Vault-Budget

Privacy policy

Last updated · May 25, 2026

This policy is shorter than average because we collect much less data than average. Vault-Budget is built zero-knowledge : your transactions, balances, labels and attachments are encrypted on your device before any upload. Our servers store cryptographic noise we cannot read.

What we collect

  • Account : your email address, a bcrypt hash of your password, your language preference
  • Subscription : Stripe customer identifier, current plan, invoices (handled by Stripe)
  • Encrypted vault blobs that we cannot decrypt
  • Encrypted sync deltas (Vault+ and above, optional)
  • Argon2id salt and keyCheck (16 bytes) to allow multi-device unlock
  • Server logs (IP address, user-agent) kept for 30 days for security and diagnostics
  • Contact messages you send via the /contact form or from inside the app (subject, body, type)
  • Reply-to email on the contact form (ONLY if you explicitly checked the dedicated box — deleted automatically after resolution)
  • Feature requests and suggestions submitted from the app (title, description) — read by our team so we can reply
  • B2B shared-signature metadata (Pro): consent text shown to the signer, recipient email/name hint if provided, signer IP and user-agent at signing time — required to give the e-signature its legal evidentiary value

What we never collect

  • Your transactions, amounts, labels or bank accounts
  • Your receipts or attachments in plaintext
  • Your categories, budgets, goals or simulations
  • Your contacts, your relationships, your address book
  • No data is shared, sold or transferred to any third party

Legal basis

We process your data on two grounds : performance of the service contract (authentication, billing, vault delivery) and legitimate interest (service security, logs, fraud prevention).

Your rights

You hold the rights of access, rectification, erasure, portability and objection. Full account export and permanent deletion are automated from the Security page in your account area. You may also lodge a complaint with the CNIL or your local data protection authority.

Retention periods

  • Active account : for as long as your subscription is running
  • Server logs : 30 days
  • Account deletion : 30-day grace period, then permanent erasure
  • Stripe invoices : 10 years (French legal obligation)
  • Contact messages: sender email kept only while we handle your message, automatically deleted 30 days after resolution. The message itself is soft-deleted 180 days after archiving.

Transfers outside the EU

Core infrastructure is hosted inside the European Union. Stripe processes payments from the United States under the Data Privacy Framework and Standard Contractual Clauses approved by the European Commission.

Sub-processors

  • Stripe Inc. : payment processing and billing
  • Amazon Web Services (S3) : encrypted attachment storage
  • Hetzner Online GmbH : application server hosting (Germany)
  • European Central Bank : public exchange rates (read-only)
  • CoinGecko : public crypto quotes (read-only)

Contact us

For any question about your personal data, reach out at the address below. We respond within 30 days at most.

privacy@vault-budget.com
Back to home