Privacy Policy

Last updated: April 16, 2026

Collection Vault is a private collectables cataloguing tool. This policy explains what personal data we collect, why we collect it, who receives it, and your rights over it.

Short version: We collect only what is needed to run the service. We do not sell your data, run advertising, or show ads. External services that receive any part of your data fall into three groups: AI providers (Anthropic, OpenAI) receive images and notes you submit for analysis; payment, auth, and infrastructure providers (Stripe, Cloudflare, Google/GitHub/Discord if you use social login) receive the minimum data needed to deliver their function; and privacy-respecting analytics (Umami for pageview counts, PostHog for product usage metrics) receive a pseudonymous user id and a short list of usage events — no emails, names, item content, or images. No third-party advertising or tracking cookies are set.

1. What we collect and why

Data	Purpose	Retention
Email address	Account identity and login	Until account deletion
Username / display name	Personalisation and public share page attribution	Until account deletion
Password (bcrypt hash)	Authentication — the original password is never stored	Until account deletion
Photos you upload	Item cataloguing and AI analysis	Until you delete the item or account
Item notes, grades, values	Collection management	Until you delete the item or account
IP address + email (sign-in log)	Security — detect brute-force attacks and unauthorised access	90 days, then automatically deleted
Google profile (email, name, avatar)	Only if you sign in with Google — used to create your account	Until account deletion

2. Third-party services that receive your data

We minimise data sent to external services. No third party receives your email address, username, or account details except Stripe (for billing) and the OAuth providers you choose to use (Google, GitHub, Discord).

Service	What is sent	Why
Anthropic (Claude AI)	Photos and item notes you submit for analysis	AI-powered grading and valuation
OpenAI (GPT-4o)	Photos and item notes (only if OpenAI provider is configured)	AI-powered grading and valuation
eBay Browse API	Item name and year (as a search query)	Market price lookups
Google / GitHub / Discord	OAuth profile (email, name, avatar) — only if you use the corresponding social sign-in	Authentication
Stripe	Name, email, and billing details you provide during checkout	Payment processing for paid subscriptions. Card data is handled entirely by Stripe and never stored on our servers.
Resend (email provider)	Your email address and the content of transactional emails we send you (password reset, email verification, analysis-complete notification, price alerts, support replies)	Delivering transactional email. We do not send marketing email.
Umami (self-hosted web analytics)	Pageview counts and referrer, without any personal identifier. Runs on infrastructure we operate ourselves — no third-party tracker.	Understanding which public pages visitors use. No cookies, no fingerprinting.
PostHog Cloud (product analytics, US region)	Only when you are signed in. We send: a pseudonymous user id (a random UUID tied to your account), the name of the event (for example `item_uploaded`, `analysis_complete`, `credit_pack_purchased`), a small number of non-identifying properties about that event (for example the analysis tier or credit pack id), and standard browser metadata (browser, OS, page URL within our app). We do not send: your email address, username, display name, IP address, item names, item photos, item notes, comments, or any AI output. How it is stored: PostHog stores its identifier in memory only while the page is open — no cookies, no localStorage. Closing the tab ends the session. Session recording is disabled.	Measuring which features are used, identifying bugs, and improving the product. We cannot run a viable service without some measurement of how it is being used.
Cloudflare	All traffic passes through Cloudflare's network (IP address, request metadata)	CDN, DDoS protection, and encrypted transport. Cloudflare is our hosting infrastructure provider.
Cloudflare R2	Your uploaded images and encrypted database records	Encrypted cloud storage for backups. Images are encrypted with AES-256 (Restic) before upload. Database records are continuously replicated via Litestream. Data is stored in Cloudflare's infrastructure and is not used for any purpose other than disaster recovery.

Fonts (Playfair Display, DM Sans) are served from our own server — no requests are made to Google Fonts or any other font CDN.

3. Cookies

We set one cookie:

Cookie	Purpose	Expiry	Type
`vault_token`	Keeps you signed in between sessions (JWT authentication token)	30 days	Strictly necessary — the site cannot function without it

No analytics cookies, advertising cookies, or tracking pixels are used. We do measure in-app usage via PostHog (see the third-party services table above), but PostHog is configured with memory-only persistence — it does not write any cookie, localStorage entry, or other persistent identifier to your browser. Pageview measurement via Umami is similarly cookieless. No consent banner is required because no cookie is set for analytics or tracking purposes; the only cookie on this site is the strictly-necessary authentication cookie.

4. Your rights

Under GDPR (if you are in the EU/EEA/UK) and CCPA (if you are in California) you have the right to:

Access — request a copy of the personal data we hold about you
Deletion — request that your account and all associated data be permanently deleted. When an account is deleted, all items, images, categories, wishlists, and sign-in records are immediately removed from the live database. Backup retention note: encrypted image backups (Restic, stored in Cloudflare R2) are retained for up to 12 months under a 7-daily / 4-weekly / 12-monthly rotation schedule and are used exclusively for disaster recovery — they are never queried or processed operationally. Deleted data ages out of all backups within 12 months. This is consistent with GDPR guidance that backup copies used solely for business continuity are permissible for a reasonable retention period.
Rectification — correct inaccurate data (email, username, and display name are editable within the app)
Portability — export your collection as CSV, PDF, or a full JSON data archive from within the app at any time
Objection — object to processing where our lawful basis is legitimate interest

To exercise any of these rights, use the self-service tools in your Profile page (Settings → Data & Privacy) — you can download a full data export or permanently delete your account without contacting anyone. For other requests, contact the site administrator.

5. Lawful basis for processing (GDPR)

Contract — processing your account data and uploaded items is necessary to provide the service you signed up for
Legitimate interest — the sign-in security log (IP + email, 90-day retention) is necessary to detect and respond to unauthorised access attempts
Consent — if you choose to sign in with Google, you consent to us receiving your Google profile at that point

6. Data security

All traffic is encrypted in transit via TLS (HTTPS)
Passwords are stored as bcrypt hashes — the original password is never stored or logged
The authentication cookie is httpOnly (not accessible to JavaScript) and uses SameSite=Lax to prevent cross-site request forgery
The application server is not directly reachable from the internet — all requests pass through Nginx and Cloudflare
Your uploaded images are backed up daily to encrypted cloud storage (AES-256 via Restic). The database is continuously replicated in real time. Backups are encrypted before leaving our server — the cloud provider cannot read the contents
API keys for AI providers (if you supply your own) are encrypted at rest using AES-256 before being stored

7. Children

Collection Vault is not directed at children under 13. We do not knowingly collect personal data from children.

8. Changes to this policy

If we make material changes to this policy, we will update the "Last updated" date above. Continued use of the service after changes constitutes acceptance of the revised policy.

9. Contact

For privacy requests or questions about this policy, contact the site administrator. If you believe your data has been processed unlawfully, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your EU member state's supervisory authority).