Vault Privacy Policy

Effective date: [SET ON PUBLISH]
Last updated: [SET ON PUBLISH]

Vault ("we", "us", "our") is a personal finance application that helps you track spending, set budgets, save toward goals, and split expenses with people you trust. We take your privacy seriously. This policy explains what data we collect, why, how we handle it, and the rights you have over it.

By using Vault, you agree to the practices described below.


1. Who we are and how to reach us

Controller: Akash Unnikrishnan (sole developer, trading as "Vault").
Contact: akash.feb12@gmail.com
Jurisdiction: United Kingdom.
Data-protection enquiries can be directed to the UK Information Commissioner's Office (ico.org.uk).


2. Data we collect

2.1 Account data (from sign-in)

When you sign in with Apple or Google:

  • Apple Sign-In: your Apple-issued user identifier, and (on first sign-in only, if you allow it) your name and email. If you choose Apple's "Hide My Email" feature, we receive a relay address that Apple forwards to your real address.
  • Google Sign-In: your Google user ID, name, email, and profile picture URL.

We do not receive your Apple or Google password. Authentication happens entirely on Apple's or Google's servers.

2.2 Profile data (you provide)

  • Display name, optional profile photo, preferred currency, optional monthly budget goal, optional biometric-lock preference.

2.3 Financial data

  • Manual transactions you add — amount, date, merchant, category, note, currency.
  • Bank transactions imported via TrueLayer — amount, date, merchant, transaction type, pending/settled status, currency. Only transactions from accounts you explicitly link. You can unlink at any time.
  • Budgets, savings goals, categories, recurring-expense rules, merchant→category mappings — all user-created.
  • Bank connection metadata — institution name, logo, connection status, encrypted TrueLayer refresh token. We never store your bank credentials.
  • Shared-space expenses — expenses you log in a shared space (flat, trip, group) and who owes what.

2.4 Device and technical data

  • Device identifier (identifierForVendor), app version, iOS version, time zone, language.
  • Crash logs and diagnostic events (via Apple's standard TestFlight/App Store logging when you opt in at install).
  • IP address (visible to our edge functions for the duration of each request).

2.5 Data we do NOT collect

  • Your Apple ID password, Google password, or bank credentials.
  • Contacts, calendar, photos (unless you explicitly attach one — e.g. a profile picture — which is uploaded only when you tap the picker).
  • Location data. Vault does not request location permission.
  • Cross-app advertising identifiers. We do not track you across other apps or websites.

3. Why we process this data (lawful bases under UK GDPR)

| Purpose | Lawful basis |
|---|---|
| Create and maintain your account | Contract (Article 6(1)(b)) |
| Sync your data across your devices | Contract |
| Import bank transactions via TrueLayer | Contract + explicit consent to bank linking |
| Send push notifications (budget alerts, bill reminders, weekly summaries) | Consent — you can disable in iOS Settings or Vault's notification settings at any time |
| Process subscription purchases | Contract |
| Detect abuse, fraud, and security incidents (rate limiting, auth logs) | Legitimate interest |
| Comply with legal, tax, and App Store requirements | Legal obligation |

We do not use your data for advertising, profiling, or automated decision-making.


4. Who sees your data (processors)

We use the following sub-processors:

  • Supabase Inc. — database, authentication session storage, edge functions (Frankfurt, EU region). GDPR-compliant, Standard Contractual Clauses in place.
  • TrueLayer Ltd. — UK-regulated Open Banking provider, used only when you explicitly link a bank account. See https://truelayer.com/privacy.
  • Apple — Sign in with Apple, App Store / StoreKit subscriptions, push notification delivery, crash reporting.
  • Google — Google Sign-In authentication.

We do not sell or share your data with advertising networks, data brokers, or any other third parties.


5. Where your data is stored

  • On your device: local cache via Apple's SwiftData (encrypted at the filesystem level when your device is locked).
  • On Supabase's EU servers: account, profile, transaction, budget, space, and subscription data. Encrypted at rest by Supabase. Bank refresh tokens are additionally encrypted by us with AES-256-GCM before being stored.
  • Apple Keychain on your device: your Vault session token (hardware-encrypted, inaccessible to other apps).

All data transfers use TLS 1.3. We hash session tokens at rest so a database breach would not yield usable session credentials.


6. How long we keep it

  • Active account data: kept as long as your account exists.
  • Deleted accounts: permanently deleted within 30 days of your deletion request. No backups retained beyond 30 days for personal data (some aggregated, non-identifying logs may persist longer for abuse prevention).
  • Bank connections: deleted immediately when you unlink a bank.
  • Session tokens: 30 days from last use, then expire and are deleted.
  • Rate-limiting logs: IP hashes kept for 24 hours, then auto-purged.

7. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access — request a copy of your data. Settings → Privacy → Export Data (CSV) exports transactions immediately; email us for a full JSON export of all other records.
  • Rectification — correct inaccurate data directly in the app, or email us for anything you can't edit in-app.
  • Erasure (delete) — Settings → Privacy → Delete Account. This hard-deletes every row associated with your account across all tables, revokes any bank connections via TrueLayer's revoke API, and signs you out. Completed within 30 days.
  • Portability — the CSV export covers this for transactions. Full JSON export on email request.
  • Object to processing — email us and we'll stop.
  • Withdraw consent — any time, via in-app toggles (notifications) or by deleting your account.
  • Complain — to the UK Information Commissioner's Office at ico.org.uk if you believe we've mishandled your data.

We respond to requests within 30 days. No fee unless the request is repetitive or excessive.


8. Children

Vault is not directed to children under 13 and we do not knowingly collect their data. If you believe a child has created an account, contact us and we will delete it.


9. International transfers

Data is primarily stored in the EU (Supabase Frankfurt region). When Apple or Google processes authentication, your data may transit their US infrastructure briefly. Both Apple and Google have appropriate transfer safeguards (Standard Contractual Clauses, Data Privacy Framework). TrueLayer processes exclusively within the UK/EEA.


10. Security

  • All traffic uses TLS 1.3.
  • Session tokens are stored in the iOS Keychain with the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly accessibility class — device-encrypted and excluded from iCloud backups.
  • Supabase session tokens hashed (SHA-256) at rest.
  • Bank refresh tokens encrypted with AES-256-GCM.
  • Apple Sign-In uses JWT RS256 signature verification + nonce replay-protection.
  • Row-Level Security enabled on every database table; edge functions enforce server-side user scoping.
  • Rate limiting on authentication and invite-code endpoints.
  • No security control is perfect. If you discover a vulnerability, please email us at akash.feb12@gmail.com.

11. Subscriptions, IAPs, and billing

Subscriptions (monthly or yearly) are processed by Apple via StoreKit. We do not receive your payment details — only a confirmation that your subscription is active. You can cancel anytime from Settings → Apple ID → Subscriptions. Refunds are handled by Apple per their refund policy.


12. Changes to this policy

We will notify you of material changes via an in-app banner before they take effect. The "Last updated" date above reflects the latest revision.


Questions? Email akash.feb12@gmail.com.