Legal

Privacy Policy

Effective date: April 7, 2026 · Last updated: April 7, 2026 · Covers GDPR Art. 13 & CCPA §1798.100

Short version: We collect only what's necessary to run Vault. We don't sell your data. You can delete everything at any time.

1. Who We Are

Vault ("we," "us," or "our") is an independent bookmark management service. For privacy enquiries, contact us at privacy@vault.app.

2. Data We Collect

Category	Data	Why	Legal Basis (GDPR)
Account	Email address, hashed password, OAuth provider token	Authentication and account management	Contract performance (Art. 6(1)(b))
Content	Saved URLs, titles, descriptions, collection names	Core service — storing and retrieving your links	Contract performance (Art. 6(1)(b))
Technical	IP address (via Vercel), browser type, timestamps	Security, abuse prevention, debugging	Legitimate interests (Art. 6(1)(f))
Analytics	Page views, feature interactions, funnel events (PostHog)	Understanding how the app is used so we can improve it	Consent (Art. 6(1)(a)) — only after cookie banner acceptance
Error Tracking	JavaScript errors, stack traces (Sentry)	Catching and fixing bugs before users are affected	Consent (Art. 6(1)(a)) — only after cookie banner acceptance

Guest mode: If you use Vault without an account, all link data is stored exclusively in your browser's localStorage. We never see or transmit this data.

3. Who We Share Data With

We do not sell personal data. We share data only with the following service providers ("processors") who help us operate Vault:

Supabase — Database and authentication. Data stored in EU or US regions depending on project configuration. Privacy Policy
Vercel — Web hosting and serverless functions. Processes access logs. Privacy Policy
PostHog — Product analytics. Only loaded after your consent. Privacy Policy
Sentry — Error monitoring. Only loaded after your consent. Error reports may include the URL you were viewing. Privacy Policy

All processors are contractually bound to handle your data only as instructed and in accordance with applicable data protection law.

4. Cookies & Local Storage

Vault uses the following storage mechanisms:

localStorage (essential): Stores your guest links, collection preferences, and your cookie consent choice. Always active.
Supabase session cookie (essential): An authentication JWT set after sign-in. Required for the service to function.
PostHog cookies (analytics, consent required): Used to track sessions and link events across page loads. Blocked until you accept our cookie banner.
Sentry cookies (functional, consent required): Used to correlate errors with sessions. Blocked until you accept our cookie banner.

You can withdraw consent at any time by clearing your browser's local storage or clicking "Decline" in the cookie banner (clear vault_consent from localStorage to see it again).

5. Data Retention

Account data: Retained until you delete your account.
Saved links and collections: Retained until you delete them or your account.
Guest data: Stored in your browser only. Cleared when you clear browser data.
Server logs: Retained for up to 30 days by Vercel for security purposes.
Analytics events: Retained for up to 12 months in PostHog.
Error reports: Retained for up to 90 days in Sentry.

6. Your Rights

Depending on your location, you may have the following rights:

Access: Request a copy of your personal data.
Deletion ("right to be forgotten"): Request deletion of your account and all associated data.
Portability: Request an export of your saved links in JSON format.
Rectification: Correct inaccurate personal data.
Objection / Restriction: Object to processing based on legitimate interests.
CCPA (California): You have the right to know what personal information we collect and to request deletion. We do not sell personal information.

To exercise any of these rights, email privacy@vault.app. We will respond within 30 days.

7. Data Security

We use industry-standard security measures including HTTPS/TLS for data in transit, Supabase Row-Level Security (RLS) policies that restrict each user's access to only their own data, and bcrypt-hashed passwords. No system is 100% secure, and we cannot guarantee absolute security.

8. Children's Privacy

Vault is not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact privacy@vault.app and we will delete it promptly.

9. International Transfers

Your data may be processed in countries outside your own, including the United States and EU member states. Where required by law (e.g., GDPR Chapter V), we rely on Standard Contractual Clauses or adequacy decisions as the transfer mechanism.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify signed-in users via a banner in the app.

11. Contact & Complaints

For privacy questions or to exercise your rights, contact us at privacy@vault.app.

If you are in the EU/EEA and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority.