Privacy policy

1. Who we are & data controller details

Vault & Hide is a leather goods manufacturer and global exporter, registered and headquartered in Karachi, Sindh, Pakistan. We operate the website vaultandhide.com and all sub-pages associated with it.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (GDPR), Vault & Hide is the data controller — meaning we are responsible for deciding how and why personal data about you is processed.

We are not currently required to appoint a Data Protection Officer (DPO) under GDPR Article 37, as we do not carry out large-scale systematic monitoring of individuals or process special category data at scale. However, we have designated a privacy lead who is responsible for data protection compliance. You can reach them at [email protected].

Where required by UK GDPR Article 27, we have appointed a UK representative. Details are available on request.

2. What personal data we collect

We collect only the data necessary to provide our services, fulfil your orders, and improve your experience. The categories of personal data we may hold about you are:

Identity & contact data

• Full name, title, and date of birth (where provided)
• Billing address and delivery address
• Email address and telephone number
• Account username and encrypted password

Order & transaction data

• Order history, including products purchased, quantities, prices, and dates
• Payment method type (e.g. Visa, PayPal) — we never store full card numbers
• Transaction reference numbers and payment status
• Returns, refunds, and warranty claim history
• Bespoke design specifications, measurements, and configuration choices

Profile & preference data

• Saved sizes, wishlist items, and recently viewed products
• Currency and language preferences
• Vault Rewards points balance and redemption history
• Product reviews and ratings submitted by you

Technical & usage data

• IP address, browser type, operating system, and device type
• Pages visited, time spent on pages, clicks, and navigation paths
• Referral source (e.g. Google search, Instagram ad, direct)
• Session identifiers and cookie data (see our Cookie Policy)

Communications data

• Emails, live chat transcripts, and WhatsApp messages sent to or received from our team
• Customer service enquiry history and notes
• Survey responses and feedback submissions

Marketing data

• Your marketing consent status and communication preferences
• Email open and click data (where you have consented to marketing)
• Advertising interaction data — ad impressions, clicks, and conversions — via third-party pixels (subject to your cookie consent)

3. How we collect your data

We collect personal data through the following means:

• Directly from you — when you create an account, place an order, complete a bespoke design form, subscribe to our newsletter, submit a review, contact our support team, or enter a competition.
• Automatically — as you browse vaultandhide.com, we collect technical and usage data via cookies and similar technologies. See our Cookie Policy for full details.
• From third parties — we may receive data from payment processors (Stripe, PayPal) confirming transaction status; from shipping carriers confirming delivery; from advertising platforms (Meta, Google) when you interact with our ads; and from fraud detection services that flag suspicious activity.
• From your social media activity — if you tag us in a post, comment on our content, or contact us via a social platform, we receive the information you make available through those interactions.

4. Lawful basis for processing

Under GDPR Article 6, every processing activity must have a lawful basis. The table below maps each category of use to its legal ground. Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) to confirm our interests do not override your rights.

5. How we use your data

We use the personal data we collect for the following purposes:

To fulfil and manage your orders

Processing your payment, confirming your order, managing production for bespoke items, arranging delivery, handling returns, processing refunds, and managing warranty claims.

To operate your account

Maintaining your account, storing your wishlist, saving your size preferences, tracking your Vault Rewards balance, and providing order history.

To communicate with you

Sending order confirmations, dispatch notifications, delivery updates, return acknowledgements, and responses to your customer service enquiries. These communications are transactional and cannot be opted out of while you have an active order or open case.

To improve our website and products

Analysing anonymised usage data to understand how customers navigate the site, which products generate interest, where users encounter friction, and how we can improve the overall experience. We also use this data to inform product development and purchasing decisions.

To protect against fraud and abuse

Monitoring for fraudulent orders, account takeover attempts, payment fraud, and misuse of our platform. We share flagged activity with our payment processors and, where necessary, law enforcement.

To comply with our legal obligations

Maintaining financial and tax records as required by applicable law, responding to valid legal requests, and discharging our obligations under consumer protection, anti-money-laundering, and customs and trade regulations.

To send marketing — only with your consent

If you have opted in, we use your email address and communication preferences to send you newsletters, new arrival announcements, promotional offers, style guides, and information about our Vault Rewards programme. See section 6 for full details and how to opt out.

6. Marketing communications

We operate a strict opt-in marketing policy. We will never send you marketing emails unless you have explicitly given us consent to do so — either by ticking the marketing opt-in box at checkout, subscribing via our newsletter form, or enabling marketing through your account settings.

When you consent to marketing, you may receive:

• New arrival and seasonal drop announcements
• Exclusive subscriber discounts and early access to sales
• Vault Rewards programme updates and reward notifications
• Leather care tips, style guides, and editorial content from our journal
• Occasional surveys and feedback requests

How to opt out

You can withdraw your marketing consent at any time by any of the following methods:

• Clicking the "Unsubscribe" link at the bottom of any marketing email.
• Updating your preferences in your account under Account → Communication preferences.
• Emailing [email protected] with the subject line UNSUBSCRIBE.

Opt-out requests are processed within 5 business days. You may continue to receive transactional emails (e.g. order confirmations) even after opting out of marketing — these are not marketing communications and are required for contract performance.

7. Who we share your data with

We do not sell, rent, or trade your personal data to any third party. We share data only where necessary to provide our services, fulfil legal obligations, or protect legitimate interests. All third-party processors are bound by Data Processing Agreements (DPAs) and are required to handle your data securely and lawfully.

We may also share data with professional advisers — lawyers, accountants, and auditors — who are bound by confidentiality obligations, and with any acquirer in the event of a merger, acquisition, or sale of all or part of our business (in which case you will be notified in advance).

8. International data transfers

Vault & Hide is based in Pakistan and serves customers globally. Some of the third-party processors we use are located outside the European Economic Area (EEA) and the United Kingdom, most commonly in the United States.

Where we transfer personal data outside the EEA or UK, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) — approved by the European Commission and adopted under the UK GDPR — with all US-based processors.
• UK International Data Transfer Agreements (IDTAs) where required for transfers from the UK.
• Adequacy decisions — for transfers to countries the European Commission has recognised as providing an adequate level of protection.

Pakistan does not currently have an EU or UK adequacy decision. Where data is transferred from the EEA or UK to our servers or staff in Pakistan for operational purposes, we rely on SCCs and implement additional technical safeguards including encryption at rest and in transit, access controls, and staff data protection training.

9. Your rights

Depending on your location, you have the following rights over your personal data. We honour these rights for all customers globally, not only those in GDPR jurisdictions. All requests are free of charge and will be responded to within 30 days.

We will respond to all valid rights requests within 30 calendar days. Where a request is complex or numerous, we may extend this to 90 days, in which case we will notify you within the initial 30 days and explain the reason for the extension. We may need to verify your identity before processing a request to protect against fraud.

10. How long we keep your data

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, comply with legal obligations, and resolve disputes. The table below sets out our standard retention periods.

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised. Anonymised data (from which you cannot be identified) may be retained indefinitely for statistical and research purposes.

11. Security

We take the security of your personal data seriously and have implemented technical and organisational measures appropriate to the risk, including:

• Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Data stored on our servers is encrypted at rest using AES-256.
• Access controls: Personal data is accessible only to staff who need it to perform their job. All staff with data access complete annual data protection training.
• Payment security: We are PCI-DSS compliant through our payment processors. Full card numbers are never stored on our systems.
• Infrastructure security: Our hosting infrastructure is protected by firewalls, intrusion detection systems, and regular vulnerability assessments.
• Breach response: We have a data breach response plan. In the event of a breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and notify affected individuals without undue delay, as required by GDPR Article 33.

While we take every reasonable precaution, no method of transmission over the internet or electronic storage is completely secure. You are responsible for keeping your account password confidential. If you believe your account has been compromised, contact us immediately at [email protected].

12. Children's privacy

Our website, products, and services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have inadvertently collected data from a person under 16 without verifiable parental consent, we will delete it promptly.

If you are a parent or guardian and believe your child has submitted personal data to us, please contact us at [email protected] and we will act immediately.

13. Cookies & tracking technologies

We use cookies and similar tracking technologies to operate the website, remember your preferences, understand how you use the site, and — where you consent — to deliver relevant advertising. The full details of every cookie we set, its purpose, duration, and the controls available to you are set out in our dedicated Cookie Policy.

Your cookie preferences can be updated at any time via the cookie preference centre, accessible from the footer of every page of our website. You do not need to accept non-essential cookies to use the website or make a purchase.

14. California residents — CCPA rights

If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights in addition to those described in section 9.

What we collect, use, and disclose

In the preceding 12 months, we have collected the categories of personal information listed in section 2 of this policy. We have disclosed personal information to the categories of third parties listed in section 7, for the business purposes listed in section 5. We have not sold or shared personal information as defined by the CCPA.

Your California rights

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you in the past 12 months.
• Right to delete: Request deletion of personal information we have collected, subject to certain exceptions.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale or sharing: We do not sell or share personal information. No opt-out is required, but you may submit a preference regardless at [email protected].
• Right to limit use of sensitive personal information: We do not process sensitive personal information beyond what is strictly necessary for the purposes described in this policy.
• Right to non-discrimination: You will not receive a different level of service or pricing as a result of exercising any CCPA right.

To submit a CCPA request, email [email protected] with subject line CCPA REQUEST. We will verify your identity and respond within 45 calendar days. You may designate an authorised agent to submit requests on your behalf.

15. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our data practices, the services we use, or applicable law. When we make material changes, we will:

• Update the "last reviewed" date at the top of this page.
• Display a prominent notice on the website for at least 30 days.
• Notify registered account holders by email where changes materially affect how we use their data.
• Where changes require fresh consent — for example, a new processing purpose — we will seek that consent before proceeding.

We encourage you to review this policy periodically. Previous versions are available on request by emailing [email protected].

16. Contact & complaints

For all privacy-related requests, questions, or concerns — including Subject Access Requests, erasure requests, and marketing opt-outs — please contact our privacy team directly. Do not use our general customer support channel for data protection matters.