Privacy Policy

Vulta — Automated Chargeback Defense Platform

Effective Date: March 18, 2026

1. Introduction

Vulta AI ("Vulta," "we," "us," or "our") operates an automated chargeback defense platform for digital product merchants. This Privacy Policy explains how we collect, use, store, and protect information in connection with the Vulta AI Service — including the Vulta Pixel tracking script (vulta.js), the Evidence Vault, and all related platform components.

This Policy is addressed to two distinct audiences:

  • Merchants — businesses that register for and use the Vulta AI platform to manage chargeback disputes. Merchants are the primary contracting parties and are subject to our Terms of Service.
  • End Customers — the customers of our Merchants, whose data is captured by the Vulta Pixel as a result of their interactions with the Merchant's platform. Vulta processes End Customer data solely on behalf of the Merchant.

By using the Service, Merchants acknowledge and accept this Privacy Policy. End Customers should be informed of this Policy by their Merchant, as described in Section 6.

2. Data Controller & Data Processor

This is a critical legal distinction. Vulta AI operates strictly as a Data Processor with respect to End Customer personal data. The Merchant operates as the Data Controller for all personal data collected about its own end customers through the Vulta Pixel.

2.1 Merchant as Data Controller

The Merchant determines the purposes and means of processing End Customer personal data. The Merchant is responsible for ensuring that its collection and use of End Customer data via the Vulta Pixel complies with all applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable privacy legislation. The Merchant must have a valid legal basis for processing End Customer data (e.g., legitimate interest in fraud prevention or explicit consent).

2.2 Vulta AI as Data Processor

Vulta processes End Customer personal data exclusively on behalf of, and under the documented instructions of, the Merchant. Vulta does not determine the purposes of processing End Customer data and does not process such data for its own commercial purposes. Vulta will not sell, rent, license, or otherwise exploit End Customer personal data to any third party.

Merchants who require a Data Processing Agreement (DPA) for GDPR compliance may request one by contacting aaron@vultahq.com.

2.3 Merchant Account Data

With respect to data Merchants provide about themselves (name, email address, business information, payment details), Vulta acts as an independent Data Controller and processes such data pursuant to its own legitimate interests in operating the platform and fulfilling its contractual obligations.

3. The Vulta Pixel (vulta.js)

The Vulta Pixel is a lightweight JavaScript tracking script that Merchants embed in the <head> section of their online platforms (course platforms, membership sites, sales funnels, etc.). Once installed, the Pixel operates passively in the background and captures defined behavioral and technical data signals each time an End Customer interacts with the Merchant's platform.

The Pixel is loaded from https://api.vultahq.com/pixel/vulta.js and communicates exclusively with Vulta's servers. It does not load any third-party scripts, set any cookies on the End Customer's browser, or communicate with any advertising, analytics, or tracking network.

The Pixel is activated only after the Merchant calls Vulta.init(productId) with the Merchant's unique product identifier. Data is transmitted to Vulta's servers using the browser's native navigator.sendBeacon() API, with a fetch() keepalive fallback, ensuring reliable delivery without degrading page performance.

THE SOLE PURPOSE OF THE VULTA PIXEL IS FRAUD PREVENTION AND CHARGEBACK MITIGATION. THE PIXEL IS NOT USED FOR ADVERTISING, BEHAVIORAL PROFILING, AUDIENCE TARGETING, RETARGETING, OR ANY COMMERCIAL PURPOSE OTHER THAN GENERATING EVIDENCE FOR THE RESOLUTION OF PAYMENT CARD DISPUTES ON BEHALF OF THE MERCHANT.

4. What We Collect & Why

Through the Vulta Pixel and platform interactions, we collect the following categories of data:

4.1 Network & Device Identifiers

  • IP Address: The IPv4 or IPv6 address from which the End Customer accesses the Merchant's platform. Used to establish geolocation consistency and verify that transactions originated from the cardholder's known network environment.
  • Device ID / Fingerprint: A unique identifier derived from the browser and hardware characteristics of the End Customer's device, including User-Agent string, screen resolution, language settings, timezone, platform type, and hardware concurrency. This identifier is used to confirm that access occurred on a device previously associated with the cardholder's account.
  • User-Agent String: The full browser and operating system identifier string transmitted by the End Customer's browser in every HTTP request. Used to characterize the device used during purchase and subsequent access.

