Privacy Policy
This Privacy Policy explains what personal information Vault & Value (the App, we, us) collects from you, how it is used, who it is shared with, and what choices you have. It is written in plain English. If a section conflicts with applicable law in your jurisdiction, Bahraini law takes precedence.
1. Who we are
Vault & Value is an iOS application that helps you estimate fair prices for jewelry, watches, and bullion, save those items into a personal collection, and track their value over time.
The App is operated by Mansoor Al Buhmaid. You can contact us at support@vaultandvalue.app.
2. What we collect
We collect only the data needed to provide the App's features. Specifically:
| Category | Examples | Why |
|---|---|---|
| Account identifiers | Apple Sign In ID, email, display name, Supabase user ID | To create and authenticate your account |
| Item content | Item title, category, seller name, salesperson, purchase date, prices, weights, materials, custom notes | To populate your personal collection |
| Photos | Item photos and invoice photos you upload | To attach visuals to your saved items |
| Price alerts | Materials, target prices, currencies | To notify you when a target is reached |
| Price alert history | Record of alerts that fired (target price, actual price at trigger, currency, timestamp) | To deliver push and email notifications, to track delivery success, and to power a future in-app alert history view |
| Sharing data | Recipient emails, share permissions, accept/decline status | To enable collection and item sharing with people you invite |
| Subscription state | Subscription tier, expiry date, auto-renew flag | To enforce Free vs Plus feature gates and warn you before expiry |
| Device tokens | Apple Push Notification token | To send price-alert and subscription-expiry notifications to your device |
We do not collect: location, contacts, browsing history, microphone audio, advertising identifiers, or biometric data. Face ID is processed entirely on your device by iOS — we never see your face data.
Sign in with Apple
When you choose Sign in with Apple, Apple shares a stable user identifier with us, along with your name and email address — or a private relay email address (an @privaterelay.appleid.com alias that forwards to your real address) if you chose that option in the Apple sign-in sheet. We use this information only to create and authenticate your account and to send the transactional emails described in Section 3. We never receive your Apple ID password. If you revoke the Sign in with Apple link from iOS Settings → [Your Name] → Sign-In & Security → Sign in with Apple → Vault & Value → Stop Using Apple ID, we lose the ability to authenticate you under that identifier.
Sign in with Google
When you choose Sign in with Google, Google shares your name, email address, profile picture URL, and a stable Google account identifier with us. We use this information only to create and authenticate your account and to send the transactional emails described in Section 3. We never receive your Google account password. You can review and revoke Vault & Value's access at any time at myaccount.google.com/permissions.
3. How we use your information
- Provide the service. Show your saved items, run price estimates, fetch live and historical material prices, send notifications.
- Authenticate you. Sign in with Apple is the primary authentication method. Your Apple ID identifier is exchanged with Supabase Auth to create a server-side session.
- Sync across devices. If you sign in on a new device, your collection appears.
- Communicate with you. Optional emails for support requests you initiate. Transactional push notifications and transactional emails for price alerts, share invitations, and subscription expiry (sent to the email tied to your account when an alert you set fires). We do not send marketing email or push notifications unless you opt in.
We never sell your personal information. We never use your saved items, photos, or invoices for advertising. The App is and will remain ad-free.
4. Third-party service providers
We use the following providers to operate the App. Each is contractually bound to handle your data only on our behalf:
- Supabase Inc. — backend database, file storage, and authentication. Stores your account, items, photos, invoices, price alerts, and shares. supabase.com/privacy
- Apple Inc. — Sign in with Apple, push notifications via APNs, App Store transactions, App Store Server Notifications. apple.com/legal/privacy
- Google LLC — Google Sign In (alternative login method) and Firebase Crashlytics for crash reporting and error tracking. If the App encounters an unhandled error in production, a stack trace, device model, iOS version, app version, and the most recent in-app actions ("breadcrumbs" — short non-sensitive labels like "opened item detail" or "save failed") are sent to Firebase Crashlytics so we can diagnose and fix it. A per-install random identifier (Crashlytics Installation UUID, regenerated when you reinstall the App) is included so we can group crashes from the same device. Firebase Crashlytics does NOT receive your saved items, photos, invoices, payment details, or sign-in credentials. You can opt out at any time via Profile → Privacy → Crash Reporting. policies.google.com/privacy · firebase.google.com/support/privacy
- Resend Inc. — transactional email delivery (used to email share invitations to recipients and to email you when your own price alerts fire). Receives the recipient email address plus the alert / invitation body content. resend.com/legal/privacy-policy
- Cloudflare Inc. — DNS, CDN, and email forwarding for our domain. cloudflare.com/privacypolicy
We do NOT share your data with data brokers, advertisers, or analytics partners outside what is listed above.
