Privacy Policy
Last updated: June 4, 2026 · Version 1.1
1. Data controller
Vendor Vault is operated by sanvil, an individual developer. For any privacy-related matter, contact us at [email protected].
2. Data we collect
2.1 Free tier (offline-only)
In Free mode no data is sent to external servers. All content (product catalog, sales, photos, cash sessions, trade-ins) stays exclusively on your device, in the app's local SQLite database.
2.2 Pro tier (with account)
To enable Pro features (multi-device sync, cloud backup, analytics) we ask you to create an account with email + password. The data we collect:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address | Account, password recovery, service communications | Contract performance (GDPR art. 6.1.b) | While the account is active |
| Password (hash) | Authentication | Contract performance | While the account is active |
| Product catalog, sales, trade-ins, sessions | Sync across your devices | Contract performance | While the account is active or until deletion is requested |
| Product / trade-in photos | Sync across your devices | Contract performance | While the account is active (Free downgrade → permanent cloud retention) |
| Pro purchase receipt (Apple/Google/Stripe) | Active subscription verification, fraud prevention | Contract performance + legal obligation | 10 years (tax obligation) |
| IP address (request log) | Security, anti-abuse | Legitimate interest (GDPR art. 6.1.f) | 30 days |
2.3 Mobile app — usage analytics & crash reporting
The mobile app integrates Firebase Analytics for aggregate product usage measurement (e.g. which features are used most). It is active by default on the basis of our legitimate interest (GDPR art. 6.1.f — improving product stability and quality), and you can turn it off at any time in Settings → Privacy / consents ("Anonymous analytics"). Data is anonymized/pseudonymized. On Android we explicitly remove the com.google.android.gms.permission.AD_ID permission (declared as tools:node="remove" in the manifest): we do not use the advertising ID, and Firebase first-open attribution works without it. We do not show in-app ads and do not target you with personalized advertising. On iOS we use Firebase/AnalyticsWithoutAdIdSupport: no IDFA tracking, no App Tracking Transparency prompt.
For crash diagnostics we integrate Sentry (EU region, Frankfurt). Same model: active by default on the basis of legitimate interest, with a separate toggle in Settings → Privacy / consents ("Crash reports") to turn it off at any time. We strip personal identifiers (event.user, request headers, cookies) via beforeSend.
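As an added example (not Vendor Vault's own code), a JavaScript beforeSend hook of the kind described above, which drops event.user, request headers and cookies before Sentry uploads an event; the sample event, the field names kept for triage and the Sentry.init wiring are assumptions.

```javascript
// Added example: a Sentry beforeSend hook that removes the personal
// identifiers the policy lists (event.user, request headers, cookies)
// before a crash event leaves the device. Field names follow the Sentry
// event schema; the sample event below is constructed for illustration.

// Request sub-fields that must never reach the crash-reporting backend.
const DROPPED_REQUEST_KEYS = ["headers", "cookies"];

function scrubEvent(event, _hint) {
  // Shallow copy so the caller's event object is left untouched.
  const scrubbed = { ...event };

  // 1. Drop the whole user block (id, email, username, ip_address).
  delete scrubbed.user;

  // 2. Strip headers and cookies but keep url/method, which help triage
  //    and carry no identifier by themselves.
  if (scrubbed.request && typeof scrubbed.request === "object") {
    const request = { ...scrubbed.request };
    for (const key of DROPPED_REQUEST_KEYS) delete request[key];
    scrubbed.request = request;
  }
  return scrubbed; // returning null would drop the event entirely
}

// Guard used to verify that a scrubbed event carries none of the fields above.
function containsIdentifiers(event) {
  return Boolean(
    event.user ||
      (event.request && (event.request.headers || event.request.cookies))
  );
}

// Assumed wiring: Sentry.init({ dsn: "<DSN placeholder>", ...sentryOptions })
const sentryOptions = { beforeSend: scrubEvent };

// Constructed sample of an unscrubbed event.
const SAMPLE_EVENT = {
  event_id: "constructed-0001",
  message: "Sync failed: HTTP 500",
  user: { id: "vendor-uuid-constructed", email: "alice@example.com" },
  request: {
    url: "https://example.invalid/sync",
    method: "POST",
    headers: { Authorization: "Bearer constructed-token" },
    cookies: { session: "constructed-session" },
  },
  tags: { tier: "pro" },
};
```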
We do NOT collect: name, address, phone number, contacts, background camera/microphone access. We do not run any other analytics or advertising SDK (no PostHog, Plausible, AppsFlyer, AdMob, etc.).
Location — Tap-to-Pay only: when you use Tap-to-Pay to accept in-person contactless card payments, the app requests location permission because Stripe Terminal requires it for transaction security and fraud prevention (a payment-network/EMV requirement). Location is accessed only at the moment of an in-person payment, is processed by Stripe as part of the payment, and is never used for tracking, profiling, advertising, or any other purpose. If you never use Tap-to-Pay, location is never accessed.
2.4 Cross-device sync coverage (Pro tier)
When you enable Pro and sign in with email, the following data syncs across your devices via our managed Postgres database (EU Frankfurt). Each row carries your vendor_id (your account UUID) and is row-level isolated server-side — no other Pro user can read your data.
| Data | Synced | Notes |
|---|---|---|
| Product catalog (name, price, photos metadata) | Yes | Photo binaries on managed object storage (EU), accessed via short-lived signed URLs |
| Sales + sale lines | Yes | Including QR receipt URL if generated |
| Trade-ins | Yes | Customer name optional, signature stored as raster image |
| Cashiers (Pro multi-user) | Yes | PIN bcrypt hash only, never plaintext |
| Consignors + consignment batches | Yes | Third-party (C2C) item management |
| Events / fairs + event expenses | Yes | Used for ROI analytics |
| Wanted items (buy list) | Yes | |
| Checklist templates + runs | Yes | |
| Payment methods (PayPal / IBAN / Satispay links) | Yes | |
| Cash movements (petty cash log) | Yes | |
| My Contact (vCard identities) | Yes | Pro-only since v0.4.0 |
| Cash sessions | No — local-only by design | Tied to the specific device opening / closing the register |
| Parked sales (in-progress carts) | No — local-only by design | Ephemeral state; syncing would create cross-device confusion |
Free tier (no account): nothing leaves your device. All data is stored locally in SQLite.
3. Sub-processors
To deliver the Pro service we rely on:
| Service | Purpose | Data location |
|---|---|---|
| Supabase (Supabase Inc.) | Managed Postgres database, authentication, realtime sync, backup storage | EU (Frankfurt, Germany) |
| Cloudflare, Inc. (R2 + Pages) | Product photo storage (R2), marketing site & CDN hosting | EU / Global edge |
| Apple Inc. | App Store distribution, iOS IAP | USA |
| Google LLC | Play Store distribution, Android IAP, Analytics 4 | USA |
| Stripe, Inc. | Pro web payments | USA (with GDPR SCCs) |
| Stripe Connect + Terminal (NFC) | Acquiring — in-person card payments via Tap-to-Pay (activated only when the merchant uses this feature) | Ireland (EU + UK), USA (Stripe Inc., with GDPR SCCs) |
| eBay Inc. | Publishing listings to the eBay marketplace via your own OAuth connection (data sent: product title, price, attributes). Activated only when you connect an eBay account and publish a listing. | USA |
| Google LLC (Sheets / Drive API) | Exporting your consignment catalog to a Google Sheet you own, via your own OAuth connection (scopes spreadsheets + drive.file). Activated only when you connect Google Sheets export. Distinct from Google Play / Analytics above. | USA |
An up-to-date list of named sub-processors is available on request via [email protected].
4. Photos and images
Photos you take or upload in the app:
- Free: stay only on your device (max 1 photo per product).
- Pro: are uploaded to a private encrypted object storage tied to your account, for multi-device sync. Max 5 photos per product. Photos are accessible via non-indexed URLs (security by obscurity via UUID in the path) — they are not publicly searchable.
We do not analyze, tag, or automatically classify your photos.
5. Cookies and trackers
The mobile app does not use cookies. The webapp (vendor-vault.app/app) uses only technical localStorage and IndexedDB for functionality (local DB, user settings). No tracking or profiling cookies.
The marketing landing page at vendor-vault.app uses Google Analytics 4 to measure aggregate visit traffic and Google Consent Mode v2 for ad measurement and remarketing audiences (so we can run paid campaigns and attribute conversions). IP anonymization is enabled. Tracking starts only after you click Accept in the cookie banner; if you click Reject, no analytics cookies are set, no events are sent, and you are not added to any remarketing list. The mobile app uses Firebase Analytics + Sentry as documented above (Section 2.3) — both active by default on the basis of legitimate interest and switchable off at any time in Settings.
6. Your rights (GDPR)
As an EU user you have the right to:
- Access your data: use the "Export JSON" feature in Settings.
- Rectify inaccurate data: directly from the app.
- Erase your data ("right to be forgotten"): write to [email protected] or use the "Delete account" feature (coming soon).
- Restrict processing: write to support.
- Portability: the JSON export is structured and portable.
- Object to processing based on legitimate interest: write to support.
- Lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) or your local supervisory authority.
7. Security
All client-server communications are encrypted with TLS 1.3. Passwords are hashed with bcrypt. Data is stored encrypted at rest on EU cloud providers. Data of different user accounts is never shared (per-vendor row-level isolation).
8. Minors
Vendor Vault is not intended for children under 16. We do not knowingly collect data from minors.
9. Changes
We will update this policy when necessary. Significant changes will be notified via email (Pro) or on app startup (Free + Pro). The last update date is at the top of this page.
10. Contact
Email: [email protected]