4.2 Behavioral & Engagement Data

  • Session Timestamps: The date and time (in UTC) of each authenticated login session initiated by the End Customer on the Merchant's platform after purchase. Used to document repeated, voluntary engagement with the purchased digital product.
  • Course Completion Percentage: A numeric value (0–100%) reflecting the proportion of course content or digital product content accessed or completed by the End Customer. Used as the primary indicator of service delivery and consumption.
  • Last Module Accessed: The name or identifier of the most recently accessed content module within the purchased product. Used to demonstrate specific, progressive engagement with the product.
  • Terms of Service Acceptance Timestamp: The date and time at which the End Customer explicitly accepted the Merchant's Terms of Service and refund policy during or before the purchase process, together with the associated contextual data. This is the single most important piece of legal evidence collected by the Pixel and constitutes proof of informed, voluntary consent.
  • Support Interaction Logs: Records of communications between the End Customer and the Merchant's support channels (chatbot, email, help desk), specifically the number and timestamps of interactions. Used to demonstrate that no dispute or refund request was raised through proper channels prior to the chargeback.

4.3 Merchant Account Data

  • Registration Information: Full name, email address, and password hash (bcrypt). We never store passwords in plaintext.
  • Payment Processor Credentials: Stripe Secret Keys and Webhook Signing Secrets provided by the Merchant. These credentials are encrypted at rest using AES-128 symmetric encryption (Fernet) before storage in our database and are never stored in plaintext.

4.4 Data We Do NOT Collect

The Vulta Pixel does not collect and Vulta does not store:

  • Payment card numbers, CVV codes, or bank account information;
  • Government-issued identification numbers or documents;
  • Health or medical information;
  • Precise geolocation data (GPS coordinates);
  • Biometric data of any kind;
  • The full content of communications between End Customers and Merchants;
  • Browsing history outside of the Merchant's platform where the Pixel is installed.

5. Stripe Connect Data

Data obtained through the Stripe Connect OAuth integration is used exclusively for the purpose of processing and responding to payment card disputes on behalf of the Merchant. This data is never used for any other purpose.

When a Merchant connects their Stripe account to Vulta via Stripe Connect OAuth, Vulta receives and stores the following Stripe-provided data:

  • The Merchant's Stripe Account ID;
  • An OAuth access token scoped to dispute evidence submission;
  • Dispute metadata from charge.dispute.created and related Stripe webhook events, including: dispute ID, disputed amount, currency, reason code, evidence deadline, and the customer email associated with the disputed charge.

Vulta uses this data exclusively to: (a) verify the authenticity of incoming webhook events; (b) match disputes to the corresponding merchant and evidence records; (c) upload and submit evidence packages to Stripe's dispute API; and (d) track dispute outcomes for commission calculation purposes.

Stripe's own collection and processing of data in connection with the Stripe Connect integration is governed by Stripe's Privacy Policy, available at stripe.com/privacy.

6. Merchant's Disclosure Obligation

MERCHANTS ARE LEGALLY REQUIRED TO DISCLOSE TO THEIR END CUSTOMERS THAT A THIRD-PARTY FRAUD PREVENTION PROCESSOR (VULTA AI) COLLECTS AND PROCESSES BEHAVIORAL AND TECHNICAL DATA ABOUT THEIR INTERACTIONS WITH THE MERCHANT'S PLATFORM. THIS IS NOT OPTIONAL. FAILURE TO MAKE THIS DISCLOSURE MAY CONSTITUTE A VIOLATION OF APPLICABLE DATA PROTECTION LAWS, INCLUDING THE GDPR AND CCPA, FOR WHICH THE MERCHANT BEARS SOLE AND EXCLUSIVE LEGAL RESPONSIBILITY.

By installing the Vulta Pixel, the Merchant agrees to:

  • Update their Privacy Policy to include a description of Vulta AI as a third-party data processor engaged for fraud prevention purposes, the categories of data collected (as described in Section 4), the purpose of collection (chargeback mitigation), and a link to this Privacy Policy.
  • Update their Cookie Consent Banner or Consent Management Platform (if applicable) to disclose the use of the Vulta tracking script if required by applicable law (e.g., under the ePrivacy Directive for EU-resident users).
  • Obtain any necessary consents from End Customers required under applicable law prior to deploying the Pixel and collecting data.
  • Respond to End Customer data rights requests (access, deletion, portability) under applicable law. Vulta will reasonably assist Merchants in fulfilling verified deletion requests; contact aaron@vultahq.com.