5. Where your data is stored
Your data is stored in Supabase's cloud infrastructure. The default region for our project is Seoul (ap-northeast-2). Data may transit through other regions during routine operations. Supabase data centers are SOC 2 Type II certified.
6. Security
We use industry-standard security measures:
- Transport security. All connections to our servers use HTTPS / TLS 1.2+.
- Database access controls. Supabase Row-Level Security restricts every query to your own user identifier.
- Storage access controls. Item photos and invoice photos are stored in private buckets accessible only to authenticated users for their own data.
- Local encryption. iOS protects your account credentials in the device Keychain.
No system is perfectly secure. If we discover a breach affecting your data, we will notify you within the timeframes required by applicable law.
7. Your rights
You can:
- Access your data — your collection, photos, invoices, and price alerts are visible in the App at any time.
- Edit your data — every saved field is editable inside the App.
- Delete your data — Profile → Delete Account performs a complete deletion of your account, items, photos, invoices, alerts, and shares. The deletion is irreversible.
- Export your data (coming in a future release) — request a copy by emailing support@vaultandvalue.app.
- Withdraw consent — by deleting your account.
If you reside in the EU/UK, you also have rights under GDPR including data portability and the right to lodge a complaint with your supervisory authority. If you reside in California, CCPA grants additional rights including the right to know what personal information we sell (we do not sell personal information).
To exercise any right, email support@vaultandvalue.app with your account email. We will respond within 30 days.
8. Subscription downgrade and grace period
If you subscribe to Vault & Value Plus and your subscription later ends, content beyond the Free tier's limits (more than 5 saved items, more than 1 item photo, more than 1 invoice photo, more than 1 material alert and 1 item alert) is trimmed automatically. Trimmed content is soft-deleted on our servers for a 30-day grace period, during which you can re-subscribe and have it fully restored. After 30 days the trimmed content and its associated photo files are permanently deleted from our servers.
9. How long we keep your data
We keep different categories of data for different lengths of time:
- Active-account data (saved items, photos, invoices, price alerts, share invitations) — kept as long as your account exists. You can edit or delete any of it at any time inside the App.
- Trimmed-by-downgrade content — kept for 30 days after Plus ends, then permanently deleted (see Section 8).
- Account deletion (Profile → Delete Account) — your account row, items, photos, invoices, price alerts, alert history, share invitations, and push tokens are deleted from our servers immediately. The Sign in with Apple link is also revoked at deletion time so the App cannot re-authenticate you under the same identifier.
- Price alert history — kept while the parent alert exists; deleted automatically when you delete the alert, and deleted with your account on account deletion.
- Subscription state — kept while your account exists; deleted with your account. Apple separately retains transaction records on their side per Apple's own policies, which we do not control.
- Server-side logs (HTTP request logs, error traces, push-delivery status) — retained by our backend providers (Supabase, Apple, Resend, Cloudflare) per each provider's standard policy (typically 7 to 30 days). We do not extract or persist these logs ourselves.
We may retain a minimal record of an account's existence (anonymised user ID and deletion timestamp) for up to 12 months after deletion solely for fraud prevention and to honour legal obligations. This record contains no items, photos, content, or contact details.
10. Children
The App is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided personal information to the App, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via in-app notice or email. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Questions about your privacy or this policy:
Email: support@vaultandvalue.app