This Privacy Policy explains how Vaulted LLC collects, uses, and shares your personal information when you use the Vaulted platform. We do not sell your personal data.
01 Information We Collect
We collect information you provide directly, information generated by your use of the Service, and limited information from third parties. The categories below describe what we collect and when.
1.1 Account and Identity
- Email address — required for account creation, verification, password resets, and transactional communications.
- Username — your public display name on the platform.
- Password — stored as a bcrypt hash. We never store or transmit your plaintext password.
- Date of birth — collected at registration for age verification. We require users to be at least 18 years old.
- Session tokens and email verification codes — short-lived tokens used to authenticate sessions and verify your email address.
- Password reset codes — short-lived 6-digit codes issued when you request a password reset.
- Accepted terms flag — a boolean recording that you accepted our Terms of Service at registration.
- Optional join reason — a free-text field you may optionally fill in during registration.
1.2 Profile Information
- Bio — optional free-text profile description.
- Profile picture — optional photo cropped to 256×256 pixels and stored in Cloudflare R2.
- Privacy setting — controls whether your profile is publicly visible or visible only to friends.
- App accent color and profile accent color — optional cosmetic colors selectable by Vault Pass subscribers.
1.3 Place and Location Data
- Place name, city, address, and description — provided when you submit a location.
- Latitude and longitude coordinates — used for map display and proximity search.
- Difficulty rating and condition updates — community-reported attributes attached to places.
- Place images — photos are automatically stripped of EXIF metadata (including GPS coordinates and device identifiers), compressed, converted to WebP format, and stored in Cloudflare R2.
1.4 User-Generated Content
- Comments — text content and optional attached images you post on place listings.
- Memories — personal journal entries including a title, description, date, optional image, and a link to a place.
1.5 Trust and Activity Data
- Trust score — a numeric value reflecting your community contribution level.
- Trust event history — a log of each event that changed your trust score, including the event type, point delta, optional note, and timestamp.
1.6 Social and Interaction Data
- Friend requests and friendships — stored as sender/recipient user ID pairs with status (pending, accepted, blocked).
- Place shares — records of places sent to or received from friends.
- Bookmarks — records of places you have saved.
1.7 Moderation Data
- Reports — when you file a report, we record the report type, reason, target, and your user ID.
- Strikes, warnings, bans, and admin notes — moderation actions taken on your account.
- Image safety ratings — automated SafeSearch scores (adult, violence, racy) returned by Google Cloud Vision, stored alongside each image in the moderation queue.
- Banned email list — email addresses associated with permanently banned accounts are retained to prevent ban evasion.
1.8 Push Notification Data
- Expo push token — a device token used to deliver push notifications to your device.
- Platform and registration timestamp — the device operating system and the time your push token was registered.
1.9 Subscription and Payment Data
- Subscription tier and expiry — whether you have an active Vault Pass subscription and when it expires.
- Founding member flag — whether your account has founding member status.
- Vault Pass credits balance — credits earned through the invite system.
- RevenueCat purchase events — subscription purchase, renewal, and expiration events received via webhook. We do not receive or store your payment card details.
1.10 Invite System Data
- Invite codes — the code string, its status (active, redeemed, revoked), the creator's user ID, the redeeming user's ID, and a flag indicating whether credits have been granted.
1.11 Email Management Data
- Email suppression list — email addresses that have bounced, resulted in spam complaints, or been manually unsubscribed, along with the suppression reason.
- HMAC-signed unsubscribe tokens — cryptographically signed tokens embedded in email footers that allow one-click unsubscription without requiring login.
1.12 Device and Local Storage
The Vaulted mobile app stores the following data locally on your device:
- Encrypted local storage (SecureStore): your user ID, username, and email address are stored in your device's secure encrypted storage.
- Standard local storage (AsyncStorage): non-sensitive preference flags such as your logged-in state, rules acceptance, and subscription tier.
1.13 Server Logs
Our servers generate operational logs that may include usernames, email addresses, place names, trust score deltas, and push tokens. These logs are used for debugging and operational monitoring and are not shared externally.
02 How We Use Your Information
We use the information we collect to:
- Provide and operate the Service — authenticate your account, display place listings, process content submissions, deliver notifications, and enable social features;
- Verify your identity and age — confirm you are at least 18 years old and that your email address is valid before activating your account;
- Calculate and maintain your trust score — record contribution events and reflect your standing within the community;
- Moderate content — review flagged images and reports to keep the platform safe and compliant with our policies;
- Send transactional emails — deliver account verification codes, password reset codes, moderation notices, and other essential account communications;
- Deliver push notifications — send in-app alerts about trust score changes, friend activity, moderation decisions, and account status updates;
- Process subscriptions — track your Vault Pass status, apply subscription benefits, and process credit redemptions;
- Prevent abuse — detect and block ban evasion, enforce rate limits, and investigate violations of our Terms of Service;
- Improve the Service — analyze aggregate usage patterns to identify bugs and improve features; and
- Comply with legal obligations — respond to lawful requests from law enforcement or regulatory authorities where required.