Suggested disclosure language for Merchants (to be adapted to the Merchant's specific platform and legal context):

"We use Vulta AI, a third-party fraud prevention and chargeback mitigation service, to collect technical and behavioral data about your interactions with our platform. This data includes your IP address, device identifier, session timestamps, Terms of Service acceptance records, and course engagement metrics. This data is collected solely for the purpose of defending against illegitimate payment disputes and is never used for advertising or profiling. For more information, see Vulta AI's Privacy Policy at vultahq.com/privacy."

7. Data Sharing & Third Parties

Vulta does not sell, rent, or trade personal data. We share data only in the following limited circumstances:

7.1 Stripe

Evidence packages, including End Customer data, are transmitted to Stripe's API for the purpose of responding to specific disputes. This sharing is the core function of the Service and is authorized by the Merchant.

7.2 Anthropic (AI Processing)

Dispute evidence data (including customer email, disputed amount, and anonymized behavioral signals) is transmitted to Anthropic's Claude API to generate chargeback rebuttal letters. Anthropic's data handling for API customers is governed by Anthropic's usage policies, which confirm that data submitted via the API is not used to train Anthropic's models.

7.3 Infrastructure Providers

We use Railway (cloud hosting) and PostgreSQL-compatible database services for infrastructure. These providers process data on our behalf under appropriate data processing terms.

7.4 Legal Requirements

We may disclose data if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Vulta, our Merchants, or others.

8. Data Retention

We retain End Customer evidence data for as long as the Merchant maintains an active account with Vulta and for a period of ninety (90) days following account termination, after which it is permanently deleted from our systems, unless longer retention is required by applicable law or to resolve an active legal dispute.

Dispute records (including outcome data used for commission calculation) are retained for seven (7) years from the date of the dispute outcome for financial record-keeping purposes.

Merchant account data is retained for thirty (30) days following account deletion and then permanently purged.

9. Security

Vulta implements industry-standard technical and organizational security measures to protect data against unauthorized access, disclosure, alteration, or destruction. These measures include:

  • AES-128 symmetric encryption (Fernet) for Stripe credentials stored in the database;
  • bcrypt password hashing for all Merchant account passwords;
  • JWT-based authentication with short-lived tokens (60 minutes);
  • HTTPS/TLS encryption for all data in transit;
  • Role-based access controls restricting data access to authorized personnel;
  • Rate limiting on all authentication and public-facing API endpoints.

While we implement these measures, no security system is impenetrable. In the event of a data breach affecting Merchant or End Customer data, Vulta will notify affected Merchants in accordance with applicable law and without undue delay.

10. Data Subject Rights

10.1 Rights of End Customers

End Customers whose data has been collected by the Vulta Pixel have rights under applicable data protection law, which may include the right to access, rectify, erase, restrict processing of, or port their personal data. Because Vulta processes End Customer data solely on behalf of the Merchant (Data Controller), End Customers must direct their requests to the Merchant. Vulta will cooperate with and assist Merchants in fulfilling verified requests.

10.2 Rights of Merchants

Merchants may access, update, export, or request deletion of their account data by contacting us at aaron@vultahq.com or through the account settings in the dashboard. We will respond to verified requests within thirty (30) days.

10.3 California Residents (CCPA)

California residents have specific rights under the CCPA, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. Vulta does not sell personal information. To exercise your CCPA rights, contact aaron@vultahq.com.

11. International Data Transfers

Vulta's infrastructure is hosted in the United States. If you are a Merchant or End Customer located outside the United States, your data may be transferred to and processed in the United States, which may not provide the same level of data protection as your country of residence.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, Vulta relies on Standard Contractual Clauses (SCCs) as the legal transfer mechanism. Merchants requiring SCCs may request them by contacting us at aaron@vultahq.com.

12. No Services to Minors

The Service is directed exclusively at businesses and their representatives who are at least 18 years of age. Vulta does not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected personal data from a minor, we will take steps to delete such data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify Merchants by email and by posting the updated Policy on our website with a new effective date. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes.

14. Contact & Data Protection Inquiries

For any questions, concerns, or requests related to this Privacy Policy or the processing of personal data, please contact us at:

Vulta AI — Data Protection
Email: aaron@vultahq.com
Website: www.vultahq.com

Merchants in the European Union who believe their data protection rights have been violated may lodge a complaint with their local supervisory authority.

© 2026 Vulta AI. All rights reserved.