Privacy Policy

Last updated: 6 May 2026  ·  Effective: 6 May 2026

1. Who We Are

VaultTrack ("we", "us", "our") is a personal finance web application. We are the data controller for the personal data you provide when using the Service.

For privacy enquiries: [email protected]

2. What Data We Collect

2.1 Data you provide directly

Data	Why we collect it
Name & email address	Account creation, authentication, and support communication
Password (hashed)	Account security. We never store plain-text passwords
Budget data (income, expenses, categories)	Core app functionality — to show you your financial picture
Trading journal entries	P&L tracking and heatmap analytics
Mortgage and calculator inputs	To return calculation results — not stored beyond your session unless you save them
Financial journal entries	AI-assisted journaling feature

2.2 Data collected automatically

Data	Why we collect it
IP address	Security, fraud prevention, and rate limiting
Browser type & version	Ensuring compatibility and diagnosing technical issues
Pages visited & timestamps	Understanding usage patterns to improve the product
Session cookies	Keeping you logged in. See our Cookie Policy

2.3 OAuth login data

If you sign in with Google, we receive your name, email address, and profile picture from that provider. We do not receive your password. You can review what Google shares in your Google account settings.

3. How We Use Your Data

We use your data exclusively to:

• Provide, operate, and maintain the Service
• Authenticate you and keep your account secure
• Generate AI-powered insights from your budget data (processed via Groq — see Section 8)
• Send transactional emails (account confirmation, subscription receipts, trial expiry reminders)
• Respond to support requests
• Detect and prevent fraud, abuse, or security threats
• Comply with legal obligations

We do not use your data for advertising, profiling, or sale to third parties.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, our legal bases for processing are:

• Contract performance — processing necessary to provide the Service you signed up for
• Legitimate interests — security monitoring, fraud prevention, and product improvement
• Legal obligation — compliance with applicable laws (e.g. tax, accounting)
• Consent — for non-essential cookies (see our Cookie Policy)

5. Data Storage & Security

Your data is stored on servers located within the European Union. We implement the following security measures:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
• Encryption at rest: Your stored data is encrypted at the database level
• Password hashing: Passwords are hashed using bcrypt with a per-user salt — we cannot recover your password
• Access controls: Database access is restricted to a minimum of authorised systems and personnel
• Session security: Sessions are token-based with CSRF protection and automatic expiry

No security system is impenetrable. In the event of a data breach that affects your rights and freedoms, we will notify you within 72 hours of becoming aware, in compliance with GDPR Article 33.

6. Data Retention

We retain your data for as long as your account is active. When you delete your account:

• Your personal data and financial records are permanently deleted within 30 days
• Anonymised aggregated statistics (e.g. "X users this month") may be retained for analytics
• Billing records may be retained for up to 7 years for legal and tax compliance

You can request deletion at any time by emailing [email protected] or by deleting your account in settings.

7. Third Parties

We share data with the following trusted service providers, only to the extent necessary to operate the Service:

Provider	Purpose	Data shared
Google OAuth	Optional sign-in method	Name, email (if you choose Google login)
Groq	AI budget analysis	Your budget summary data (anonymised where possible)
Payment processor	Subscription billing	Payment card details (we never see or store full card numbers)
Cloud hosting provider	Server infrastructure	All app data, stored encrypted

We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.

8. AI Processing

VaultTrack uses Groq to generate budget analysis and spending insights. When you request an AI analysis:

• A summary of your budget data (income, expense totals, categories) is sent to Groq's API
• We minimise the data sent — no names, account numbers, or sensitive identifiers are included
• Groq processes data under its own privacy policy and does not retain inputs beyond the request
• AI-generated insights are stored in your account for your future reference

You may opt out of AI analysis by simply not using that feature. No data is sent to Groq unless you explicitly trigger an analysis.

9. Your Rights

Under GDPR and similar regulations, you have the following rights:

To exercise any of these rights, email [email protected]. We will respond within 30 days.

10. Children's Privacy

VaultTrack is not directed at children under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. We encourage you to review this page periodically.

12. Contact & Complaints

For privacy-related questions or to exercise your rights:

• Email: [email protected]
• Response time: within 5 business days (rights requests within 30 days)

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In Ireland, this is the Data Protection Commission (DPC).