Data Protection

Privacy Policy

Last Updated: February 23, 2026

At VaultZero, we believe that privacy is a fundamental right and the foundation of trust. This policy outlines how we collect, protect, and handle your personal information with the same rigor we apply to enterprise security.

Section 01

Introduction

VaultZero Security ("VAT0", "we", "us", or "our") is a cybersecurity consultancy operated by Codezela Technologies (Pvt) Ltd, a company registered in Sri Lanka under company registration number PV00218349. We are committed to protecting your privacy and ensuring the security of your personal data.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (vat0.lk), use our contact forms, or engage with us professionally. By accessing our services, you agree to the terms outlined in this policy.

As a cybersecurity-focused organization, we hold ourselves to the highest standards of data protection and privacy. Our practices are designed to comply with applicable data protection laws, including the Sri Lanka Personal Data Protection Act (PDPA) No. 9 of 2022 and the General Data Protection Regulation (GDPR) for our international clients.

Section 02

Information We Collect

Contact Form Data

When you submit an inquiry through our contact form, we collect the following personal information:

  • Name: Your full name for personalizing our response
  • Email Address: For correspondence regarding your inquiry
  • Phone Number: Optional, for direct communication if preferred
  • Company/Organization: To understand your business context
  • Service Interest: The service category you select in our contact form
  • Budget Range: Optional budget preference for project scoping
  • Message Content: Details about your cybersecurity needs
  • Security Verification Token: A Cloudflare Turnstile token used to prevent spam

Analytics Data

We use Google Analytics 4 (GA4) to understand how visitors interact with our website. This may include:

  • Pages visited and time spent on each page
  • Referral sources (how you found our website)
  • Device type and browser information (anonymized)
  • Geographic location (country/city level only)
  • Interaction events such as page views and scroll depth

GA4 is disabled by default and only activated after you grant analytics consent via our cookie banner. If you select "Essential Only," analytics tracking remains disabled.

Technical Data

Our servers automatically collect certain technical information when you visit our website, including your IP address, browser type, operating system, and the date/time of your visit. This data is used for security monitoring and to optimize website performance.

Section 03

How We Use Your Information

We use the information we collect for the following specific purposes:

Responding to Inquiries

To respond to your questions, provide information about our cybersecurity services, and communicate regarding potential business engagements.

Service Delivery

To provide cybersecurity consulting services, security assessments, penetration testing, and zero-trust architecture implementation for your organization.

Website Improvements

To analyze website usage patterns and improve user experience based on aggregated, anonymized analytics data.

Legal Compliance

To comply with legal obligations under Sri Lankan law, including tax and accounting requirements, and to protect our legal rights.

Section 04

Data Storage & Security

Form Submission Processing

Contact form submissions are processed through our secure API endpoint at /api/contact. Submission details are then sent to Brevo to deliver notification emails to our team. We also use Cloudflare Turnstile for spam prevention before a submission is accepted.

Security Measures

As a cybersecurity consultancy, we implement industry-leading security measures:

  • All data in transit is encrypted using TLS 1.3
  • Access to personal data is restricted to authorized personnel only
  • Multi-factor authentication (MFA) protects all systems containing personal data
  • Regular security assessments and penetration testing of our infrastructure

Data Retention

We retain contact form submissions for 2 years from the date of submission in our operational communication systems. Where submissions lead to an active client relationship, related records may be retained for up to 7 years to satisfy legal, tax, and accounting obligations. Analytics data is retained for up to 26 months, after which it is deleted or anonymized according to provider settings.

Section 05

Cookies & Tracking Technologies

Our website uses the following technologies that may store data on your device:

Lenis Smooth Scroll

We use the Lenis library for smooth scrolling animations. This library stores minimal session data in your browser's memory to provide a seamless scrolling experience. No personal data is collected or transmitted to external servers.

Framer Motion

We utilize Framer Motion for UI animations and transitions. This library operates entirely client-side and does not transmit any data to external servers or store persistent data on your device.

Google Analytics 4

We use Google Analytics 4 (GA4) to understand how visitors interact with our website. GA4 uses cookies and similar technologies to collect information about your device, browser, and website usage patterns. This data helps us improve our website and services. We have configured GA4 to disable ad personalization signals by default.

Your Choice: You can control Google Analytics tracking through our cookie consent banner. If you select "Essential Only", Google Analytics will be disabled. You can also opt out of Google Analytics tracking by visiting the Google Analytics Opt-out Page.

For more information on how Google uses data, please refer to Google's Privacy Policy.

Section 06

Your Rights (GDPR / CCPA / Sri Lanka PDPA)

Depending on your location, you may have the following rights regarding your personal data:

Right to Access

Request copies of your personal data we hold

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data ("Right to be Forgotten")

Right to Restrict Processing

Request limitation on how we use your data

Right to Data Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to processing based on legitimate interests

Sri Lanka PDPA Rights

Under Sri Lanka's Personal Data Protection Act No. 9 of 2022, data subjects have the right to be informed about data collection, the right to access their personal data, the right to correct inaccuracies, the right to object to processing for direct marketing, and the right to lodge complaints with the Data Protection Authority of Sri Lanka.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days as required by applicable law.

Section 07

Third-Party Services

We use the following third-party services that may process your data:

Brevo (formerly Sendinblue)

We use Brevo to send email notifications of contact form submissions. When you submit our contact form, your information is transmitted via Brevo's secure API to deliver the notification to our team. Brevo is GDPR compliant and stores data in the EU.

Vercel

Our website is hosted on Vercel's global edge network. Vercel may process technical data (IP addresses, request logs) as part of their hosting service. Vercel is SOC 2 Type 2 certified and GDPR compliant.

Google Fonts & Analytics

We use Google Fonts for typography and Google Analytics 4 for website analytics. Google Fonts API does not use cookies, but Google Analytics uses cookies to track usage patterns. Google's services are governed by their Privacy Policy. You can opt out of Google Analytics via our cookie banner.

Cloudflare Turnstile

We use Cloudflare Turnstile to protect our contact forms from spam and abuse. Turnstile analyzes browser behavior to distinguish humans from bots without requiring traditional CAPTCHA challenges. Cloudflare may process technical data including your IP address and browser information for security purposes. See Cloudflare's Privacy Policy.

We do not sell your personal data to any third parties. We only share data with service providers necessary for operating our website and delivering our services.

Section 09

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will notify you by:

  • Posting the updated policy on our website with a revised "Last Updated" date
  • Displaying a prominent notice on our website for significant changes
  • Sending an email notification to individuals with whom we have an ongoing business relationship

We encourage you to review this Privacy Policy periodically. Your continued use of our services after any changes constitutes acceptance of the updated policy.

Contact for Privacy Questions

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:

Company

VaultZero Security
A division of Codezela Technologies (Pvt) Ltd
345/35, RIT Alles Mw
Colombo 08, 00800
Sri Lanka

Response Time

We aim to respond to all privacy-related inquiries within 48 hours.