This Privacy Policy explains how AGByte Labs B.V. (“AGByte Labs”, “we”, “us”, or “our”) collects, uses, stores, transfers, and protects personal data when you use Vaultable (“the App”, “the Service”). It applies to all users of the Vaultable mobile application and any associated services, regardless of how you access them.
We are committed to processing personal data responsibly, transparently, and in full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Dutch data protection law.
1. Who We Are
Vaultable is a product of:
AGByte Labs B.V.[PLACEHOLDER: Registered address — street, city, postal code, Netherlands]
Chamber of Commerce (KVK): [PLACEHOLDER: KVK number]
VAT: [PLACEHOLDER: BTW number]
AGByte Labs B.V. acts as the data controller for all personal data processed through Vaultable and its associated backend services.
2. Scope of This Policy
This policy applies to:
- All registered users of Vaultable, including workspace owners and workspace members invited by another user
- Visitors to our website at vaultable.app, to the extent applicable
- Any individual whose personal data is provided to us in connection with using the Service — for example, a person invited to join another user’s workspace
This policy does not apply to third-party services you may access through links within the App. We encourage you to review the privacy policies of any third parties you interact with.
3. What Personal Data We Collect
We collect only what is necessary to provide and improve the Service. The following describes the categories of personal data we process.
3.1 Account and Identity Data
When you create an account, we collect basic identity and authentication information — including your name, email address, and a securely stored representation of your password. We never store your password in plain text. If you add a profile photograph, we store that image.
If you sign in using a third-party provider such as Google, we receive from that provider only the identity information your account makes available — typically your name, email address, and profile image. We do not receive your third-party password.
3.2 Inventory and Documentation Data
The core purpose of Vaultable is to help you document your possessions. In the course of using the Service, you may voluntarily provide descriptive information about items you own — such as their names, categories, purchase details, estimated values, identification details, and condition notes. You may also optionally organise this information by location.
All inventory data is provided entirely at your discretion and is used solely to power the features you have chosen to use.
3.3 Insurance and Warranty Documentation Data
To enable specific features — such as coverage analysis and claim preparation tools — you may optionally provide details about your insurance or warranty arrangements, such as provider names, policy references, coverage values, and relevant dates.
3.4 Media and Document Attachments
When you attach files to your inventory records, we receive and store photographs and PDF documents uploaded by you as evidence of possession, proof of purchase, warranty records, or other supporting documentation.
All attachments are stored privately and are accessible only to authorised members of your workspace.
3.5 Device and Technical Data
To deliver push notification reminders, we register and store a push notification token associated with your account. We also record your device platform and last activity date for each registered device.
We do not collect device identifiers used for advertising, behavioural tracking, or device fingerprinting.
3.6 Operational and Security Log Data
We collect limited technical data for security, fraud prevention, and service reliability — including IP addresses used for rate limiting and abuse detection, and anonymised request metadata used to monitor service health and diagnose errors. Sensitive values — including passwords, authentication tokens, and personal content — are automatically redacted from all logs before storage.
3.7 Subscription and Billing Data
We do not process your payment card details. Payments are handled entirely by Apple or Google through our subscription management provider. From these providers we receive only the information necessary to determine your subscription status and which features you may access. No financial account data is stored by us.
3.8 Support Communications
When you contact us for support, we retain your email address and the content of your communication, used solely to respond to and resolve your enquiry.
3.9 Analytics and Tracking Data
Depending on the consent choices you make in the App’s privacy preference settings, we may collect analytics or tracking data as described in Section 12.
4. How We Collect Your Data
We collect personal data through the following means:
- Directly from you — when you create an account, enter information into the App, upload attachments, configure settings, or contact us for support
- Automatically — through technical mechanisms required to deliver the Service, such as device tokens registered at sign-in and operational logs
- From third parties — from authentication providers if you use third-party sign-in; from our subscription provider regarding your billing entitlement status; and from our email delivery provider regarding transactional message delivery
- Through analytics and tracking tools— only where you have provided consent through the App’s privacy preference centre (see Section 12)
5. Legal Bases for Processing (GDPR Article 6)
We rely on the following legal bases depending on the specific processing activity:
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Performance of contract (Art. 6(1)(b)) |
| Providing core app features and functionality | Performance of contract (Art. 6(1)(b)) |
| Sending transactional messages (email verification, password reset, invitations) | Performance of contract (Art. 6(1)(b)) |
| Delivering push notification reminders | Performance of contract / Legitimate interest (Art. 6(1)(b) / (f)) |
| Processing subscription and entitlement status | Performance of contract (Art. 6(1)(b)) |
| Security monitoring, fraud prevention, and rate limiting | Legitimate interest (Art. 6(1)(f)) |
| Service reliability, error tracking, and debugging | Legitimate interest (Art. 6(1)(f)) |
| Compliance with applicable legal obligations | Legal obligation (Art. 6(1)(c)) |
| Analytics and tracking (where applicable) | Consent (Art. 6(1)(a)) |
| Future marketing communications | Consent (Art. 6(1)(a)) |
Where we rely on legitimate interests, we have assessed that those interests do not override your fundamental rights and freedoms. You have the right to object — see Section 10.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
6. How We Use Your Data
We use personal data exclusively for the following purposes:
Delivering the Service
Providing, maintaining, and personalising Vaultable’s features — including account management, inventory documentation, coverage analysis, claim preparation exports, and reminder notifications.
