Privacy Policy
Last Modified: February 2026
1. Introduction and Controller Information
This Privacy Policy explains how Starbox Group GmbH ("Starbox", "we", "us", or "our"), a Swiss company, collects, uses, and protects your personal data when you use our Vaultbrix database-as-a-service platform. Vaultbrix is a branded application of Starbox Group GmbH.
Data Controller:
Starbox Group GmbH
1288 Geneva, Switzerland
CHE-XXX.XXX.XXX (UID)
Email: privacy@starbox-group.com
2. Data Residency and Sovereignty
Swiss Data Sovereignty
All customer data is hosted exclusively in Switzerland on Infomaniak infrastructure in Geneva. Your data never leaves Swiss jurisdiction - not for backups, not for disaster recovery, not for any reason.
As a Swiss company, Vaultbrix is subject to the Swiss Federal Act on Data Protection (nFADP) and is not subject to the US CLOUD Act or similar foreign data access laws. We are committed to GDPR compliance for EU customers.
3. Information We Collect
3.1 Account Information
- Email address
- Name and organization details
- Payment information (processed via Stripe)
3.2 Technical Information
- IP addresses and access logs
- Browser and device information
- API usage logs
3.3 Analytics (Cookie-Free)
We use Umami, a privacy-focused analytics platform that does not use cookies or track personal data:
- Page views and referrers (aggregated, anonymized)
- Browser and device type (no fingerprinting)
- Country-level location (no IP storage)
Umami is GDPR compliant and does not require cookie consent as it does not store any personal identifiers.
3.4 Customer Data (Databases)
Customer databases are fully owned by the customer. We process this data solely to provide the service. This includes:
- Database contents stored in your schemas
- Object storage files
- Edge function code
3.5 AI Context Engine (Snipara) Data
Our AI Context Engine processes the following to enable AI-native features:
- Schema metadata: Table names, column names, types, relationships, and indexes
- Agent Memory: Persistent conventions and decisions stored by AI tools
- Context queries: Requests from connected AI tools (Claude Code, Cursor, etc.)
Important: The AI Context Engine does NOT access or process the actual data content in your tables - only structural metadata.
4. How We Use Your Information
- Providing and maintaining the Vaultbrix platform
- Processing payments (via Stripe)
- AI Context Engine schema introspection and optimization
- Service improvements and analytics
- Security monitoring and fraud prevention
- Legal compliance
5. Legal Basis for Processing
Under Swiss LPD and EU GDPR, we process your data based on:
- Contract performance: To provide the services you requested
- Legitimate interests: For security, fraud prevention, and service improvement
- Legal obligations: To comply with applicable laws
- Consent: For optional features where applicable
6. Data Sharing
6.1 Service Providers (Sub-Processors)
- Infomaniak: Swiss cloud infrastructure (Geneva) - Database hosting, backups
- Stripe: Payment processing (PCI-DSS compliant, EU)
- Resend: Transactional email delivery (EU)
- Sentry: Error monitoring and performance (EU)
- Umami: Privacy-focused analytics (EU) - No cookies, no personal data, anonymous page views only
For a complete list of sub-processors and their data handling, see our Data Processing Agreement.
6.2 No Sale of Data
We do not sell, rent, or trade your personal data.
6.3 Legal Requirements
We may disclose data only in response to valid Swiss legal processes (Swiss court orders, regulatory requirements under Swiss law).
7. International Data Transfers
Customer database data is never transferred outside of Switzerland. Administrative data may be processed by service providers with appropriate safeguards (Standard Contractual Clauses where applicable).
8. Data Retention
- Account data: Duration of account plus 30 days after termination
- Customer databases: During subscription, plus 30 days post-termination
- Billing records: 10 years (Swiss tax law, OR Art. 958f)
- Access logs: 90 days
- Audit logs: 1 year (SOC 2 compliance)
- Backups: According to your plan (7-90 days)
For detailed retention periods by data category, see our Data Retention Policy.
9. Security Measures
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Role-based access controls
- Regular security audits
- SOC 2 Type II certification (in progress)
10. Your Rights
Under Swiss LPD:
- Right to information about data processing
- Right to access your data
- Right to rectification
- Right to erasure
- Right to data portability
- Right to object to processing
Under EU GDPR (for EEA residents):
All rights above, plus the right to lodge a complaint with your national supervisory authority.
To exercise your rights, contact us at privacy@starbox-group.com.
11. Cookies
We use essential cookies only for authentication and session management. We do not use advertising or tracking cookies.
12. Children's Privacy
Vaultbrix is not intended for users under 16 years of age. We do not knowingly collect data from children.
13. Changes to This Policy
We will notify you of material changes via email or through the Vaultbrix dashboard. Continued use after changes constitutes acceptance.
14. Supervisory Authority
Swiss: Federal Data Protection and Information Commissioner (FDPIC)
EU: Your relevant national data protection authority
15. Contact
For privacy inquiries:
Email: privacy@starbox-group.com
Address: Starbox Group GmbH, 1288 Geneva, Switzerland