Privacy Policy

1. Personal data we collect

• Account data: name, email address, encrypted password if you register by email, Google account identifier if you sign in with Google, preferred language and account role.
• Subscription data: plan, subscription status, Stripe customer/subscription identifiers, billing period and cancellation status. Card numbers are processed by Stripe and are not stored by Vaultly.
• Security data: login attempts, IP address, user agent, refresh token records, OAuth anti-forgery state and standard server logs.
• Usage data: unique site and article views counted with a hashed IP address, not the raw IP.
• Preferences: market alert categories, minimum impact, email/browser alert settings, RSS token, RSS language and RSS filters.
• Support data: messages you send in Premium support chat, related conversation metadata and admin replies.
• Profile data: avatar image if you upload one.

2. Why we use data and legal bases

• To provide accounts, authentication, subscriptions, paywall access, RSS feeds and support: performance of a contract.
• To send transactional emails such as verification, welcome, password reset, subscription and market alert emails: performance of a contract or legitimate interest.
• To keep the service secure, prevent abuse, count non-duplicated views and protect paid content: legitimate interest.
• To remember optional choices such as language, cookie acknowledgement and browser notification permission: consent or legitimate interest, depending on the feature.
• To comply with tax, accounting, payment, fraud-prevention and legal obligations: legal obligation.

3. AI, editorial tools and support chat

Vaultly uses AI tools to generate and translate editorial content from public sources. We do not intentionally send payment card data or passwords to AI providers.

If you use Premium support chat, the text you type may be processed by our AI support provider so the bot can answer. Do not send highly sensitive information in chat. You can contact us by email for privacy requests.

4. Processors and third parties

Some providers may process data outside your country. Where required, we rely on contractual safeguards such as standard contractual clauses, adequacy decisions or the provider's legally recognised transfer mechanism.

• Vercel: hosting, delivery and server logs.
• Supabase/PostgreSQL: database, storage for avatars and application data.
• Stripe: checkout, subscriptions, payment processing and billing portal.
• Google: Google OAuth sign-in and Gemini AI services.
• Resend or SMTP email provider: delivery of transactional emails and market alerts.
• Unsplash/Pexels or similar image providers: article images and related attribution.

5. Cookies, local storage and browser notifications

Vaultly uses essential cookies for login, security, language preference and cookie acknowledgement. We do not use advertising cookies. Browser notifications are only used if you enable them, and the browser stores the permission locally. See the Cookie Policy for the full list.

6. Retention

• Account data is kept while your account exists and for the period required to handle legal, accounting, security or dispute obligations.
• Refresh tokens normally expire after 30 days unless revoked earlier. OAuth state cookies expire after about 10 minutes.
• Login attempts and security logs are retained only as long as needed for security and abuse prevention.
• Hashed view records may be kept to preserve non-duplicated analytics without storing raw IP addresses.
• Support conversations, RSS settings and alert preferences are kept until account deletion or until no longer needed for the service.
• Backups may persist for a limited technical period before deletion is completed.

7. Your rights

Depending on your location, you may have the right to access, rectify, erase, restrict, object to processing, receive a portable copy of your data, withdraw consent and lodge a complaint with a data protection authority. To exercise your rights, contact vaultlybusiness@hotmail.com.

8. Children, security and changes

The service is not directed to children under 16. We use technical and organisational measures to protect the service, but no internet service can be guaranteed to be risk-free. We may update this policy when the product, providers or legal requirements change.