Central Tracker

Privacy Policy

We collect information you provide, including account details, case data, documents, optional ID numbers, and limited session, device, and usage data to run Central Tracker. We do not sell your personal information. We share data only with service providers who help us operate the app, attorneys you choose to connect with, and government systems when you ask us to check case status.

Effective: June 25, 2026Updated: June 25, 2026

Operator

Central Tracker is operated by BoldVault LLC.

Scope

Public policy for Central Tracker mobile app users and related web services.

Contact

Questions can be sent to legal@boldvault.io, support@boldvault.io, or privacy@boldvault.io.

01

Scope and Roles

This Privacy Policy explains how BoldVault LLC collects, uses, discloses, retains, and protects personal information when you use Central Tracker.

The Service is offered primarily in the United States and Brazil app stores. Data is processed in the United States unless otherwise stated.

Data controller
BoldVault LLC
LGPD controller
BoldVault LLC
Privacy contact
privacy@boldvault.io
Support
support@boldvault.io
02

Information We Collect

  • Account information such as name, email, hashed password, and profile photo.
  • Approximate location such as ZIP or postal code, optional city, and state for marketplace distance matching. We do not collect GPS coordinates for this feature.
  • Immigration cases, USCIS receipt numbers, EOIR details, categories, descriptions, notes, fees, court information, hearing dates, and status history.
  • Documents, including PDF and DOCX uploads, titles, and form types stored in the document vault.
  • Optional US Documentation fields, including driver's license, A-Number, EAD, passport, visa, SSN, and ITIN data.
  • Partner profile information such as firm name, bar number, licensure state, practice areas, and office address.
  • AI conversations, including messages you send and receive through AI features.
  • Marketplace actions such as connection requests, discoverability preferences, referral activity, support communications, and notification preferences.
  • Session and authentication metadata, device information for push delivery, usage analytics, crash logs, and error logs.
  • We do not build individual advertising profiles and do not use your data for third-party ad targeting.
03

Information From Third Parties

  • Google and Apple OAuth may provide name, email, and profile image for sign-in.
  • USCIS and EOIR systems return case status information for identifiers you submit.
  • Postal-code geocoding providers may return approximate coordinates for distance matching.
  • Stripe provides payment status, subscription tier, and transaction IDs. We do not receive or store full card numbers.
  • Google Gemini processes AI request and response payloads for AI features.
  • Tremendous provides gift-card fulfillment metadata for referral redemptions.
04

How We Use Information

  • Provide case tracking, document storage, AI assistance, marketplace features, billing, and notifications.
  • Authenticate users and maintain secure sessions.
  • Query USCIS and EOIR on your behalf using identifiers you provide.
  • Match applicants with attorneys based on approximate location and category, subject to consent settings.
  • Process subscriptions, AI top-ups, and referral rewards through service providers.
  • Generate AI responses using Google Gemini.
  • Send transactional notifications for case updates, security, billing, and marketplace events, and send marketing messages only with consent where required.
  • Enforce plan limits for cases, documents, AI credits, and leads.
  • Improve reliability using aggregated, de-identified analytics and enforce plan limits, security, and legal obligations.
  • Detect fraud, abuse, and security incidents.
05

Legal Bases for Brazil

For users in Brazil, we process personal data under LGPD based on contract performance, consent, legitimate interests, legal obligations, and exercise of rights as applicable.

Sensitive personal data, including immigration status-related information and government identifiers you store, receives heightened protection and is processed based on specific consent or another applicable LGPD basis where required.

06

How We Share Information

We do not sell, rent, or trade your personal information for monetary consideration. We share information only with service providers, attorneys you choose to connect with, organization members authorized for your matter, government systems you ask us to query, and where required for legal, safety, or business-transfer reasons.

Service providers act on our instructions under contractual confidentiality, security obligations, and terms that bind them to this Privacy Policy.

Third parties are prohibited from using your information, including de-identified, anonymized, or pseudonymized data, for their own purposes without your active consent. They may not use your data for their own marketing or unrelated processing.

