Privacy Policy

Last updated: 2026-05-06

Vault is a manual budget tracker. The whole point of this product is that we don't link to your bank, don't show ads, and don't sell your data. This page documents exactly what that means in practice.

What we collect

• Email address — used as your username and to send transactional email (verification, password reset, lockout notice, deletion confirmation).
• Password hash — a one-way scrypt hash. The plaintext password is never stored or logged.
• Financial data you enter — transactions (amount, currency, category, date, optional description), recurring bills, lump-sum bills, monthly budgets, savings goals, and your currency / theme preferences.
• Feedback you submit — the message text, optional rating, and the page you submitted from.
• Security audit log — for events like sign-in, password reset, and account deletion: the timestamp, your IP address (truncated to 45 characters), your User-Agent string, and event-specific metadata. Used for forensic replay if your account is compromised. Retained for 365 days, then deleted.

What we DON'T collect

• Bank credentials, account numbers, transaction feeds from any aggregator.
• Location data, contacts, social-media graph, device IDs.
• Cross-site tracking cookies. Vault sets exactly one cookie, the session cookie, and only after you sign in.
• Behavioural advertising profiles. There are no ad networks loaded on any Vault page.

Third parties

The following services touch your data when configured. Each is opt-in via an environment variable; they can be disabled at any time without breaking the app.

• Render — hosting (North American region). Operates the server, the database disk, and the TLS certificate.
• Plausible Analytics — privacy-friendly, cookie-less page-view counting. Only loaded on public marketing pages (landing, guide, blog) — never on the dashboard or any signed-in page. Plausible doesn't track individuals and uses no cookies.
• Sentry — backend error tracking when SENTRY_DSN is set. URL paths containing one-time tokens (password-reset, email-verify) are scrubbed before transmission. send_default_pii is off.
• SMTP provider — currently Gmail SMTP — for transactional email delivery only (verification, reset, lockout, deletion confirmation). The provider sees the recipient address and the email body.

Retention

• Active account data — kept until you delete your account.
• Password reset tokens — expire in 1 hour, purged after 30 days.
• Email verification tokens — expire in 24 hours, purged after 30 days.
• Audit log entries — kept for 365 days, then automatically pruned.
• Server logs (Render) — managed by Render's retention policy; typically 7-30 days.

Your rights

Under Quebec's Law 25 (in force since September 2023) and the EU General Data Protection Regulation, you have the following rights. All of them are self-service in the app.

• Access — sign in and view all your data on the dashboard, transactions, budgets, bills, goals, and reports pages.
• Correction — edit any record using the in-app forms.
• Portability — Settings → "Download my data (.zip)". Includes every CSV plus an account.json summary.
• Erasure — Settings → Danger zone → "Delete my account". Re-prompts for your password, then permanently deletes every per-user row, including the audit log.
• Withdrawal of consent — same as Erasure.

Privacy contact

For privacy questions or to escalate a concern, contact the maintainer at [email protected]. Under Law 25, this address is also the designated privacy officer of record.

Changes to this policy

If material changes are made, the “Last updated” date at the top of this page bumps. Significant changes will be announced via email to active accounts.