Privacy Policy

Last updated: May 2, 2026 · Version 1.0

In short: Vendor Vault is a privacy-first app for managing collectibles trade fair booths. The Free tier runs entirely offline and never sends any data to external servers. The Pro tier requires email registration for multi-device sync and cloud backup, but even then we never share your data with third parties or use it for advertising or profiling.

1. Data controller

Vendor Vault is operated by sanvil, an individual developer. For any privacy-related matter, contact us at [email protected].

2. Data we collect

2.1 Free tier (offline-only)

In Free mode no data is sent to external servers. All content (product catalog, sales, photos, cash sessions, trade-ins) stays exclusively on your device, in the app's local SQLite database.

2.2 Pro tier (with account)

To enable Pro features (multi-device sync, cloud backup, analytics) we ask you to create an account with email + password. The data we collect:

Data	Purpose	Legal basis	Retention
Email	Account, password recovery, service communications	Contract performance (GDPR art. 6.1.b)	While the account is active
Password (hash)	Authentication	Contract performance	While the account is active
Product catalog, sales, trade-ins, sessions	Sync across your devices	Contract performance	While the account is active or until deletion is requested
Product / trade-in photos	Sync across your devices	Contract performance	While the account is active (Free downgrade → permanent cloud retention)
Pro purchase receipt (Apple/Google/Stripe)	Active subscription verification, fraud prevention	Contract performance + legal obligation	10 years (tax obligation)
IP address (request log)	Security, anti-abuse	Legitimate interest (GDPR art. 6.1.f)	30 days

We do NOT collect: usage telemetry (no Google Analytics, Firebase, PostHog, Plausible, etc.), name, address, phone number, geolocation data, contacts, background camera/microphone access.

3. Sub-processors

To deliver the Pro service we rely on:

Provider	Service	Data location
Supabase Inc.	Database, authentication, backup storage	EU (Frankfurt)
Cloudflare Inc.	Photo storage (R2), DNS, webapp hosting	EU/Global
Apple Inc.	App Store distribution, iOS IAP	USA
Google LLC	Play Store distribution, Android IAP	USA
Stripe, Inc.	Pro web payments	USA (with GDPR SCCs)

4. Photos and images

Photos you take or upload in the app:

Free: stay only on your device (max 1 photo per product).
Pro: are uploaded to Cloudflare R2 (private storage tied to your account) for multi-device sync. Max 5 photos per product. Photos are accessible via non-indexed public URLs (security by obscurity via UUID in the path) — they are not publicly searchable.

We do not analyze, tag, or automatically classify your photos.

5. Cookies and trackers

The mobile app does not use cookies. The webapp (vendor-vault.app/app) uses only technical localStorage and IndexedDB for functionality (Drift local DB, user settings). No tracking or profiling cookies.

6. Your rights (GDPR)

As an EU user you have the right to:

Access your data: use the "Export JSON" feature in Settings.
Rectify inaccurate data: directly from the app.
Erase your data ("right to be forgotten"): write to [email protected] or use the "Delete account" feature (coming soon).
Restrict processing: write to support.
Portability: the JSON export is structured and portable.
Object to processing based on legitimate interest: write to support.
Lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) or your local supervisory authority.

7. Security

End-to-end TLS 1.3 encrypted communications. Passwords hashed with bcrypt. Encrypted at-rest storage at Supabase + Cloudflare R2. No shared database between different user accounts (Row Level Security enabled).

8. Minors

Vendor Vault is not intended for children under 16. We do not knowingly collect data from minors.

9. Changes

We will update this policy when necessary. Significant changes will be notified via email (Pro) or on app startup (Free + Pro). The last update date is at the top of this page.

10. Contact

Email: [email protected]