Privacy Policy

Last updated: 3 July 2026 · Applies to vaultwishlist.com and the Vault app
In short: Vault stores your account email and the wishlist data you create, so the app can work and sync across your devices. We don't run ads, we don't sell your data, and we don't use tracking or profiling cookies. Payments are handled entirely by Stripe — we never see your card details.

1. Data Controller

The data controller for Vault is:

The Vault team
Website: vaultwishlist.com
Contact: a dedicated support email address is being set up and will be published here shortly.

For any privacy-related request, use the contact channel above with the subject "Privacy".

2. What data we collect and why

| Data | Purpose | Legal basis (GDPR) |
| --- | --- | --- |
| Email address and password (hashed) | Creating and securing your account, sign-in, account recovery | Art. 6(1)(b) — contract performance |
| Your vault content (saved items, titles, links, image URLs, prices, notes, lists, reminders) | Providing the core service: storing and syncing your wishlists across devices | Art. 6(1)(b) — contract performance |
| Subscription status (Free / Plus) | Activating paid features you purchased | Art. 6(1)(b) — contract performance |
| Names entered by guests when reserving a gift on a shared gift list | Showing other guests that a gift is taken, to avoid duplicates | Art. 6(1)(f) — legitimate interest of the list participants |
| Technical logs (IP address, timestamps) processed by our infrastructure providers | Security, abuse prevention, service operation | Art. 6(1)(f) — legitimate interest |

We do not collect: payment card numbers (handled by Stripe), precise location, contacts, advertising identifiers, or behavioural profiles.

3. Passwords

Passwords are never stored or transmitted in plain text. Authentication is operated by Supabase, which stores passwords using the industry-standard bcrypt hashing algorithm. Neither we nor Supabase can read your password.

4. Where your data lives (processors)

We use a small number of service providers ("processors") to run Vault:

| Provider | Role | Location / transfers |
| --- | --- | --- |
| Supabase (Supabase Inc.) | Database, authentication, backend functions — stores your account and vault data | Project hosted in the EU. Supabase privacy policy |
| Stripe (Stripe, Inc.) | Payment processing for Vault Plus subscriptions — card data is entered on Stripe's own pages and never touches our servers | EU/US — Stripe participates in the EU-US Data Privacy Framework. Stripe privacy policy |
| GitHub Pages (GitHub, Inc.) | Hosting of the app's static files | Global CDN — GitHub participates in the EU-US Data Privacy Framework. GitHub privacy statement |

When you use "fetch data" on a product link, the request to read that page is made by our backend on your behalf; the target site sees our server's request, not your identity.

5. Cookies and local storage

Vault uses only technical storage that is strictly necessary for the app to function:

We use no analytics, advertising, or profiling cookies. Because this storage is strictly necessary, it does not require consent under the ePrivacy rules — we show a notice for transparency. If you clear your browser storage, local data is removed (cloud-synced data remains in your account).

Stripe's checkout pages, which open on stripe.com when you subscribe, set their own cookies as an independent controller — see Stripe's policy linked above.

6. How long we keep data

7. Your rights (GDPR Articles 15–22)

You have the right to:

To exercise any right, contact us through the channel indicated in section 1. We respond within 30 days.

8. Security

9. Children

Vault is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

10. Changes to this policy

If we make material changes, we will show a notice in the app before the changes take effect. The "last updated" date at the top always reflects the current version.