Privacy Policy
Last updated: 22 April 2026
This Privacy Policy explains how Vaulta ("we", "us") collects, uses, and protects personal data when you use the Vaulta application and website ("Service"). It applies to you as the account holder; the account holder is the only "data subject" (in the GDPR sense) whose personal data the Service processes.
1. Data Controller
The data controller for the Service is the operator of Vaulta. For any privacy request, contact: [email protected].
2. What We Collect
- Account data: email address, first and last name, password hash, currency and locale preferences, plan tier, creation and login timestamps.
- Financial data: asset categories, asset definitions, monthly snapshot values, invested amounts, and notes. Snapshot values are stored by the Service so they can be shown, exported, and processed for your account.
- Technical data: IP address, user agent, and authentication tokens required to operate sessions and detect abuse. Refresh tokens are stored in HttpOnly cookies, which are not readable by scripts running in the browser.
- Shared reference data: cached stock prices and foreign-exchange rates fetched from third-party providers. These are not linked to your identity.
We do not collect banking credentials, connect to bank accounts, or import transactions. Vaulta is a self-reported tracker.
3. Purpose & Legal Basis
- Providing the Service (Art. 6(1)(b) GDPR — performance of contract): account creation, authentication, storing and displaying your portfolio.
- Security and fraud prevention (Art. 6(1)(f) — legitimate interest): rate limiting, abuse detection, audit logs.
- Legal compliance (Art. 6(1)(c)): responding to lawful requests and retaining records where required.
4. Security Measures
Vaulta uses transport encryption via TLS, authenticated sessions, rate limiting, and account-scoped access controls. Privacy mode is a screen-level masking feature that blurs sensitive values in the user interface; it is not cryptographic encryption. Snapshot values are not currently end-to-end encrypted: they are stored server-side in a form the Service can read in order to display, export, and process them for your account.
5. How We Store Data
Data is hosted on servers located in the European Union (Hetzner, Germany). All traffic is encrypted in transit via TLS. Database records are stored server-side for the purpose of providing the Service.
6. Third-Party Services
- Zitadel (self-hosted) — authentication and identity management. Runs on our infrastructure.
- Stock price providers — we query public market data APIs using ticker symbols only. No personal data is sent.
- Exchange rate providers — we query public forex APIs using currency codes only. No personal data is sent.
- Cloudflare — DNS, TLS termination, DDoS protection. Because Cloudflare terminates TLS, it handles request and response traffic in transit, including your IP address, acting as a processor.
We do not use analytics, advertising networks, social media pixels, or behavioural tracking.
7. Cookies
Vaulta uses only strictly-necessary cookies required to operate the Service:
- Authentication session and refresh-token cookies (HttpOnly).
- Locale preference cookie.
- Theme preference (dark/light), stored in browser local storage rather than in a cookie.
No advertising, analytics, or profiling cookies are set. Because only strictly-necessary cookies are used, no consent banner is required under ePrivacy.
8. Retention
- Account data: retained while your account is active.
- Deleted accounts: all personal data and snapshot records are permanently deleted from the live database within 30 days of account deletion.
- Backups: kept on a rolling 30-day schedule, so a deleted record may persist in backups for up to 30 days after it is removed from the live database.
- Audit logs: security-relevant logs are kept for up to 12 months.
9. Your Rights
Under GDPR you have the right to:
- Access a copy of your data.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten") — use the Delete Account action in Settings.
- Export your data in a portable format (CSV / PDF export).
- Restrict or object to processing.
- Lodge a complaint with your national supervisory authority.
To exercise these rights, contact [email protected]. We respond within 30 days.
10. Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours of becoming aware of it and, where required, notify you without undue delay.
11. Children
Vaulta is not directed to children under 16. We do not knowingly collect data from children.
12. Changes
Material changes to this policy will be announced via email or in-app notice at least 14 days before taking effect.