Privacy Policy

Last updated: April 7, 2026

1. Introduction

This Privacy Policy describes how Enigma Vault ("Company," "we," "our," or "us") collects, uses, and shares information in connection with your use of the NOI website (www.nopii.co), documentation site (docs.nopii.co), admin console (app.nopii.co), and PII tokenization proxy service (collectively, the "Service"). This policy applies to all users of the Service, including website visitors, account holders, and API consumers.

2. Our Role: Controller and Processor

Enigma Vault acts in two distinct roles:

  • As a data processor, with respect to content (including any personal data) that you transmit through the proxy. You are the controller of that content; we process it solely on your instructions to provide the Service.
  • As a data controller, with respect to account information, billing data, usage metadata, and website analytics that we collect directly from you or your authorized users.

This distinction governs which provisions of this policy apply to which data. Customers who require a Data Processing Addendum (DPA) incorporating Standard Contractual Clauses may request one at support@enigmavault.io.

3. Information We Collect

3.1 Information You Provide

We collect information you provide directly, including:

  • Account registration details (name, email address, company name, job title)
  • Organization and team configuration
  • PII detection settings and preferences
  • Communications you send to us (support requests, feedback)

3.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Usage data: Token counts (prompt, completion, overhead), request timestamps, HTTP status codes, response latency, LLM provider and model used, number of PII entities detected per request
  • Audit data: Categories of detected entities (e.g., person names, email addresses), vault tokens (not plaintext PII), detection confidence scores, masked values (e.g., "****6789")
  • Technical data: IP address, browser type, operating system, referring URLs
  • Session identifiers: Randomly generated UUIDs used to maintain tokenization consistency within a conversation

3.3 Transient Data We Do Not Persist

The following categories of data pass through the Service but are not stored or persisted in any durable form:

  • Plaintext PII transmitted through the proxy. Plaintext PII is processed in volatile memory for the minimum time required to detect, tokenize, and forward requests. It may be held in in-memory session caches to maintain tokenization consistency within a conversation, for a maximum of one hour from last access. Plaintext PII is never written to disk, never transmitted to any LLM provider, and is lost on Service restart. (Note: the vault tokens produced from your plaintext PII are persisted separately by the Enigma Vault Data Vault to enable detokenization of future responses. Vault tokens are retained for a minimum of one day, with longer or indefinite retention available by configuring the token time-to-live (TTL). See Section 6 for details.)
  • Your LLM API keys. Passed through to providers on each request, never persisted.
  • LLM request and response content. Not stored unless you explicitly enable debug mode, in which case sanitized content is retained temporarily as described in Section 6.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including PII detection, tokenization, and detokenization
  • Calculate and enforce usage limits and billing
  • Generate audit logs for your compliance needs
  • Respond to your requests, comments, and questions
  • Send transactional messages (account invitations, billing notifications, security alerts)
  • Monitor and analyze usage trends and Service performance
  • Detect, investigate, and prevent security incidents and abuse
  • Comply with legal obligations

We do not use your data to train machine learning models. We do not use the content of your API requests for any purpose other than providing the Service.

5. Data Sharing and Sub-Processors

We do not sell your personal information. We share information only in the following circumstances:

  • Enigma Vault Data Vault: The Data Vault is an affiliated service operated by Enigma Vault under common ownership with the Service. Plaintext PII values are sent to the Data Vault solely for tokenization. The Data Vault stores encrypted token-to-plaintext mappings. No other context (your identity, use case, or conversation content) is shared.
  • LLM Providers: Your chosen LLM provider receives sanitized requests with vault tokens in place of PII. No plaintext PII is sent to any LLM provider.
  • Cloud infrastructure provider: Our infrastructure provider hosts the database, secrets storage, authentication, and compute environment. Data is processed in the United States.
  • Payment processor (Stripe): Billing and payment data, including usage meter events, is shared with Stripe for payment processing.
  • Langfuse (if enabled by you): If you enable the optional Langfuse integration, tokenized (not plaintext) request and response content is sent to Langfuse for observability.
  • Legal requirements: We may disclose information if required by law, subpoena, court order, or governmental request.
  • Protection of rights: We may disclose information to protect the rights, property, or safety of Enigma Vault, our users, or the public.

A current list of sub-processors is maintained at www.nopii.co/sub-processors. We will provide at least 30 days' advance notice of material changes to our sub-processor list via email to account administrators.

6. Data Retention

  • Account data: Retained for the duration of your account, and for up to 12 months after account closure for legal, tax, and accounting purposes, after which it is deleted or anonymized.
  • Audit logs: Retained per your Organization's configuration, with a default retention of 13 months. Audit entries for purged tokens are scrubbed (token values set to null) and stamped with purge metadata for compliance audit trails.
  • Request logs: Retained for 13 months for billing reconciliation and analytics purposes.
  • Session data: Held in volatile memory only for up to one hour from last access. Not persisted to disk. Lost on Service restart.
  • Vault tokens: Subject to configurable TTL (time-to-live). Free plan: 1-day expiration. Pro plan: configurable from 1 day to permanent. Expired tokens are automatically and permanently deleted from the Enigma Vault Data Vault.
  • Debug data: If debug mode is enabled, sanitized request/response bodies are retained in request logs (truncated to 64KB).

7. Security

We implement technical and organizational measures to protect information, including:

  • TLS encryption for all data in transit
  • Encryption at rest for databases and secrets storage
  • Vault credentials stored in a managed secrets service, accessible only via scoped service roles
  • Authentication with support for SSO, MFA, and social login
  • Rate limiting on all API endpoints
  • Fail-safe architecture: if tokenization is unavailable, requests are blocked rather than forwarded with unprotected PII
  • Security headers enforced (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy)
  • Structured logging and continuous monitoring

No security system is perfect. While we take commercially reasonable measures to protect your data, we cannot guarantee absolute security.

8. Breach Notification

In the event of a personal data breach affecting your data, we will notify affected customers without undue delay after confirming the breach. Notifications will include, to the extent known at the time of notification, the nature of the breach, the categories and approximate number of records affected, likely consequences, and the measures taken or proposed to address the breach. This notice is intended to support your own regulatory notification obligations where you act as a data controller, including obligations under Article 33 of the GDPR. We will provide additional information as our investigation progresses.

9. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We rely on Standard Contractual Clauses and other appropriate safeguards for transfers from the European Economic Area, United Kingdom, and Switzerland.

10. Regulated Data and HIPAA

The Free and Pro plans are not intended for the processing of Protected Health Information (PHI) subject to HIPAA. If you are a HIPAA Covered Entity or Business Associate and wish to route PHI through the Service, you must first enter into a Business Associate Agreement (BAA) with Enigma Vault, which is available on the Enterprise plan. Contact support@enigmavault.io for BAA inquiries. Transmitting PHI through the Service without an executed BAA is a violation of our Terms of Service.

11. Your Rights Under GDPR

This section applies to personal data we process as a controller in connection with our direct relationships (for example, account holders, billing contacts, website visitors, and support correspondents). Where we process personal data as a processor on behalf of a business customer (for example, end-user data transmitted through the proxy), data subjects should exercise their rights with that customer, who acts as the controller. We will support our customers in responding to such requests as required by applicable law and any Data Processing Addendum in place.

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under applicable data protection laws:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate personal data.
  • Right to erasure: Request deletion of your personal data. For PII that has been tokenized by the Service, you can use the Token Purge feature in the admin console to delete vault tokens, scrub audit log entries, and invalidate session caches.
  • Right to restriction: Request that we restrict processing of your personal data.
  • Right to data portability: Request a copy of your data in a structured, machine-readable format.
  • Right to object: Object to processing of your personal data for certain purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise these rights, contact us at support@enigmavault.io. We will respond within one month of receipt of your request. This period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests, in which case we will inform you of the extension within one month of receipt. You also have the right to lodge a complaint with your local supervisory authority.

Legal basis for processing: We process personal data on the following bases: performance of our contract with you (providing the Service), legitimate interests (security, analytics, service improvement), compliance with legal obligations, and consent (where applicable).

EU and UK Representatives: Where required under Article 27 of the GDPR or the UK GDPR, our appointed representatives can be contacted at support@enigmavault.io. Contact details for our representatives are maintained at www.nopii.co/legal/representatives.

12. Your Rights Under CCPA/CPRA

This section applies to personal information we collect as a controller directly from California residents in connection with their use of our website, admin console, and business communications (for example, account holders, billing contacts, website visitors, and support correspondents). It does not apply to end-user data that our business customers transmit through the proxy, for which the customer is the controller and should be contacted directly.

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to delete: Request deletion of your personal information.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt-out of sale or sharing: We do not sell or share personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising your rights.

We honor Global Privacy Control (GPC) signals transmitted by your browser as a valid opt-out preference signal.

To exercise these rights, contact us at support@enigmavault.io.

13. Cookies and Tracking Technologies

13.1 Website (www.nopii.co)

We use cookies and similar technologies on our marketing website for:

  • Essential cookies: Required for site functionality (session management, CSRF protection). These are set without consent as they are strictly necessary to deliver the site.
  • Analytics cookies: To understand how visitors interact with the site (page views, traffic sources). Analytics cookies are non-essential.

Consent for non-essential cookies. Visitors from the European Economic Area, United Kingdom, and Switzerland are presented with a cookie consent banner on first visit. Non-essential cookies (including analytics) are loaded only after affirmative consent is given. You may withdraw or change your consent at any time through the cookie preferences link in the site footer. Visitors from other jurisdictions can manage cookie preferences through the same link or through their browser settings.

13.2 Admin Console (app.nopii.co)

The admin console uses authentication cookies to maintain your login session. These are essential for the console to function.

13.3 Proxy Service

The proxy API does not use cookies. Authentication is performed via API key headers on each request.

13.4 Managing Cookies

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the website or admin console from functioning correctly.

14. Children's Privacy

The Service is a business-to-business product intended for use by organizations and their authorized personnel. It is not directed to children, and we do not knowingly allow individuals under 16 (or the minimum age in their jurisdiction, whichever is higher) to register for accounts or provide personal information through our website. If we learn that we have inadvertently collected personal information from a child in connection with our direct relationships (website visitors, account signups, support communications), we will delete it promptly. If you believe a child has provided us with personal information, please contact us at support@enigmavault.io.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page, updating the "Last updated" date, and, for material changes, notifying you via email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at support@enigmavault.io, or by mail at the address below.

Enigma Vault

30 Broad St., Suite 14114

New York, NY 10004

Phone: (877) 977-2083
