The data controller responsible for processing your personal data in connection with VantageVault is:
VantageVault ("we", "us", "our"), operated by SyncPointFlow (Netherlands), is committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the Dutch Implementation Act (UAVG), and applicable ePrivacy/Cookie Law. This Privacy & Cookie Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using VantageVault you acknowledge this policy. If you do not agree, please discontinue use. You can also view our standalone Cookie Policy.
When you create an account we collect your email address and a chosen username. Your password is never stored in plaintext — it is used exclusively on your device to derive an encryption key, and a hashed credential is managed by Supabase (our authentication provider).
Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) — required to provide the Service you signed up for.
Images, OCR-extracted text, and custom names you upload are encrypted with AES-256 on your device before transmission. We store only the encrypted ciphertext. Because we do not hold your decryption keys, we have zero access to your plaintext data.
Legal basis: Contractual necessity (Art. 6(1)(b) GDPR).
When you interact with our Service (login, signup, file upload), your IP address is temporarily processed by our backend infrastructure solely for rate limiting and abuse prevention.
How we handle IP data: IP addresses are processed in-memory as short-lived records on a rolling 15-minute window. We do not log them to long-term storage, do not associate them with your identity, and do not use them for analytics, advertising, or profiling of any kind.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — proportionate security measure with minimal privacy impact.
When you submit our contact form, we collect your name, email address, subject, and message. This data is encrypted at rest (AES-256) and used only to respond to your enquiry.
Legal basis: Consent (Art. 6(1)(a) GDPR) and legitimate interests in responding to enquiries (Art. 6(1)(f)).
We log anonymised download counts (platform type only: Windows/macOS/Linux) when you download the application. No personally identifiable information is recorded.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — understanding platform usage to guide development decisions.
When you interact with our cookie banner, we store your consent choice, timestamp, and browser user-agent string in your browser's localStorage under the keys vv_cookie_consent, vv_cookie_functional, and vv_consent_log. This record is local to your browser — it is not transmitted to our servers.
Legal basis: Legal obligation (Art. 6(1)(c) GDPR) — maintaining consent records is required under the ePrivacy Directive / GDPR.
We may collect anonymised error logs to maintain security and improve performance. This data does not identify you personally and is not linked to your account.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
We use cookies and similar technologies. No functional cookies or third-party resources are loaded until you give explicit consent via our cookie banner on the website. For full details of every cookie, storage mechanism, and technology used, see our Cookie Policy.
| Service | Provider | Purpose | Category | Privacy Policy |
|---|---|---|---|---|
| Session tokens (auth) | Supabase Inc. (USA) | Keeps you logged in; stores access & refresh tokens in localStorage. The Supabase auth API is core infrastructure — loaded regardless of cookie preference. | Necessary | supabase.com/privacy |
| Resend | Resend Inc. (USA) | Server-side delivery of transactional emails (OTP codes, password reset, signup confirmation). No browser-side request — triggered only by account actions you initiate. | Necessary (server-side) | resend.com/privacy |
| HuggingFace Spaces | HuggingFace Inc. (USA) | Hosts our secure API proxy. All requests from the website and desktop app route through this proxy. Your IP is processed ephemerally for rate limiting only. | Necessary (server-side) | huggingface.co/privacy |
| Google Fonts | Google LLC (USA) | Loads Share Tech Mono, Bebas Neue & DM Sans typefaces from Google servers. Not loaded until functional consent is given — system fonts used as fallback. | Functional (consent required) | policies.google.com/privacy |
| jsDelivr CDN | Prospect One (EU/Poland) | Delivers the Supabase JS authentication SDK from a CDN. Loaded with functional consent. If rejected, the Supabase SDK is still loaded via jsDelivr as it is necessary for auth — only Google Fonts are fully blocked. | Functional (consent required) / Necessary for auth SDK | jsdelivr.com/privacy |
We use no analytics trackers (no Google Analytics, Hotjar, Meta Pixel, etc.), no advertising cookies, and no cross-site tracking.
Your vault content is protected using AES-256-Fernet encryption. Keys are derived from your password via PBKDF2-HMAC-SHA256 (100,000 iterations) and never transmitted to or stored on our servers. All data in transit is protected by TLS 1.2+. As a zero-knowledge service, if you lose both your password and recovery code, we are mathematically unable to recover your data.
We do not sell, rent, or trade your personal data. The following third parties may have access to limited personal data as described:
| Third Party | Data Shared | Purpose | Location | Safeguards |
|---|---|---|---|---|
| Supabase Inc. | Email, username, encrypted vault ciphertext, session tokens | Database, authentication, and storage infrastructure | USA / EEA | Standard Contractual Clauses; privacy policy |
| HuggingFace Inc. | IP address (ephemeral, rate limiting only), API request payloads | Secure API proxy between the desktop app and our backend | USA | Standard Contractual Clauses; privacy policy |
| Resend Inc. | Email address | Delivery of transactional emails (OTP, password reset) | USA | Standard Contractual Clauses; privacy policy |
| Google LLC | IP address, browser info (via font request) | Serving Google Fonts — only loaded with functional consent | USA | Standard Contractual Clauses; privacy policy |
| Prospect One (jsDelivr) | IP address, browser info (via CDN request) | Delivering Supabase JS SDK — only loaded with functional consent | EU (Poland) | EU-based entity; privacy policy |
No other third parties have access to your personal data. We do not use any advertising networks, analytics platforms, or data brokers.
Under the GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, contact us at security@vantagevault.dev. We will respond within 30 days.
When you interact with our cookie banner, we record your consent decision locally in your browser's localStorage. This record includes: your choice (accept / reject / custom), your functional cookie preference, a timestamp (ISO 8601), browser user-agent string, and policy version number.
This record is stored under vv_consent_log and is not transmitted to our servers. The last 5 consent events are retained locally; older records are overwritten automatically.
To withdraw consent or change your cookie preferences at any time, click the 🍪 icon in the bottom-left corner of our website, or clear localStorage for vantagevault.dev in your browser settings.
You can delete your account at any time from Account Settings in the app, or by contacting us. Upon deletion, all account metadata and encrypted vault contents are permanently purged from active databases within 30 days. Backups are purged within 90 days.
VantageVault is not intended for users under the age of 16 (per Dutch AVG / GDPR standards). We do not knowingly collect information from children. If we become aware that a user is under 16, we will delete their account and associated data promptly.
We may update this Privacy Policy to reflect changes in law or our Service. Where changes are material, we will notify users by email or via an in-app notice. Continued use after the effective date constitutes acceptance of the revised policy.