Skip to content

Privacy

Privacy Policy

Last Updated: March 16, 2026

1. Overview

This Privacy Policy describes how Empirevault LLC (“EmpireVault,” “we,” “us,” or “our“) collects, uses, stores, and protects information when you use the EmpireVault Cloud Suite, including:

  • Engage Plugin — chat widget, lead capture forms, waitlist/newsletter signups embedded on WordPress sites;
  • CRM — unified inbox (Google, Microsoft 365, IMAP), contacts, organizations, leads, and campaigns;
  • Tickets — AI-assisted service desk, knowledge base, customer portal, CSAT surveys, and feature request tracking;
  • Hub — administration, billing, single sign-on, permissions, and audit logging.

By accessing or using any part of the EmpireVault Cloud Suite (collectively, the “Service“), you agree to the practices described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Data

When you create an account or are invited to a tenant workspace, we collect your name, email address, and role. Authentication is handled through WorkOS; we do not store passwords. Your account may be associated with one or more tenant organizations.

2.2 CRM Data

When you connect a mailbox (Google, Microsoft 365, or IMAP) or manually create records, we process:

  • Contacts, organizations, and leads (names, email addresses, phone numbers, notes);
  • Email messages synced from connected mailboxes (sender, recipients, subject, body, attachments);
  • Contact extraction data derived from email conversations.

2.3 Ticket Data

When tickets are created — by agents, customers, or through AI triage — we collect:

  • Ticket details (subject, description, priority, status, category, tags, custom fields);
  • Comments and internal notes;
  • CSAT survey responses (rating, feedback text);
  • Feature request submissions and votes;
  • SLA tracking data (response times, resolution times).

2.4 Chat Data

The Engage Plugin captures real-time chat interactions on your website:

  • Chat messages between visitors and operators;
  • Session identifiers (stored in the browser’s sessionStorage, not cookies);
  • Page URLs where the chat widget is displayed.

2.5 Optional Contact Information

Visitors may voluntarily provide their name, email address, and phone number through contact forms, lead capture widgets, or waitlist/newsletter signup forms. This information is collected only when initiated by the visitor.

2.6 Campaign Data

When you send email campaigns through the Service, we process:

  • Email content (subject, body, templates);
  • Recipient lists and segmentation data;
  • Open tracking events (recorded via a 1×1 tracking pixel);
  • Click tracking events (recorded via wrapped links);
  • Bounce and suppression status.

2.7 Attribution Data

We collect UTM parameters and referrer URLs associated with leads and form submissions for marketing attribution purposes.

2.8 Audit Logs

The Service records an immutable audit trail of user actions, including the action performed, the user who performed it, IP addresses, and timestamps.

2.9 AI Usage Logs

When AI-powered features are used (ticket triage, draft replies, summarization, translation, lead scoring), we log the feature type, token count, and model name for rate-limiting, billing, and quality purposes.

2.10 Billing Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers or payment card data on our servers. We retain your Stripe customer ID and subscription status to manage your account.

3. How We Use Information

We use the information we collect to:

  • Provide the Service — operate and maintain CRM, ticketing, chat, campaign, and administrative features;
  • Authenticate users — verify identity and manage session state;
  • Process AI requests — triage tickets, draft replies, score leads, summarize conversations, and translate content;
  • Send transactional emails — verification links, password resets, campaign messages, and CSAT surveys;
  • Track campaign performance — record opens, clicks, and bounces to provide analytics;
  • Maintain audit trails — log user actions for security, compliance, and accountability;
  • Enforce rate limits — monitor AI and API usage per tenant;
  • Improve the Service — analyze aggregated, de-identified usage patterns;
  • Comply with legal obligations — respond to lawful requests and enforce our terms.

4. AI Data Processing

EmpireVault uses the OpenAI API to power AI-assisted features, including:

  • Automatic ticket triage and priority classification;
  • Draft reply generation;
  • Ticket and conversation summarization;
  • Content translation;
  • Ticket routing suggestions;
  • Lead importance scoring;
  • Periodic ticket insights and trend analysis.

