The data controller for Vault is:
The Vault team
Website: vaultwishlist.com
Contact: a dedicated support email address is being set up and will be published here shortly.
For any privacy-related request, use the contact channel above with the subject "Privacy".
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address and password (hashed) | Creating and securing your account, sign-in, account recovery | Art. 6(1)(b) — contract performance |
| Your vault content (saved items, titles, links, image URLs, prices, notes, lists, reminders) | Providing the core service: storing and syncing your wishlists across devices | Art. 6(1)(b) — contract performance |
| Subscription status (Free / Plus) | Activating paid features you purchased | Art. 6(1)(b) — contract performance |
| Names entered by guests when reserving a gift on a shared gift list | Showing other guests that a gift is taken, to avoid duplicates | Art. 6(1)(f) — legitimate interest of the list participants |
| Technical logs (IP address, timestamps) processed by our infrastructure providers | Security, abuse prevention, service operation | Art. 6(1)(f) — legitimate interest |
We do not collect: payment card numbers (handled by Stripe), precise location, contacts, advertising identifiers, or behavioural profiles.
Passwords are never stored or transmitted in plain text. Authentication is operated by Supabase, which stores passwords using the industry-standard bcrypt hashing algorithm. Neither we nor Supabase can read your password.
We use a small number of service providers ("processors") to run Vault:
| Provider | Role | Location / transfers |
|---|---|---|
| Supabase (Supabase Inc.) | Database, authentication, backend functions — stores your account and vault data | Project hosted in the EU. Supabase privacy policy |
| Stripe (Stripe, Inc.) | Payment processing for Vault Plus subscriptions — card data is entered on Stripe's own pages and never touches our servers | EU/US — Stripe participates in the EU-US Data Privacy Framework. Stripe privacy policy |
| GitHub Pages (GitHub, Inc.) | Hosting of the app's static files | Global CDN — GitHub participates in the EU-US Data Privacy Framework. GitHub privacy statement |
When you use "fetch data" on a product link, the request to read that page is made by our backend on your behalf; the target site sees our server's request, not your identity.
Vault uses only technical storage that is strictly necessary for the app to function:
We use no analytics, advertising, or profiling cookies. Because this storage is strictly necessary, it does not require consent under the ePrivacy rules — we show a notice for transparency. If you clear your browser storage, local data is removed (cloud-synced data remains in your account).
Stripe's checkout pages, which open on stripe.com when you subscribe, set their own cookies as an independent controller — see Stripe's policy linked above.
You have the right to:
To exercise any right, contact us through the channel indicated in section 1. We respond within 30 days.
Vault is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
If we make material changes, we will show a notice in the app before the changes take effect. The "last updated" date at the top always reflects the current version.