Customer-controlled data. PubVault is a business tool used by publishers and authors to manage their own operations. When a customer uploads information about its authors, payees, contracts, sales, books, or other business contacts into the Service, the customer acts as the “controller” (or “business”) of that information, and we act as a “processor” (or “service provider”) handling it on the customer's behalf under our Terms of Service and any applicable data-processing agreement. Individuals whose information is uploaded by a customer (for example, authors or payees) should direct privacy requests to that customer first; we will assist the customer as required.
1. Information We Collect
1.1 Information you provide to us
- Account information. When you sign up, we collect your name, email address, username, password (stored as a hash), role (for example, Admin, Editor, or Viewer), display name, and preferences such as reporting currency.
- Billing information. When you subscribe, payment-card or bank details are collected and processed by our payment processor, Stripe, Inc. (“Stripe”), not by us. We receive a limited set of information from Stripe, such as the last four digits of the card, card brand, billing country, transaction amounts, and subscription status.
- Support and communications. If you email us or otherwise contact us, we receive the contents of your message, your contact details, and any information you choose to share.
1.2 Customer Data you upload
Customers upload information into their PubVault instance to run their publishing operations. This typically includes:
- Author and payee records (names, email addresses, phone numbers, payment information, and notes);
- Book and title metadata (titles, series, genres, cover images, release schedules);
- Sales and royalty data imported from reports such as Amazon KDP;
- Contracts and related documents (publishing, audiobook, webcomic, translation, film/TV, licensing), including uploaded files;
- Advertising-spend data imported from CSV files or via connected advertising accounts;
- Uploaded manuscripts, marketing assets, and other files stored in the file vault.
We treat this Customer Data as confidential and do not use it for our own purposes beyond providing, securing, and improving the Service, as described in Section 2.
1.3 Information collected automatically
- Log and usage data. Our servers automatically record information about your interactions with the Service, including IP address, browser type, device information, pages or endpoints accessed, actions taken, error events, and timestamps. The Service also maintains an in-app activity log that records user-initiated edits, uploads, and similar events.
- Session cookies. We use a strictly necessary session cookie to keep you signed in and protect your session. This cookie is set with the HttpOnly and SameSite=Lax attributes, and is marked Secure when the Service is accessed over HTTPS. We do not currently use third-party advertising or analytics cookies on the Service.
1.4 Information from third-party integrations
If you connect a third-party service to PubVault, we collect information you authorize that service to share with us, which may include:
- OAuth tokens used to access advertising platforms such as Amazon Ads and Meta/Facebook Ads on your behalf;
- Campaign, spend, and performance data returned by those platforms;
- Content of reports you import, such as Amazon KDP PDF sales reports.
Your use of a third-party service is subject to the terms and privacy policy of that service.
2. How We Use Information
We use the information described above to:
- Provide, operate, and maintain the Service, including account provisioning, instance setup, data imports, currency conversion, report generation, and file storage;
- Process subscriptions, payments, renewals, and refunds through Stripe;
- Authenticate users, enforce access controls, and protect against fraud, abuse, and security incidents;
- Respond to support requests, send service-related announcements, and provide technical assistance;
- Monitor, troubleshoot, debug, and improve the Service, including diagnosing errors and understanding feature usage in aggregate;
- Comply with legal obligations, respond to lawful requests from authorities, and enforce our Terms of Service;
- Send occasional administrative messages or, with your consent where required, product-update emails (you can opt out of non-essential emails at any time).
Our commitment to your data. We will not sell, rent, lease, license, distribute, or otherwise disclose Customer Data or any personal information contained in it to any third party, for any reason, without your express knowledge and consent. We will not use Customer Data for any purpose other than providing, securing, and improving the Service as described in these terms; if we ever wish to use your data for a new or materially different purpose, we will ask for your express, informed consent first. The limited disclosures we do make are (a) to the trusted service providers listed in Section 4 acting on our behalf under strict confidentiality obligations solely to operate the Service, (b) to third-party integrations you authorize (for example, by connecting an advertising account), and (c) where required by law or valid legal process. In each case, you will know about the disclosure: our subprocessors are identified in this policy, integrations happen only at your direction, and we will notify you of a legal demand where permitted. We do not “share” personal information for cross-context behavioral advertising as defined under California law, we do not use Customer Data to train artificial-intelligence or machine-learning models (our own or any third party's), and we do not build, or allow third parties to build, advertising profiles from Customer Data.
3. Legal Bases for Processing (EEA/UK Users)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases to process personal information:
- Contract. To provide the Service you or your organization have subscribed to.
- Legitimate interests. To secure the Service, prevent fraud and abuse, improve and develop our product, and conduct routine business operations, where those interests are not overridden by your rights and freedoms.
- Legal obligation. To comply with laws, court orders, and regulatory requirements.
- Consent. Where required, for example for certain marketing communications. You may withdraw consent at any time.
4. How We Share Information
We share personal information only as described below:
- Service providers (subprocessors). We use a small, deliberately limited set of service providers to operate the Service on our behalf. They process information only under contractual obligations to protect it and only to provide services to us. Our current subprocessors are:
- Third-party integrations you authorize. When you connect an integration such as Amazon Ads or Meta/Facebook Ads, information flows between PubVault and that service as you direct.
- Legal and safety. We may disclose information if we reasonably believe it is necessary to comply with law, respond to valid legal process, enforce our agreements, or protect the rights, property, or safety of Company, our customers, or the public.
- Business transfers. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to customary confidentiality protections.
- With your direction. We share information with third parties at your direction or with your consent.