Important safeguards:

  • Data sent to OpenAI is used solely to process your request and is not used to train OpenAI’s models, in accordance with OpenAI’s API data usage policy.
  • AI processing is subject to per-tenant rate limiting (daily and monthly caps) configured by your administrator.
  • All AI usage is logged (feature type, token count, model name) for transparency and cost control.
  • Tenant administrators can disable AI features entirely through the Ticket Settings panel.
  • AI suggestion feedback (helpful/incorrect) is collected to improve suggestion quality.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only with the following categories of service providers, solely to operate the Service:

Provider Purpose Data Shared
WorkOS Authentication & SSO Name, email, organization ID
Stripe Payment processing & billing Email, subscription details
OpenAI AI-powered features Ticket/email content for processing
Civo Cloud hosting & object storage All Service data (infrastructure)

We may also disclose information when required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of EmpireVault, our users, or the public.

6. Cookies and Session Management

6.1 Platform Application

The EmpireVault web application uses session cookies (HttpOnly, Secure) strictly for authentication and session management. These cookies are essential to the operation of the Service and cannot be disabled while using the platform. We do not use advertising or third-party tracking cookies.

6.2 Engage Plugin

The Engage Plugin embedded on WordPress sites uses the browser’s sessionStorage API — not cookies — to maintain chat session state. Session data is automatically cleared when the browser tab is closed.

7. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption at rest: All sensitive database fields (email bodies, ticket descriptions, contact details, system settings) are encrypted using AES-256-GCM via ActiveRecord Encryption.
  • Encryption in transit: All data transmitted between your browser and our servers is protected by TLS (HTTPS) on every endpoint.
  • Infrastructure security: The Service runs on Kubernetes with container isolation, network policies, and managed secrets.
  • Access control: Role-based permissions (owner, admin, sales, readonly) restrict access to data and features. All access is logged in the audit trail.
  • Authentication: Single sign-on via WorkOS with no locally stored credentials.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specific retention policies include:

  • Email messages: Subject to configurable retention periods set by your tenant administrator. Expired messages are automatically purged on a recurring schedule.
  • Chat messages: Retained for up to 90 days from the session date.
  • Audit logs: Retained indefinitely for compliance and security purposes.
  • Resolved tickets: Automatically closed after a configurable period, as set by the tenant administrator.
  • AI usage logs: Retained for rate-limiting, billing, and operational monitoring.
  • Account data: Retained until the account or tenant is deleted.

Upon account deletion, we will remove your personal data within a reasonable time frame, except where retention is required by law.

9. Multi-Tenant Data Isolation

EmpireVault is a multi-tenant platform. All customer data is scoped to the tenant organization at the database level. This means:

  • Each tenant’s data (contacts, tickets, emails, campaigns, settings) is logically isolated from all other tenants.
  • Users who belong to multiple organizations see only the data for their currently active tenant.
  • Tenant administrators control user roles, permissions, and feature settings independently.
  • Cross-tenant data access is architecturally prevented by application-level scoping.

10. Email Compliance

EmpireVault is designed to help you comply with applicable email regulations, including the CAN-SPAM Act:

  • Unsubscribe: All marketing emails include a one-click unsubscribe mechanism and List-Unsubscribe headers.
  • Physical address: Campaign emails include the sender’s mailing address in the footer.
  • Bounce suppression: Bounced email addresses are automatically suppressed to prevent further delivery attempts.
  • Double opt-in: Waitlist and newsletter signups use a two-step confirmation process to verify consent and prevent abuse from automated link scanners.

Tenant administrators are responsible for ensuring their use of email features complies with all applicable laws in their jurisdiction.

11. User Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to correction: Request correction of inaccurate or incomplete data.
  • Right to deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to object: Object to processing of your data for certain purposes.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to opt out of sale: We do not sell personal data. If this changes, we will provide an opt-out mechanism as required by the CCPA.

To exercise any of these rights, contact us at privacy@empirevault.com. We will respond within 30 days (or the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

If you are a customer of one of our tenants and wish to exercise your rights, please contact the tenant organization directly, as they are the data controller for information collected through their use of the Service.

12. Children’s Privacy

The EmpireVault Cloud Suite is not directed at children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will take prompt steps to delete it. If you believe a child has provided us with personal data, please contact us at privacy@empirevault.com.

13. International Data Transfers

The Service is hosted in the United States (Civo cloud, NYC1 region). If you access the Service from outside the United States, your data will be transferred to and processed in the US. We implement appropriate safeguards — including encryption, access controls, and contractual protections with our service providers — to protect your data in accordance with applicable data protection laws.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this page;
  • Notify active account holders by email or in-app notice where required.

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy. We encourage you to review this page periodically.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Empirevault LLC
Houston, TX
General inquiries: info@empirevault.com
Privacy inquiries: privacy@empirevault.com

Chat with us

Scroll to Top