
Privacy Policy

Effective date: 18 April 2026  ·  Last updated: 29 April 2026

Our privacy promise in plain English: Vukorix is built around the principle that you control your documents, not us. File contents are encrypted at rest with AES-256-GCM, with encryption keys managed so that under normal operation our staff cannot read the files you share. We collect the minimum personal information we need to run your account, we never sell it, and we give you clear rights to access, correct, and delete it. The full policy follows below.
Contents
  1. Who we are
  2. Scope of this policy
  3. What information we collect
  4. How we collect information
  5. How we use information
  6. Legal bases (GDPR / UK GDPR)
  7. Sharing and sub-processors
  8. International transfers
  9. How long we keep information
  10. Security
  11. Cookies and analytics
  12. Your rights
  13. Data breach notification
  14. Children's privacy
  15. Automated decision-making
  16. Changes to this policy
  17. Complaints and contact

1. Who we are

This Privacy Policy explains how Osmicro Networks Pty Ltd (ACN 642 841 638 / ABN 70 642 841 638), trading as Vukorix ("Vukorix", "we", "our", or "us"), handles personal information in connection with the Vukorix secure file sharing platform at vukorix.com and app.vukorix.com.

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, Vukorix is the controller of personal information about our account holders (you), and a processor of personal information that you upload into the Service about your clients or recipients.

Our registered office is in New South Wales, Australia. Our Privacy Officer can be reached at [email protected].

2. Scope of this policy

This policy covers personal information collected when you:

  • visit the Vukorix marketing site at vukorix.com;
  • sign up for the Vukorix private beta or join our waitlist;
  • create or use a Vukorix account at app.vukorix.com;
  • receive a Secure Send link, use a Secure Receive portal, participate in a Secure Exchange, or sign a document issued through Vukorix;
  • contact us by email, form, or other means.

This policy does not cover third-party websites, applications, or services that are linked to from the Service. Please review their own privacy policies before using them.

3. What information we collect

3.1 Information you provide

  • Account information: name, email address, firm or company name, role, phone number (optional), and password (stored hashed — we never see it in plain text).
  • Waitlist and beta enquiries: email address and anything you choose to include in a message.
  • Billing information (post-beta): billing contact, billing address, and payment token from our payment processor. We do not store full credit card numbers on our servers.
  • Communications: the content of emails and support requests you send to us.
  • Customer Content: the files, document metadata, recipient email addresses, and messages you upload to the Service. Customer Content is encrypted and we treat it as your data; we act as a processor for it (see section 1).

3.2 Information collected automatically

  • Device and connection data: IP address, device type, browser, operating system, approximate location derived from IP, referrer URL, time zone.
  • Usage data: pages viewed, features used, buttons clicked, links created, timestamps. Used to operate, secure, and improve the Service.
  • Audit logs: records of who accessed which file, when, from which IP, and what action they took (upload, download, signature, deletion). These are retained for security and compliance purposes.
  • Cookies and similar technologies: see section 11.

3.3 Information from third parties

  • Information from our payment processor confirming or declining a payment.
  • Anti-fraud and anti-abuse signals from our hosting and virus-scanning providers.
  • Public information you have provided through integrations you explicitly connect.

3.4 Sensitive information

We do not seek sensitive information (such as information about health, race, political opinions, or religious beliefs) as part of your account or billing data. You may choose to include such information in Customer Content. If you do, it is stored encrypted and treated with the same protections as other Customer Content, but you are responsible for obtaining any consents required to upload it.

4. How we collect information

We collect information directly from you when you sign up, complete a form, upload content, or communicate with us. We collect information automatically through your device and browser when you use the Service. We may also receive information from our sub-processors (section 7), or from third parties who have a lawful basis to share it with us, for example to comply with legal obligations or prevent fraud.

5. How we use information

We use personal information for the following purposes:

  • Provide the Service: authenticate you, host encrypted files, deliver Secure Send / Secure Receive / Secure Exchange and e-signature flows, run virus scanning, and send operational notifications.
  • Support: respond to your enquiries and resolve issues.
  • Security: detect, investigate, and prevent fraud, abuse, unauthorised access, and security incidents; maintain audit logs.
  • Billing (post-beta): process payments, issue invoices, recover unpaid fees, and keep financial records.
  • Product improvement: understand how the Service is used, diagnose errors, and develop new features. We rely on aggregated and de-identified data wherever possible.
  • Communications: send service-related messages (required), and (with your consent or where otherwise permitted) beta updates, product announcements, and marketing emails from which you can unsubscribe at any time.
  • Legal compliance: comply with laws, respond to lawful requests from regulators or courts, and enforce our Terms.

