- due-diligence assessment of service providers that handle personal data.
No system is completely secure. While we work hard to protect your information, we cannot guarantee absolute security.
10. Your Rights
Depending on where you live, you may have the following rights regarding your personal information:
Access: Request a copy of the personal information we hold about you.
Rectification: Correct inaccurate or incomplete information.
Erasure: Request deletion of your personal information ("right to be forgotten").
Restriction: Ask us to limit processing in certain circumstances.
Portability: Receive your data in a structured, machine-readable format where applicable.
Objection: Object to processing based on legitimate interests.
Withdraw consent: Withdraw consent at any time where processing is based on consent.
Complaint: Lodge a complaint with a supervisory authority.
To exercise your rights, email privacy@vaultair.systems with the subject line "Privacy Request". We may need to verify your identity. We aim to respond within 30 days, or sooner where required by law (such as one month under GDPR).
South Africa (POPIA): You may also complain to the Information Regulator (South Africa) at inforegulator.org.za. European Union (GDPR): You may contact your local data protection authority; a list is available at edpb.europa.eu. United Kingdom (UK GDPR): You may contact the Information Commissioner’s Office (ICO) at ico.org.uk.
11. Cookies and Analytics
When you visit our Website, we and our service providers may use cookies, local storage, and similar technologies. You can manage your choices through our cookie consent banner and your browser settings.
Essential cookies and storage: Necessary for the Website to function, including remembering your cookie preferences. These are always active and do not require consent.
Analytics cookies: Google Analytics 4 helps us understand how visitors use the Website. These load only after you accept analytics cookies in our consent banner.
You can change your preferences at any time by clearing site data in your browser, or by clearing the "cookie-consent-preferences" entry from local storage to see the banner again. Disabling essential cookies may affect Website functionality.
12. Children’s Privacy
The Website is intended for users aged 18 and over. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@vaultair.systems and we will delete it promptly.
13. Data Breach Notification
If a personal data breach (a "security compromise" under POPIA) is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected individuals as required by law. Where GDPR or UK GDPR applies, we aim to notify the competent authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Under POPIA, we notify the Information Regulator and affected data subjects as soon as reasonably possible after discovery.
14. Third-Party Links and Products
Our Website links to third-party sites and to our own products, including Jan on Health and LenNotes, which have their own privacy notices and terms. We are not responsible for the privacy practices of third-party sites. Please review the relevant privacy policy before providing personal information.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date above and, where changes are material, take reasonable steps to notify you. Where applicable law requires renewed consent, we will ask for it before applying the changes.
16. Contact Us
For privacy questions, rights requests, or complaints, contact:
- VaultAir Systems (Pty) Ltd
- Company registration number: 2025/540482/07
- Registered address: Stellenbosch, 7600, Western Cape, Republic of South Africa
- Information Officer: Jan Pool
- Email: privacy@vaultair.systems (subject: "Privacy Request" or "Information Officer")
- General enquiries: info@vaultair.systems
