Privacy Notice

This notice explains what data BlueVault Marketplace (operated by BlueVault Technologies, Inc.) collects from buyers, what we do with it, and what we deliberately don’t store. We try to keep our data footprint as small as regulation allows.

To verify your identity and let you transact, we collect:

• Identity: legal name, date of birth, government ID, confirmation of U.S. citizenship or lawful permanent residency.
• Contact: email address, optional phone number.
• Bank info (partial): the name of your bank, its routing number, and the last four digits of the account you’ll send USD from. We deliberately do not collect or store full account numbers — see Section 4.
• Receive wallet: the public address(es) you’ll receive crypto in, plus a one-time signed message proving you control each address.
• Transaction history: listings you commit to, payment reference codes, dates of deposit confirmation, on-chain transaction hashes.
• Standard server logs: IP address, browser/user-agent, request paths and timestamps, for security and abuse monitoring.

We use the information above to:

• Verify your eligibility to transact on the Marketplace.
• Coordinate purchases between you and sellers (generate payment references, relay deposit confirmations, route on-chain delivery).
• Investigate suspected fraud, abuse, or violations of our Terms of Service.
• Communicate with you about your account and transactions.
• Comply with subpoenas, court orders, and other lawful requests.

Some categories of data carry heightened regulatory obligations (PCI-DSS for full card/account data; CCPA category sensitivity; state money-transmitter rules). We narrow our footprint by not collecting:

• Full bank account numbers. We collect only the last four digits.
• Payment card data of any kind. We do not accept card payments.
• Social Security Numbers, except where required for identity verification and only to the extent required by our verification provider.
• Crypto wallet private keys, seed phrases, or any custody material. Your receive wallet is yours alone — we only know the public address.

USD never sits with us at any point: buyer-to-seller transfers go directly between your bank and the seller’s bank.

We share information only with:

• Verification providers who run identity checks on our behalf. These vendors are bound by data-protection agreements.
• Sellers, but only the minimum needed to settle a specific transaction: your name (so they can match the wire), the payment reference code, and the public address of your receive wallet. Sellers do not see your bank info, identity documents, or other transactions.
• Service providers that host our infrastructure (cloud hosting, email delivery, error monitoring). These are bound by industry- standard data-protection terms.
• Law enforcement and regulators, when required by valid legal process or to comply with applicable law.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

We retain account and transaction records for as long as your account is active, and afterward for the period required by applicable financial-services recordkeeping rules (generally five years). Server logs are retained for a shorter period (typically 90 days for security/abuse review, longer if relevant to an open investigation).

Depending on your state of residence (e.g. California, Virginia, Colorado), you may have the right to:

• Access the personal information we have about you.
• Request correction of inaccurate information.
• Request deletion of your information, subject to our legal recordkeeping obligations.
• Opt out of certain processing.

To exercise any of these rights, email privacy@bluevault.dev. We may need to verify your identity before acting on your request.

We protect your information with administrative, physical, and technical safeguards appropriate to the data’s sensitivity (encryption in transit and at rest, access controls, audit logging). No system is perfectly secure; if a breach affecting your information occurs, we’ll notify you consistent with applicable law.

The Services are not directed to children under 18, and we do not knowingly collect personal information from anyone under 18.

We may update this notice from time to time. If we make material changes, we’ll notify you by email or via the Services.

Privacy questions? Email privacy@bluevault.dev.