03 How We Share Your Information
We do not sell your personal data. We share your information only as described below.
3.1 Third-Party Service Providers
| Provider |
Purpose |
Data Sent |
| Google Cloud Vision |
Automated SafeSearch moderation of uploaded images |
Image URLs; receives back safety ratings (adult, violence, racy) |
| Amazon Web Services SES |
Transactional email delivery |
Recipient email address and message content; AWS sends bounce and complaint events back to us |
| Expo Push API |
Delivering push notifications to mobile devices |
Device push token and notification payload (title, body, data) |
| RevenueCat |
Subscription management and purchase validation |
Your user ID; RevenueCat sends purchase, renewal, and expiration events back to us |
| Cloudflare R2 |
Object storage for user-uploaded images |
Processed image files (EXIF-stripped WebP); no personal identifiers are embedded in stored files |
3.2 Other Users
Content you post publicly — place listings, comments, condition updates, and your public profile — is visible to other users in accordance with your privacy settings. Your email address is never displayed to other users.
3.3 Legal Requirements
We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of Vaulted LLC, prevent or investigate possible wrongdoing in connection with the Service, or protect the personal safety of users or the public.
3.4 Business Transfers
If Vaulted LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
04 Data Security
We take reasonable technical and organizational measures to protect your information against unauthorized access, loss, or disclosure. These measures include:
- Password hashing: passwords are hashed using bcrypt before storage. Plaintext passwords are never stored or logged.
- EXIF stripping: all uploaded images are processed to remove embedded metadata before storage, preventing inadvertent disclosure of GPS coordinates or device information.
- Device encryption: the mobile app stores your user ID, username, and email address in your device's encrypted secure storage (SecureStore), not in standard unencrypted local storage.
- Transport security: all data transmitted between the app and our servers uses HTTPS with HTTP Strict Transport Security (HSTS) enforced in production.
- Access controls: administrative endpoints are protected by separate authentication and are not accessible to regular users.
- Rate limiting: all API endpoints are rate-limited to mitigate brute-force and abuse attempts.
- Input sanitization: all user-supplied string inputs are sanitized to prevent injection attacks.
No security measure is perfect. If you believe your account has been compromised, contact us immediately at [email protected].
05 Data Retention
We retain your information for as long as your account is active and for a reasonable period afterward as needed for the purposes described in this policy.
- Active accounts: account data is retained until you delete your account.
- Deleted accounts: your profile, places, memories, and images are removed. Comments are anonymized rather than deleted to preserve community context. Push tokens are deleted at account deletion.
- Banned accounts: your email address is retained on a suppression list to prevent ban evasion. This record does not include your password, profile content, or other personal data.
- Email suppression list: bounce, complaint, and unsubscribe records are retained to honor your preferences and comply with email regulations.
- Server logs: operational logs are retained for a limited period for debugging and security purposes and then purged.
- Moderation records: reports, strikes, and moderation notes are removed upon account deletion, except where retention is required for legal purposes.
06 Your Rights and Choices
6.1 Account Deletion
You may delete your account at any time from the Settings screen within the Vaulted mobile app. Deletion removes your profile, places, memories, and images from the Service. This action is irreversible.
6.2 Data Export
You may request a copy of all personal data we hold about you — including your profile, places, comments, memories, trust history, and friendships — using the data export feature in the app's Settings screen. The export is delivered as a JSON file via your device's share sheet.
6.3 Email Preferences and Unsubscribing
Every marketing or non-essential email we send includes an unsubscribe link in the footer. Clicking the link uses a cryptographically signed token to immediately add your address to our suppression list without requiring you to log in. We may still send essential transactional emails (e.g., verification codes, password resets) even if you unsubscribe from other communications.
6.4 Profile Visibility
You may toggle your profile between public and private at any time in the Settings screen. Private profiles are only visible to your friends.
6.5 Updating Your Information
You may update your email address, username, and bio through the Settings screen. Email address changes take effect after re-verification of the new address.
6.6 Additional Rights
Depending on your jurisdiction, you may have additional rights regarding your personal information, such as the right to access, correct, or restrict processing of your data. To exercise any such rights, contact us at [email protected]. We will respond within a reasonable timeframe consistent with applicable law.
07 Children's Privacy
The Service is not directed at individuals under the age of 18. We require all users to be at least 18 years old and collect date of birth at registration to verify this requirement. We do not knowingly collect personal information from anyone under 18. If we become aware that we have inadvertently collected information from a person under 18, we will delete that information promptly. If you believe we have collected information from a minor, please contact us at [email protected].
08 Third-Party Links
The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party sites, and we are not responsible for their content or privacy practices. We encourage you to review the privacy policies of any third-party sites you visit.
09 Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where practicable, provide in-app or email notice before the changes take effect. Your continued use of the Service after the effective date of any updated policy constitutes your acceptance of the changes.
If you do not agree to the updated policy, you must stop using the Service and may delete your account as described in Section 6.1.
10 Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: