MyReportVault Privacy Policy

Effective date: 24 May 2026
Last updated: 24 May 2026

This Privacy Policy explains how Ian Paul Stapelberg t/a MyReportVault ("MyReportVault", "we", "us", or "our") collects, uses, shares, stores, transfers, and protects personal data when people visit https://myreportvault.com, use https://app.myreportvault.com, access a customer portal, receive secure document notifications, contact us, or otherwise interact with the MyReportVault service.

MyReportVault is an international, business-focused secure document-sharing software-as-a-service platform operated by a South Africa-based sole proprietor. It is designed to help customers share reports, documents, spreadsheets, and related files through controlled portals, access links, notifications, and application programming interfaces. The production Service infrastructure is configured outside South Africa as described in this Policy.

This Policy should be read together with the MyReportVault Terms of Service at https://myreportvault.com/terms.

1. Who we are

The Service is operated by:

Ian Paul Stapelberg t/a MyReportVault
Cedarwood House
Ballywood Office Park
33 Ballyclare Dr
Bryanston
Johannesburg
2191
South Africa

Website: https://myreportvault.com
Application: https://app.myreportvault.com
Privacy and support email: [email protected]

MyReportVault is operated by Ian Paul Stapelberg as a sole proprietor under the trading name "MyReportVault". It is not operated through a separate incorporated company unless we state otherwise in updated legal terms. The South African address above identifies the business operator and legal contact location; it is not a configured production hosting or storage location for the Service.

For privacy enquiries, data protection requests, complaints, or security concerns, contact [email protected].

2. Scope of this Privacy Policy

This Policy applies to personal data processed through or in connection with:

  • the MyReportVault public website;
  • the MyReportVault web application;
  • customer, agency, owner, administrator, staff, and invited viewer accounts;
  • branded or white-labelled customer portals;
  • uploaded reports, documents, spreadsheets, images, archives, and other files;
  • direct uploads, replacement-file workflows, API uploads, and integration workflows;
  • secure document links, login links, invite links, magic links, notifications, and scheduled digests;
  • customer workspace setup, agency subdomains, branding, roles, permissions, client groups, PIN settings, password-protection settings, file expiry settings, and access logs;
  • billing, subscription, checkout, customer billing portal, invoice, tax, refund, and account administration flows;
  • support, feedback, sales, privacy, security, and operational communications;
  • security monitoring, fraud prevention, access logging, abuse prevention, troubleshooting, service maintenance, and legal compliance.

This Policy covers personal data that MyReportVault processes for its own purposes and personal data that MyReportVault processes on behalf of business customers.

Where a customer uploads, configures, sends, stores, or makes available files, reports, client records, viewer details, access settings, expiry settings, portal content, or other customer-controlled content through MyReportVault, the customer normally decides why and how that data is processed. In those cases, MyReportVault normally acts as the customer’s processor, operator, or service provider.

3. Key terms

In this Policy:

  • "Customer" means the business, agency, organisation, professional, sole proprietor, or other person or entity that creates, owns, controls, pays for, or administers a MyReportVault workspace, account, portal, trial, or subscription.
  • "Customer Content" means files, reports, documents, records, spreadsheets, images, archives, client data, personal data, portal configuration, branding, metadata, recipient details, access settings, and other content uploaded, submitted, configured, transmitted, stored, shared, or processed by or for a Customer through the Service.
  • "Invited Viewer" means a client, client contact, recipient, viewer, internal staff member, contractor, representative, or other person invited or authorised to access Customer Content through a portal, link, account, email notification, or other access method.
  • "Service" means the MyReportVault website, application, portals, APIs, hosting, storage, notification, access-control, logging, support, billing, and related functionality.

The terms "personal data", "personal information", "processing", "controller", "processor", "responsible party", "operator", "business", "service provider", and similar terms have the meanings given to them under applicable privacy and data protection laws.

4. Our data protection role

4.1 When MyReportVault acts as controller or responsible party

MyReportVault acts as a controller or responsible party for personal data that we collect and use for our own business, administrative, security, legal, billing, website, support, and service operation purposes. This includes personal data used for:

  • account registration and authentication;
  • customer account and workspace administration;
  • subscription, trial, billing, payment-status, invoice, tax, overage, cancellation, and refund administration;
  • support, sales, privacy, security, and operational communications;
  • website contact forms and enquiries;
  • service announcements, security notices, legal notices, and administrative updates;
  • security monitoring, fraud prevention, abuse prevention, bot prevention, and troubleshooting;
  • service reliability, debugging, maintenance, and basic product improvement;
  • legal compliance, dispute handling, and enforcement of our Terms of Service;
  • business administration, accounting, tax, audit, and recordkeeping.

4.2 When MyReportVault acts as processor, operator, or service provider

MyReportVault generally acts as a processor, operator, or service provider for Customer Content and customer-controlled data, including:

  • uploaded reports, documents, spreadsheets, images, archives, and other files;
  • financial records, operational records, client reports, audit reports, and other customer files;
  • invited viewer, client, staff, contractor, supplier, or business contact details;
  • customer-configured access permissions, groups, roles, and client records;
  • PIN settings, password-protection settings, and access requirements;
  • file expiry and deletion settings;
  • portal branding, agency subdomain, theme, and configuration;
  • audit and access logs created for the customer’s use;
  • document metadata, folder structures, file names, file types, file sizes, upload history, version history, and replacement-file history;
  • API upload instructions, API key metadata, and integration metadata.

For this data, the Customer is normally responsible for determining the lawful basis for processing, giving required notices, selecting correct recipients, configuring access controls appropriately, and deciding how long files should be retained or made available.

4.3 Agency customers and invited viewers

A MyReportVault Customer may be an agency, business, professional services provider, or other organisation. Its Invited Viewers may be the Customer’s own clients, client contacts, employees, contractors, representatives, suppliers, group members, or other authorised recipients.

Uploaded documents may contain personal data about third parties, including a Customer’s clients, employees, suppliers, contractors, shareholders, directors, representatives, or other individuals. MyReportVault does not decide the purpose of that Customer Content. We process it through the Service according to the Customer’s configuration, instructions, and applicable agreements.

5. Personal data we collect directly

5.1 Account owners, administrators, and agency users

We may collect and process:

  • name or business contact identity where provided;
  • email address;
  • agency, business, or organisation name;
  • phone number where provided for registration, verification, account checks, billing, or support;
  • password and authentication data, handled through our authentication provider and stored in protected form;
  • multi-factor authentication status and related authentication metadata where enabled or enforced;
  • workspace membership, role, permission, and invitation information;
  • agency subdomain, workspace identifier, and branding settings;
  • profile, account, session, and device data;
  • support, feedback, sales, privacy, security, and operational communications;
  • billing plan, trial status, subscription status, payment status, invoice status, tax status, refund status, overage status, and usage-limit information;
  • usage records such as storage usage, notification counts, API usage, client counts, administrator counts, file counts, and plan limits;
  • security events, login events, logout events, access events, IP address, browser/device information, request metadata, and technical logs.

5.2 Invited viewers and client contacts

When a Customer invites a viewer, creates a client/contact record, configures a group, or shares a document, we may process:

  • client or viewer name;
  • email address;
  • Customer-assigned client record, group membership, or workspace relationship;
  • access permissions and access history;
  • notification preferences and suppression settings;
  • access settings, including PIN or access-related configuration;
  • login-link, magic-link, invite, digest, or notification delivery records;
  • document access logs, including timestamps, action type, report/file identifier, actor name or identifier, and IP address;
  • browser, device, network, and session information generated during access;
  • information submitted to support if the viewer contacts us directly.

5.3 Website visitors and people who contact us

We may collect:

  • contact details submitted through forms or email;
  • sales, support, security, privacy, legal, or operational messages;
  • IP address, browser/device details, request metadata, and security logs;
  • cookie and session data needed to operate the website and application;
  • anti-abuse verification data when Cloudflare Turnstile or a similar bot-prevention tool is used.

5.4 Billing and payment data

If you subscribe, start a paid plan, make a payment, request a refund, trigger an overage, or access a billing portal, payment and billing functionality may be provided by Lemon Squeezy or another payment provider acting as merchant of record or payment service provider. We may receive or process:

  • subscription status;
  • plan and order details;
  • customer billing profile information;
  • billing email address;
  • payment status and limited payment metadata;
  • invoice, receipt, tax, VAT/GST/sales tax, and refund information;
  • fraud, risk, chargeback, or compliance status information provided by the payment provider;
  • customer billing portal activity and subscription-management events.

MyReportVault does not need to store full card numbers where payment processing is handled by a payment provider. Payment providers may process payment data under their own terms and privacy notices.

6. Personal data processed on behalf of Customers

Customers may upload, configure, or generate data that includes:

  • reports;
  • financial records;
  • spreadsheets, PDFs, CSV files, Office documents, ZIP files, images, and other uploaded documents;
  • operational records;
  • client records;
  • contracts, board materials, strategy documents, proprietary business information, and confidential information;
  • file names, file paths, folder structures, descriptions, file types, file sizes, and versions;
  • recipient, client, employee, contractor, supplier, group, or business contact details;
  • group email addresses and group membership records;
  • notification and digest records;
  • document expiry settings;
  • access-control settings;
  • audit and access logs;
  • API upload metadata;
  • special category, sensitive, confidential, financial, tax, employment, health-related, children’s, criminal-offence, privileged, or regulated data if the Customer chooses to upload it.

Customers must only upload, share, and retain personal data where they have the legal right and appropriate basis to do so. Customers remain responsible for assessing whether MyReportVault is appropriate for the sensitivity, regulatory status, and risk profile of the Customer Content they choose to process through the Service.

7. Sources of personal data

We may receive personal data from:

  • you directly, when you register, log in, contact us, configure an account, subscribe, pay, request support, or use the Service;
  • a MyReportVault Customer, when the Customer creates a client/contact record, uploads files, invites you to a portal, configures your access, or sends notifications;
  • authorised users who administer a Customer workspace;
  • authentication, hosting, storage, email, payment, security, and infrastructure providers used to operate the Service;
  • device, browser, network, application, and server logs generated when you use the Service;
  • Lemon Squeezy or another payment provider, if you subscribe, pay, receive an invoice, request a refund, dispute a charge, or use a billing portal.

If your personal data was provided by a Customer, that Customer is normally responsible for providing you with its own privacy notice and explaining its lawful basis for uploading or sharing your data through MyReportVault.

8. How we use personal data

8.1 Controller/responsible-party purposes

When MyReportVault acts as controller or responsible party, we use personal data to:

  • create, authenticate, secure, and manage accounts;
  • provide access to customer workspaces and portals;
  • send magic links, invite links, onboarding links, password reset links, multi-factor authentication messages, account notices, and operational messages;
  • provide support and respond to enquiries;
  • manage subscriptions, trials, billing status, invoices, refunds, taxes, overages, and plan limits;
  • process payments, checkout, customer billing portal administration, refunds, receipts, chargebacks, and tax records through payment providers where applicable;
  • send service notices, security notices, administrative messages, legal notices, and operational updates;
  • monitor, secure, debug, maintain, and improve the Service;
  • detect, prevent, and investigate fraud, abuse, unauthorised access, spam, malware, phishing, credential compromise, security incidents, and misuse;
  • maintain internal business, tax, accounting, legal, compliance, and audit records;
  • enforce our Terms of Service and acceptable use rules;
  • respond to legal requests, regulatory requests, data subject requests, complaints, disputes, or claims;
  • understand basic service usage and improve reliability, performance, usability, and support.

8.2 Processor/operator/service-provider purposes

When MyReportVault acts as processor, operator, or service provider, we process customer-controlled data to:

  • host uploaded files and document metadata;
  • generate and operate customer portals;
  • enforce customer-configured access controls;
  • deliver secure login links, invite links, notifications, and document notices;
  • verify PINs and access requirements;
  • apply expiry and deletion settings;
  • generate pre-signed upload, open, preview, and download links;
  • maintain access logs and audit records;
  • support direct uploads and API-based integrations;
  • provide version history, replacement-file workflows, storage/account-limit functionality, and audit exports where enabled;
  • provide support, troubleshoot issues, maintain the Service, and comply with customer instructions and our agreements;
  • protect the Service from abuse, fraud, security threats, and unlawful activity.

Where EU GDPR or UK GDPR applies and MyReportVault acts as controller, we rely on the following lawful bases:

| Purpose | Typical lawful basis |
| --- | --- |
| Account creation, login, workspace access, subscriptions, plan limits, support related to the Service, and service delivery | Performance of a contract or steps prior to entering into a contract |
| Sending service, security, account, onboarding, magic-link, invite, password-reset, document-access, and operational emails | Performance of a contract; legitimate interests in operating and securing the Service |
| Billing, payment status, refunds, chargebacks, tax records, invoices, accounting records, overage administration, and customer billing portal administration | Performance of a contract; legal obligation; legitimate interests in business administration |
| Security monitoring, access logs, abuse prevention, fraud prevention, bot prevention, troubleshooting, and system integrity | Legitimate interests in protecting the Service, Customers, Invited Viewers, data, and infrastructure |
| Product improvement, reliability monitoring, basic usage review, and internal administration | Legitimate interests in improving and administering the Service |
| Responding to legal requests, regulatory requests, disputes, complaints, or compliance obligations | Legal obligation; legitimate interests in establishing, exercising, or defending legal rights |
| Optional marketing emails, newsletters, optional analytics, or non-essential cookies if introduced | Consent, or legitimate interests where permitted by law and appropriate opt-out rights are provided |

Where South Africa’s Protection of Personal Information Act, 2013 ("POPIA") applies because MyReportVault is operated by a South Africa-based business, or because POPIA otherwise applies to a specific processing activity, we process personal information in accordance with the lawful processing conditions under POPIA, including accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. POPIA references in this Policy address applicable South African legal obligations; they do not mean that Customer Content or core production Service data is configured to be hosted or stored in South Africa.

Where we rely on legitimate interests, our interests include keeping the Service secure, preventing misuse, supporting Customers, maintaining reliable infrastructure, improving the product, administering our business, and protecting legal rights. We balance these interests against the rights and expectations of affected individuals.

For Customer-controlled content, the Customer is responsible for determining the lawful basis or legal ground for processing its own client, viewer, employee, contractor, supplier, and third-party data.

10. Whether personal data is required

Some personal data is required to provide the Service. For example, account email addresses, authentication data, workspace membership information, client/viewer email addresses, technical security data, and relevant billing data are needed to create accounts, send secure links, provide access, process subscriptions, and protect the Service.

If required information is not provided, we may not be able to create an account, provide access, send notifications, process payments, troubleshoot problems, or comply with legal obligations.

Customers decide what Customer Content to upload and which recipients to invite. Customers should avoid uploading unnecessary personal data.

11. Cookies, local storage, and similar technologies

The Service may use cookies, local storage, and similar technologies for:

  • authentication and session management;
  • remembering workspace, portal, and interface state;
  • security, fraud prevention, abuse prevention, and bot detection;
  • preserving user preferences;
  • application reliability and debugging.

Cloudflare Turnstile or similar anti-abuse tools may be used to distinguish legitimate users from automated abuse.

As of the Last updated date, MyReportVault does not intentionally use third-party advertising cookies or behavioural advertising pixels in the Service. If we introduce optional analytics, marketing cookies, advertising pixels, or similar non-essential tracking, we will update this Policy and provide consent or opt-out controls where required by law.

12. How we share personal data

We may share personal data with:

  • Customers that control the relevant workspace, portal, files, client records, access settings, or viewer records;
  • Authorised Users within a Customer workspace according to that Customer’s configuration;
  • Invited Viewers or recipients selected by the Customer;
  • service providers and subprocessors that help operate the Service;
  • payment providers, merchant-of-record providers, banks, tax processors, and fraud-prevention providers for billing and payment administration;
  • hosting, database, authentication, storage, email, network, security, monitoring, and infrastructure providers;
  • support or professional advisers, such as accountants, legal advisers, or auditors, where reasonably necessary;
  • regulators, courts, law enforcement, public authorities, or other parties where required or permitted by law;
  • parties involved in a dispute, claim, investigation, business transfer, restructuring, or enforcement matter, where reasonably necessary and lawful.

We do not sell Customer Content. We do not use Customer Content for advertising. We do not use Customer Content to train public or general-purpose artificial intelligence models.

13. Customer-controlled sharing

Customers decide who may access Customer Content through the Service. Customer actions may result in data being shared with:

  • invited clients or viewers;
  • internal staff or administrators;
  • groups configured by the Customer;
  • recipients of notifications, magic links, digests, and access links;
  • third-party tools or systems integrated by the Customer;
  • optional external viewers or processors enabled by the Customer.

Customers are responsible for selecting correct recipients, configuring groups and permissions accurately, setting appropriate expiry periods, and ensuring that access links, API keys, credentials, and PINs are protected.

14. Providers, subprocessors, and processing locations

As of 24 May 2026, MyReportVault uses or may use the following providers to operate the Service. The Service is international-first and its core production hosting, database, object-storage, and email-dispatch configuration is outside South Africa. Provider regions are based on the current configuration stated by MyReportVault and the provider’s available region model. Region settings may not cover every provider system, support process, billing system, control plane, security log, email log, or metadata store.

| Provider | Purpose | Configured region / location | Important notes |
| --- | --- | --- | --- |
| Supabase | Database, authentication, backend services, account/session infrastructure, and related platform services | West EU, Ireland, eu-west-1 | Project data is configured in the West EU / Ireland region. Provider account, support, security, telemetry, and control-plane processing may occur outside that region according to Supabase’s terms and infrastructure. |
| Vercel | Application hosting, deployment, serverless/application infrastructure, and related platform services | Dublin, Ireland, dub1 / eu-west-1 | Runtime infrastructure is configured for Dublin where applicable. Builds, logs, edge/network routing, platform analytics, support, and control-plane processing may occur outside that region according to Vercel’s terms and infrastructure. |
| Cloudflare | DNS, network, security, content delivery, anti-abuse, and related infrastructure services | Global network | Cloudflare operates a globally distributed network. Requests may be routed through Cloudflare locations outside the Customer’s or user’s country. |
| Cloudflare R2 | Object storage and related file storage infrastructure for uploaded files | Western Europe, WEUR | R2 bucket placement is configured with a Western Europe location hint/placement. Provider metadata, control-plane, support, and security processing may occur outside that location according to Cloudflare’s terms and infrastructure. |
| Cloudflare Turnstile | Bot detection, anti-abuse checks, and security verification | Global / provider-controlled | Used to protect signup, login, forms, or other abuse-sensitive flows where enabled. |
| Resend | Transactional email delivery, magic links, invite links, service notices, document notifications, digests, and related email infrastructure | Email dispatch from Ireland, eu-west-1 | Region selection controls where emails are routed/sent from. Resend account data, email metadata, logs, and API records may be stored in the United States or other provider-controlled locations regardless of the sending region. |
| Lemon Squeezy | Checkout, merchant-of-record functions, billing portal, subscriptions, invoices, taxes, payment status, refunds, chargebacks, and related payment administration | Provider-controlled | Payment data is processed under Lemon Squeezy’s own terms and privacy notice. Lemon Squeezy may act as an independent controller/merchant of record for some payment data. |
| Microsoft Office Online Viewer / Microsoft 365 viewer services | Optional external rendering of supported unprotected Office/spreadsheet files when enabled by a Customer | Provider-controlled | Only used where the Customer enables external Office/spreadsheet viewing or where a user chooses an external viewer. A pre-signed file URL and the file contents may be provided to Microsoft for rendering. Customers should not enable this for files that must not be processed by Microsoft. |

We may add or replace providers where reasonably necessary to operate, secure, improve, or support the Service. Where a provider processes Customer-controlled personal data as a subprocessor, MyReportVault uses contractual terms requiring appropriate data protection and confidentiality protections.

Customers that require a subprocessor review, transfer assessment, vendor assessment, or data processing agreement should contact [email protected] before uploading high-risk or regulated data. A DPA may be provided on request where reasonably required for the Customer’s use of the Service.

15. International transfers

MyReportVault is an international Service operated by a South Africa-based business. The South African connection is the operator’s place of business and legal contact location; South Africa is not a configured production hosting, database, object-storage, or email-dispatch region for the Service.

The core production configuration for the Service is intended to use EU/Western Europe infrastructure for the primary database, application, and object-storage stack as described above. Transactional email dispatch is configured from Ireland where supported by the email provider. This configuration is not an absolute data-residency guarantee for all systems. Email metadata/logs, billing data, provider control-plane data, security telemetry, support data, network traffic, and optional external viewers may involve processing outside the EU/Western Europe, including in the United States or other provider-controlled locations.

Where EU GDPR, UK GDPR, POPIA, or another data protection law requires safeguards for an international transfer, we use appropriate transfer mechanisms to the extent required by law. These may include adequacy decisions, standard contractual clauses, the European Commission Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum to the European Commission Standard Contractual Clauses, transfer risk assessments, provider data processing terms, and supplementary safeguards.

Customer-controlled transfers may also depend on the Customer’s location, the location of Customer users and Invited Viewers, the content uploaded by the Customer, the Customer’s own legal role, and optional features enabled by the Customer. Customers are responsible for assessing their own transfer obligations for Customer Content and recipient access.

16. Retention

We retain personal data for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

Retention depends on the type of data, the Customer’s configuration, the applicable plan, legal requirements, security requirements, backup cycles, dispute needs, provider limitations, and operational requirements.

Current retention principles include:

  • Account and workspace data: retained while the account or workspace is active and for a reasonable period after closure for administration, security, dispute, backup, and legal purposes.
  • Account deletion and data export: when an account or workspace is deleted, MyReportVault may permanently delete the account, workspace, and Customer Content in accordance with the deletion request and available Service functionality. During the deletion process, the Customer may submit a request for an export or copy of all available Customer Content and account data where reasonably available and not restricted by law, security requirements, other users’ rights, or provider limitations.
  • Customer files and Customer Content: retained according to customer configuration, deletion instructions, expiry settings, subscription status, legal requirements, and Service functionality, subject to backup, security, audit-log, and deletion-cycle limitations.
  • Soft-deleted files: files placed into deletion/quarantine are kept for 30 days before they are permanently purged from active storage, subject to operational, backup, provider, legal, and security limitations.
  • Expired trials: Customer Content in a trial-expired workspace may be permanently deleted after the applicable grace period shown in the Service or plan terms. The current operational purge window is approximately 14 days after trial expiry, subject to operational, legal, backup, and provider limitations.
  • Deleted or expired content: may remain temporarily in backups, deletion queues, security logs, audit logs, email logs, or provider systems before deletion or overwriting in the ordinary course.
  • Audit and access logs: Customer-facing audit logs may be accessed through the Service where available and are retained for 2 years. Audit and access logs may also be used for customer auditability, security, troubleshooting, abuse prevention, compliance, dispute handling, and legal record purposes. Some audit data may be retained after files are deleted to preserve security and compliance records.
  • Generated audit exports: retained according to the export settings and any expiry windows shown in the Service, subject to deletion queues, backups, and provider limitations.
  • Billing, tax, payment, and accounting records: retained for the periods required or permitted by tax, accounting, payment, merchant-of-record, anti-fraud, chargeback, and legal obligations.
  • Support, sales, privacy, and security communications: retained as needed to handle the request, maintain service records, improve the product, investigate issues, protect rights, and comply with legal obligations.
  • Security logs: retained as needed to protect the Service, investigate abuse, debug issues, detect fraud, and maintain reliable operations.
  • Backups: retained and overwritten according to provider and operational backup cycles, and are not used as live production records.