6. Legal bases (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases to process your personal information:

  • Performance of a contract — to deliver the Service you have signed up for.
  • Legitimate interests — to secure the Service, prevent fraud, improve our product, and run our business, where those interests are not overridden by your rights.
  • Consent — for optional cookies and for marketing emails where required. You may withdraw consent at any time.
  • Legal obligation — to meet tax, accounting, anti-money-laundering, and similar requirements.

7. Sharing and sub-processors

We do not sell your personal information. We do not share your personal information with advertisers.

We share personal information only with the categories of recipients below, each under written contracts requiring appropriate data protection:

  • Sub-processors that help us deliver the Service (see the table below);
  • Professional advisers (lawyers, accountants, auditors) bound by duties of confidentiality;
  • Authorities where we are required to disclose by law, a court order, or a lawful regulatory request;
  • Acquirers in connection with a merger, acquisition, financing, or sale of assets — in which case we will require the acquirer to honour this policy, or we will notify you of any changes.

7.1 Current key sub-processors

| Provider | Purpose | Location |
| --- | --- | --- |
| DigitalOcean, LLC | Application hosting and marketing-site hosting | Australia (Sydney SYD1) |
| Formspree, Inc. | Processing waitlist and contact form submissions | United States |
| Google LLC (Google Analytics 4) | Aggregated website analytics with IP anonymisation | United States / global |
| Transactional email provider | Delivery of operational emails (account, Secure Send notifications) | United States / EU |
| Payment processor (post-beta) | Card tokenisation and subscription billing | United States / global |
| Virus-scanning provider | Malware scanning of uploaded files (the Warden engine) | Australia / global |

We will keep this list up to date as our sub-processors change. Material additions to this list will be communicated to beta participants and paying customers by email or through the Service before they take effect, so that customers can raise concerns.

8. International transfers

Personal information is primarily hosted in Australia (Sydney), but some sub-processors (for example Formspree, Google Analytics, and our transactional email provider) process data in the United States or other countries.

Where personal information is transferred out of the country in which you are located, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable), or on exemptions permitted by applicable law (for example, transfers necessary to perform our contract with you).

For personal information of individuals in Australia, transfers out of Australia are made in accordance with Australian Privacy Principle 8, and we take reasonable steps to ensure the overseas recipient handles the information consistently with the Australian Privacy Principles.

9. How long we keep information

| Category | Retention |
| --- | --- |
| Account details (name, email, firm) | For as long as the account is active, then up to 12 months after closure for legal and accounting purposes, then deleted or anonymised. |
| Waitlist / beta enquiry emails | Until you ask us to remove you, or 24 months after your last interaction, whichever is earlier. |
| Customer Content (encrypted file payloads) | Until the configured expiry, the view limit is reached, or you or your recipient delete it. After that, payloads are permanently deleted. |
| Audit logs and access records | Up to 24 months, then deleted or aggregated. Longer where required for legal, regulatory, or dispute-resolution purposes. |
| Billing records (invoices, payment receipts) | 7 years, as required by Australian tax and corporations law. |
| Security / abuse investigation records | Up to 24 months, or longer where an active investigation or legal matter requires it. |
| Backups | Rolling backups are overwritten on a rotating schedule (typically within 35 days). |

10. Security

We take the security of your data seriously. Our measures include:

  • Encryption in transit: all traffic to the Service is protected with TLS 1.2 or higher.
  • Encryption at rest: file payloads, file names, and sensitive fields are encrypted with AES-256.
  • Key management: encryption keys are managed so that Vukorix staff cannot read the contents of your files under normal operating conditions.
  • Access controls: least-privilege access for staff, mandatory multi-factor authentication for employees with access to production systems, and detailed access logs.
  • Mandatory 2FA: two-factor authentication is required on every Vukorix customer account.
  • Virus scanning: every upload is scanned by the Warden engine before it becomes available to recipients.
  • Secure development: code review, dependency scanning, and regular security testing.
  • Hosting: primary hosting in ISO 27001-certified data centres.

