Privacy Policy

The Vilkax Privacy Policy is the canonical contract on what we collect, why, how long we keep it, and your rights under the EU GDPR, the CCPA, and the other local data-protection laws that apply.

Who we are (data controller)

The controller of your personal data is Vilkax UAB, registered in Lithuania with its registered office in Vilnius and an operating hub in Barcelona, Spain. (Our company registration number and full registered address are published here once incorporation is confirmed.) You can reach us through our contact form; to reach our data-protection contact, select the privacy topic. As an EU-established controller, our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI).

What we collect

What we do NOT collect

Your rights

Children and families

Vilkax is built to protect families, and that starts with how we treat younger users. Under the GDPR (Art. 8), a child can consent to an online service themselves from a national threshold age that varies between 13 and 16 across EU member states. Vilkax is established in Lithuania, where that age is 14: you can create a Vilkax account yourself if you are 14 or older. Below the age that applies to you, we ask that a parent or guardian consents to your use of Vilkax - account creation includes an explicit confirmation of exactly that, and we keep a timestamped record of it.

Automated decisions and profiling (EU AI Act Art. 50 & GDPR Art. 22)

Vilkax uses AI and machine-learning models to generate risk scores, anomaly flags, and threat classifications for users and their accounts. These scores may affect which features are available to you (alert priority, protective tier gates, or escalation routing). No automated decision produces a legal effect or similarly significant impact without the right to human review. Our legal basis for this profiling is Art. 6(1)(b) GDPR (performance of a contract: the core protection service you signed up for) and Art. 6(1)(f) GDPR (legitimate interest in detecting and preventing fraud and account-level threats).

Your rights regarding automated decisions: you can request an explanation of any specific risk score or automated action affecting your account through our contact form. You can also request human review of any decision you consider to have produced an unjust outcome. Every automated decision is logged with its inputs (see the "Explanation" right above).

Where data lives

Account data is stored in a primary region. Edge caches hold only public, anonymous data (marketing pages, public state aggregates). Specific region details are documented in the Sub-processors section of our DPA, available on request.

Contact

Privacy questions: contact our privacy team.
To reach our data protection officer, contact us and select the privacy topic.
Security disclosures: /.well-known/security.txt

Last updated: 2026-07-02 · Version v6 (added the Children and families section - GDPR Art. 8 consent age, parental consent below it, KIN's circle-only consented location sharing, and the parent/guardian contact route; v5 re-based to the EU controller - Vilkax UAB, registered in Vilnius, Lithuania, with an operating hub in Barcelona, Spain - lead supervisory authority the Lithuanian VDAI, scoped to the EU GDPR; v4 disclosed the consent-gated Spotify embed; v3 disclosed device / network / app-usage protection signals, their consent gating, retention, and confirmed signal-data erasure on account deletion)