Customers are responsible for configuring expiry, deletion, export, and retention settings appropriately for their own data and legal obligations. Customers should keep independent backups or exports where required for legal, professional, accounting, or business-continuity purposes.

17. Security

MyReportVault uses technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and accidental loss, destruction, damage, alteration, or disclosure.

Security measures may include:

  • encrypted transport using HTTPS/TLS;
  • authentication and session management;
  • password-based authentication, magic-link authentication, invite-link flows, and password-reset flows;
  • multi-factor authentication settings for agency users where available;
  • role-based workspace access for owners, administrators, and clients/viewers;
  • customer-configured client groups and access permissions;
  • PIN protection for selected files where configured;
  • password-protected file handling and encrypted protected-file copies for supported file types where configured;
  • pre-signed upload, preview, open, and download links with expiry windows;
  • file expiry and deletion settings;
  • access logs for login, download, open, and related events;
  • API keys for direct uploads, with Customers responsible for protecting secrets;
  • Cloudflare Turnstile or similar anti-abuse protection;
  • provider-level security controls from hosting, database, storage, email, payment, and network providers;
  • restricted administrative access based on operational need;
  • incident response and investigation procedures appropriate to the size and nature of the Service.

No SaaS service can guarantee absolute security. Customers must configure access controls carefully, protect credentials and API keys, select recipients correctly, use appropriate PIN/password/expiry settings, maintain their own device and email security, and ensure that uploaded content is lawful and suitable for sharing through the Service.

18. Personal data breaches and security incidents

If we become aware of a personal data breach affecting data for which MyReportVault is controller or responsible party, we will take steps required by applicable law, which may include investigating, mitigating, documenting, and notifying affected individuals or regulators where required.

If we become aware of a personal data breach affecting Customer-controlled personal data for which MyReportVault acts as processor, operator, or service provider, we will notify the relevant Customer without undue delay and provide information reasonably available to us. Where POPIA applies to MyReportVault as an operator, we will notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, as required by POPIA.

The Customer is responsible for determining whether notice to regulators, affected individuals, clients, insurers, professional bodies, contractual counterparties, or other parties is required for Customer-controlled data.

Security notices may be sent to the account owner, workspace administrators, billing contact, security contact, or other contact details available to us.

19. Automated decision-making and profiling

MyReportVault does not use solely automated decision-making that produces legal or similarly significant effects for individuals.

The Service may use automated security, anti-abuse, authentication, rate-limit, plan-limit, trial-expiry, notification, expiry, deletion, storage-limit, and access-control logic. These controls help operate and secure the Service, enforce Customer settings, and prevent misuse. They are not intended to make legal decisions about individuals.

20. Children

MyReportVault is intended for business and professional use. It is not directed at children.

Customers must not use MyReportVault to intentionally collect, upload, or share children’s personal data unless they have a lawful basis, appropriate notices, required permissions, and appropriate safeguards under applicable law. If we become aware that a child has created an account or submitted personal data directly without appropriate authority, we may delete or restrict that data.

21. Special category, sensitive, and regulated data

Customers may choose to upload confidential, financial, tax, employment, health-related, children’s, criminal-offence, professional, privileged, or other sensitive or regulated data. MyReportVault does not determine whether Customer Content is sensitive, regulated, lawful, accurate, authorised, or suitable for the Service.

Customers are responsible for:

  • confirming that they have a lawful basis or legal ground to upload, store, and share the data;
  • providing required notices and obtaining required consents or authorisations;
  • selecting appropriate recipients and access controls;
  • completing any required data protection impact assessment, transfer assessment, vendor assessment, or professional compliance assessment;
  • ensuring that use of the Service complies with applicable laws, professional duties, confidentiality obligations, contractual duties, and regulator requirements.

Unless expressly agreed in a signed written agreement, the Service is not designed for raw payment card data requiring PCI DSS compliance, emergency services, life-critical operations, medical treatment decisions, consumer credit decisioning, public file hosting, or use where failure of the Service could reasonably be expected to cause death, personal injury, severe financial loss, or unlawful denial of essential rights.

22. Your privacy rights

Depending on where you are located and which law applies, you may have rights including:

  • the right to be informed about how personal data is used;
  • the right to access personal data;
  • the right to correct inaccurate or incomplete personal data;
  • the right to request deletion of personal data;
  • the right to restrict processing;
  • the right to object to processing based on legitimate interests or direct marketing;
  • the right to data portability;
  • the right to withdraw consent where processing is based on consent;
  • rights relating to automated decision-making where applicable;
  • the right to complain to a supervisory authority or privacy regulator.

For personal data that MyReportVault controls for its own purposes, you may contact us directly.

For data uploaded, configured, or shared by a MyReportVault Customer, the Customer is usually the controller or responsible party. In that case, we may refer your request to the relevant Customer or assist the Customer in responding to your request.

Privacy rights are subject to exceptions, limitations, identity verification, competing legal obligations, security requirements, technical feasibility, and the rights of others.

23. How to exercise your rights

To exercise privacy rights or ask a privacy question, contact:

[email protected]

Please include enough information for us to understand and verify your request. We may request additional information to confirm your identity, confirm your relationship to a Customer workspace, locate relevant records, prevent fraud, or protect other users’ data.

If your request relates to files or records controlled by a Customer, we may ask you to contact that Customer directly or coordinate with the Customer where required or appropriate.

24. Complaints

We encourage you to contact us first at [email protected] so we can try to resolve your concern.

If South African data protection law applies, you may contact the Information Regulator (South Africa).

If EU GDPR applies, you may complain to your local EU/EEA data protection supervisory authority.

If UK GDPR applies, you may complain to the UK Information Commissioner’s Office.

25. Data protection contact, Information Officer, DPO, and representatives

MyReportVault’s privacy contact and data protection lead is:

Ian Paul Stapelberg t/a MyReportVault
Email: [email protected]

For South African POPIA purposes, Ian Paul Stapelberg is the appropriate contact for information officer-related privacy matters for MyReportVault.

MyReportVault has not appointed a separate Data Protection Officer. If the law requires a Data Protection Officer, EU representative, UK representative, or other local representative for a specific processing activity, MyReportVault will take the steps required by applicable law before conducting that processing activity or will rely on an applicable exemption.

Customers planning to use the Service for large-scale processing of EU/UK personal data, special category data, criminal-offence data, children’s data, or other high-risk regulated data should contact MyReportVault before doing so to ensure appropriate contractual, representative, transfer, and risk-assessment arrangements are in place.

The Service may contain links to third-party websites, billing portals, provider pages, external viewers, or external resources. Those third parties are responsible for their own terms, privacy notices, security practices, availability, and processing locations. You should review their privacy notices before providing personal data to them or enabling optional third-party functionality.

Where a Customer enables optional external Office/spreadsheet viewing, supported unprotected files may be opened through Microsoft Office Online Viewer or similar Microsoft services. This may disclose a pre-signed file URL and file contents to Microsoft for rendering. Customers should disable or avoid external viewing for files that must not be processed by Microsoft or by external viewers.

27. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to the Service, providers, regions, law, security practices, or business operations. The updated version will be posted on the website or in the Service with a revised effective or last updated date.

Where changes materially affect Customers or users, we will take reasonable steps to notify affected Customers or users, such as through the Service, by email, or by other appropriate means. Continued use of the Service after the updated Policy takes effect means that the updated Policy applies from its effective date.

28. Contact

Ian Paul Stapelberg t/a MyReportVault
Cedarwood House
Ballywood Office Park
33 Ballyclare Dr
Bryanston
Johannesburg
2191
South Africa

Email: [email protected]
Website: https://myreportvault.com