No system is ever completely secure. If you believe your account has been compromised, or you have discovered a security issue, please contact [email protected] immediately.

11. Cookies and analytics

11.1 What we use cookies for

  • Strictly necessary cookies: keep you signed in, remember your cookie choice, and protect against fraud. These cannot be disabled because the Service would not work without them.
  • Analytics cookies: help us understand how visitors use the marketing site so we can improve it. We use Google Analytics 4 with IP anonymisation enabled and without advertising signals. We do not use Google Analytics to build advertising audiences.
  • Preference cookies: remember minor choices (such as whether you have dismissed a banner).

11.2 Your choices

When you first visit vukorix.com we show a cookie banner. You can accept or reject analytics cookies; your choice is remembered in your browser and can be changed at any time by clearing your site data. Most browsers also let you block or delete cookies; doing so may affect how the Service works.

11.3 Do Not Track and Global Privacy Control

We honour Global Privacy Control (GPC) signals, where applicable, as a valid opt-out of non-essential analytics.

12. Your rights

12.1 Everyone

You can ask us to:

  • confirm what personal information we hold about you;
  • provide you with a copy of that information;
  • correct information that is inaccurate or out of date;
  • delete information we no longer need to keep;
  • close your account.

Email [email protected] to exercise any of these rights. We will respond within 30 days.

12.2 Australia — Privacy Act 1988

If you are in Australia, you have rights of access and correction under the Australian Privacy Principles (Privacy Act 1988 (Cth)). If you are unhappy with how we have handled your personal information, you may complain to the Office of the Australian Information Commissioner (oaic.gov.au).

12.3 EEA and UK — GDPR / UK GDPR

If you are in the EEA, the UK, or Switzerland, you additionally have the right to:

  • restrict processing in certain circumstances;
  • object to processing based on legitimate interests;
  • data portability (receive your information in a structured, machine-readable format);
  • withdraw consent at any time where we rely on consent;
  • lodge a complaint with your local supervisory authority, including the UK Information Commissioner's Office (ico.org.uk).

12.4 California — CCPA / CPRA

If you are a California resident, you have the right to know what personal information we collect about you and why, to request deletion, to correct inaccurate information, and to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law. You can exercise your rights by emailing [email protected]. We will not discriminate against you for exercising these rights.

12.5 Verification

To protect your information, we may ask you to verify your identity before acting on a request. In some cases we may be unable to fulfil a request — for example, where another law requires us to keep the information. We will explain our reasons if we decline.

13. Data breach notification

If we become aware of an eligible data breach that is likely to result in serious harm or a risk to your rights, we will notify you and the relevant regulator without undue delay, in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), the GDPR, the UK GDPR, and any other applicable law. Where practicable we will notify affected individuals within 72 hours of confirming the breach, describe what happened, what information was involved, the steps we are taking, and what you can do.

14. Children's privacy

The Service is intended for business use and is not directed at children under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact [email protected] and we will delete it.

15. Automated decision-making

We do not use personal information to make decisions about you that are solely automated and that produce legal or similarly significant effects. Some features of the Service use automated techniques (for example the Warden virus scanner, the Smart Forms field detector, and fraud-detection heuristics), but these support human decisions rather than replace them.

16. Changes to this policy

We may update this Privacy Policy from time to time. When we make a material change we will update the "Last updated" date above and, if you have an account with us, notify you by email or through a notice in the Service before the change takes effect. Your continued use of the Service after the effective date means you accept the updated policy.

17. Complaints and contact

If you have a question, concern, or complaint about how we handle your personal information, please contact our Privacy Officer first so we have the chance to put things right:

Privacy Officer, Osmicro Networks Pty Ltd
ABN 70 642 841 638
Email: [email protected]
General support: [email protected]

We aim to acknowledge privacy complaints within 5 business days and provide a substantive response within 30 days.

If you are not satisfied with our response, you may lodge a complaint with:

  • Australia: Office of the Australian Information Commissioner — oaic.gov.au
  • United Kingdom: Information Commissioner's Office — ico.org.uk
  • European Economic Area: your local data protection authority.