  • Stripe, Inc. processes payments and subscriptions.
  • Google LLC, through Google AI and Gemini, processes AI request and response payloads for AI inference.
  • Amazon Web Services, Inc. provides encrypted document storage through AWS S3.
  • Neon, Inc. hosts the PostgreSQL database.
  • Upstash, Inc. supports rate limiting and job queues.
  • Expo push infrastructure supports mobile push delivery.
  • Tremendous, Inc. supports referral gift-card fulfillment.
  • Postal-code geocoding providers, including Nominatim/OSM, Zippopotam.us, and CEP Aberto, process postal code data for approximate distance matching.
  • If you enable lawyer discoverability, verified partner attorneys may see approximate distance and immigration category, but not your name or email until you initiate contact.
  • If you initiate a connection, the attorney receives your name and email to contact you about that request.
  • With team collaboration, authorized partner attorneys may access case information for matters you shared. Sharing can help you get attorney support, but authorized collaborators may view shared matters until you revoke access.
  • If you are a client of a law firm using Central Tracker, firm staff with appropriate roles may access case and document data for your matter under the firm's account policies.
  • We transmit USCIS receipt numbers to the USCIS Case Status API to retrieve status. USCIS is an independent controller for information submitted to U.S. government systems.
  • If BoldVault LLC is acquired or merges, information may transfer as part of that transaction. We will notify you at least 30 days before transfer when practicable, and the acquirer must honor this Policy or offer you the option to delete your data.
07

Sensitive Information and Security

  • US Documentation fields such as SSN, ITIN, A-Number, EAD, passport, visa, and driver's license data are encrypted at rest with AES-256-GCM.
  • Immigration case data is private and accessible only to you and authorized collaborators.
  • We use TLS 1.2 or higher for data in transit, encryption at rest, role-based access control, authenticated APIs, and restricted production access.
  • If a breach is likely to pose high risk to your rights, we will notify affected users by email within 72 hours of becoming aware.
  • We do not collect genetic data, health records, or biometric templates beyond what Apple or Google provide for authentication.
  • Immigration information you enter may relate to family members if you choose to store or discuss it in the app. Sharing case or document data with collaborators may affect others named in those records.
  • No method of transmission or storage is 100% secure. You are responsible for safeguarding your device and credentials.
08

Data Retention and Deletion

Active account data is retained while your account is active. Deleted account data is removed from the active database within 30 days through cascading deletion, and encrypted backups are purged on a rolling 90-day cycle.

Dormant accounts may be deleted after three years of inactivity following email notice and a 30-day response window. Stripe financial records are retained under Stripe and legal requirements.

Aggregated, de-identified analytics may be retained indefinitely.

To delete your data, use More, Delete Account in the app or email privacy@boldvault.io. Deletion removes cases, documents, snapshots, AI conversations, US Documentation, location data, and subscription linkage from active systems.

09

Your Privacy Rights

  • All users may access, correct, delete, and request a copy of personal data we hold, opt out of marketing emails, and manage notifications.
  • California residents may request access, deletion, correction, limitation of sensitive information use, and non-discrimination for exercising rights. We do not sell personal information.
  • Brazil residents may confirm processing, access data, correct data, request anonymization or deletion, request portability, revoke consent, and contact ANPD.
  • Contact privacy@boldvault.io to exercise rights. We may verify your identity before responding.
10

International Transfers

BoldVault is operated in the United States. If you access the Service from Brazil or other countries, your information may be transferred to, stored in, and processed in the United States subject to applicable safeguards.

For Brazilian users, international transfers rely on appropriate safeguards, including standard contractual clauses, consent where required, and contractual protections with processors.

11

Automated Processing and AI

AI features generate responses based on your inputs and case context. We do not use AI to make solely automated decisions that produce legal effects without human involvement. AI output is informational only and should be reviewed by you and qualified professionals.

12

Children's Privacy

The Service is not directed to children under 13, or under 16 in the EEA. In Brazil, the Service is intended for users 18 or older or with verified parental consent given the sensitivity of immigration data.

13

Cookies and Web Technologies

The primary Service is a mobile application. If you access boldvault.io or billing pages in a browser, those sites may use essential cookies and similar technologies for authentication, security, and checkout. We do not use third-party advertising cookies on our marketing site.

14

Changes to This Policy

We will notify you of material changes at least 14 days before they take effect by email and/or prominent in-app notice, with a plain-language summary.

If changes materially affect how we collect, use, or share sensitive data, we will obtain your affirmative consent through an in-app prompt before the changes apply to you. You must check a box to accept the updated Terms and Privacy Policy; continued use alone is not sufficient for those changes.

For non-sensitive updates, continued use after the effective date constitutes acceptance. If you disagree, delete your account before the effective date.

15

Contact

Privacy
privacy@boldvault.io
Support
support@boldvault.io
Legal
legal@boldvault.io
Account deletion
Use More, Delete Account in the app or email privacy@boldvault.io.