5. International Transfers
We are based in the United States, and our service providers may operate in the United States and other countries. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States or other jurisdictions that may have different data-protection laws than those in your country. Where required, we use appropriate safeguards for such transfers, such as standard contractual clauses or equivalent mechanisms.
6. Data Retention
We retain personal information for as long as needed to provide the Service, comply with our legal and tax obligations, resolve disputes, and enforce our agreements. Specifically:
- Account and account-related records are retained while your subscription is active;
- Customer Data is retained in your instance while your subscription is active and for up to thirty (30) days after termination to allow export, after which it may be deleted from active systems;
- Residual copies may remain in routine backups for a limited period before expiring;
- Billing and tax records are retained for the period required by applicable law.
You or your administrator may delete most Customer Data at any time through the Service. We will delete or return Customer Data upon written request from the customer, subject to our legal-retention obligations.
7. Security
We take the security of your data seriously and have designed the Service around the following commitments. These are ongoing obligations, not aspirational statements.
7.1 Encryption in transit
All connections between your browser or API client and the Service are protected by Transport Layer Security (TLS), using modern cipher suites and HTTPS only. We do not permit unencrypted access to the Service. Session cookies are transmitted with the Secure, HttpOnly, and SameSite attributes to protect against interception and cross-site request forgery. OAuth tokens used to connect third-party integrations are exchanged over encrypted channels and stored in encrypted form.
7.2 Encryption at rest
All Customer Data, including uploaded files, contracts, manuscripts, author and payee records, sales data, and database records, is stored in encrypted form at rest on the infrastructure used to host the Service. Backups of your database are likewise encrypted at rest. Account passwords are never stored in plaintext; they are stored as salted one-way hashes using a modern, industry-standard hashing algorithm.
7.3 Per-customer instance isolation
PubVault is architected so that each customer receives a dedicated, single-tenant instance of the Service, with its own isolated application environment and its own dedicated database. Customer Data is never commingled across customers in a shared database or shared storage. A user with credentials for one customer's instance cannot access, query, or enumerate the data of any other customer. Administrative credentials used by us for operations and support are separately managed and scoped; we do not use customer credentials to access customer instances.
7.4 Access controls
Access to production systems and Customer Data by our personnel is restricted to the minimum number of individuals required to operate and support the Service, is protected by strong authentication, and is logged. Within your instance, we provide role-based access controls (Admin, Editor, Viewer) so you can limit what your own users can see and do. Administrators are required to change default passwords on first login.
7.5 Breach notification
If we become aware of a security incident that has resulted in, or is reasonably likely to have resulted in, unauthorized access to, disclosure of, or loss of Customer Data or personal information, we will notify affected customers within twenty-four (24) hours of confirming the incident. Our notification will describe, to the extent then known, the nature of the incident, the categories of data affected, the steps we are taking to investigate and remediate, and the steps you can take to protect yourself. Where we are still investigating, our initial notification will say so, and we will provide follow-up updates as additional information becomes available. We will cooperate reasonably with customers to meet their own notification obligations under applicable law.
7.6 Our limits
No system is perfectly secure, and we cannot guarantee absolute security. You are responsible for protecting the credentials used to access your instance, for managing the users and permissions within your instance, and for reviewing the activity log the Service makes available to you. If you believe your account or any Customer Data has been compromised, please contact us at the address in Section 13 as soon as possible.
8. Your Rights and Choices
8.1 Access, correction, deletion, portability
Depending on where you live, you may have rights to request access to, correction of, deletion of, or a portable copy of the personal information we hold about you, to object to or restrict certain processing, or to withdraw consent. You can exercise many of these rights directly within the Service (for example, by editing your account settings or deleting records in your instance). If you cannot do so, contact us at the address in Section 13, and we will respond within the timeframe required by applicable law.
If your information was uploaded to a customer's instance by that customer (for example, because you are an author managed by a publisher using PubVault), please contact the customer first. We will assist the customer in responding to your request.
8.2 California residents
Under the California Consumer Privacy Act, as amended (“CCPA/CPRA”), California residents have the right to know, correct, delete, and limit certain uses of personal information, and to be free from discrimination for exercising those rights. We do not sell personal information or share it for cross-context behavioral advertising. Categories of personal information we have collected in the last twelve months include identifiers, commercial information, internet or network activity information, and inferences, as further described in Section 1. We retain information for the periods described in Section 6.
You may submit a request by emailing the address in Section 13. We will verify your request using information associated with your account. You may designate an authorized agent to act on your behalf, subject to verification.
8.3 EEA/UK residents
Residents of the European Economic Area and the United Kingdom may lodge a complaint with their local data-protection authority. We ask that you contact us first so we can try to resolve your concern.
8.4 Marketing choices
You may opt out of marketing emails at any time using the unsubscribe link in the email. Service-related communications, such as security alerts and billing notices, are not marketing messages.
9. Children
The Service is intended for business use and is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.
10. Third-Party Sites and Services
11. Automated Decision-Making
The Service performs automated calculations, such as royalty splits, advance earn-out tracking, and currency conversions. These calculations do not produce legal or similarly significant effects on individuals without human review; customers are responsible for reviewing and approving outputs before acting on them. We do not otherwise engage in automated decision-making that produces legal or similarly significant effects on individuals.
12. Changes to This Privacy Policy
13. Contact Us
NextPanel Studios, LLC d/b/a PubVault
Attn: Privacy
1805 Crystal Drive #908S
Arlington, VA 22202
Email: support@pubvault.co