Security and Account Integrity
Verifying identity, preventing unauthorised access, detecting and responding to abuse, and enforcing our Terms of Use.
Team and Collaboration Features
Processing workspace invitations, managing team memberships and access rights, and maintaining collaborative activity records where applicable to your subscription.
Service Communications
Sending transactional messages required for you to use the Service, including verification emails, subscription status changes, and security alerts.
Customer Support
Responding to and resolving support enquiries you submit to us.
Service Improvement
Where you have consented, analysing usage data to identify usability issues, prioritise new features, and improve the overall experience.
Legal and Regulatory Compliance
Retaining records as required by applicable Dutch and EU law, and responding to lawful requests from regulatory authorities.
- Targeted advertising or behavioural profiling for advertising purposes (except where you have explicitly opted in to the relevant tracking tools)
- Sale, rental, or licence to any third party
- Insurance underwriting, credit assessment, or any financial scoring
- Automated decision-making that produces legal or similarly significant effects without human review
7. Data Sharing and Third-Party Processors
We share data only with the following categories of sub-processors, who act strictly under our instructions and are bound by data processing agreements that meet GDPR requirements:
7.1 Infrastructure and Storage
| Provider | Role | Location |
|---|---|---|
| Cloudflare, Inc. | File storage, edge network delivery, serverless compute | USA (SCCs) |
| MongoDB, Inc. | Database hosting | [PLACEHOLDER: EU region preferred — confirm Atlas cluster] |
7.2 Authentication and Notifications
| Provider | Role | Location |
|---|---|---|
| Google LLC (Firebase) | Push notification delivery | USA (SCCs) |
| Google LLC (OAuth) | Third-party sign-in (if used) | USA (SCCs) |
7.3 Billing and Subscriptions
| Provider | Role | Location |
|---|---|---|
| RevenueCat, Inc. | Subscription management and entitlement | USA (SCCs) |
| Apple Inc. | iOS in-app purchase processing | USA |
| Google LLC | Android in-app purchase processing | USA |
| Stripe, Inc. (future — web billing) | Payment processing | USA (SCCs) |
7.4 Email Delivery
| Provider | Role | Location |
|---|---|---|
| [PLACEHOLDER: e.g. Postmark / Resend / SendGrid] | Transactional email delivery | [PLACEHOLDER] |
7.5 Analytics and Tracking
Depending on your consent choices, data may be shared with analytics and tracking providers as described in Section 12.
7.6 Legal and Regulatory Disclosure
We may disclose personal data to courts, regulators, or other public authorities where required by applicable law or a binding legal order. Where permitted by law, we will notify you prior to making such a disclosure.
7.7 Business Transfers
If AGByte Labs B.V. is involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. We will notify you by email and/or in-app notice and will ensure any successor entity is bound by privacy obligations no less protective than this policy.
7.8 Workspace Members
If you are a workspace owner, the members you invite can view and interact with shared workspace content. If you are a member, the workspace owner can see all content contributed to that workspace, including content you add. By accepting a workspace invitation, you acknowledge this shared access model.
8. International Data Transfers
AGByte Labs B.V. is established in the Netherlands and processes data within the European Union. Several of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States.
Where we transfer personal data outside the EEA, we do so only under one of the following safeguards:
- An adequacy decision by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with the relevant processor
- Other appropriate safeguards permitted under Chapter V of the GDPR
Our principal international transfers — to Cloudflare, Google, RevenueCat, and MongoDB — are governed by Standard Contractual Clauses. You may request copies of the applicable safeguards by contacting us at [PLACEHOLDER: [email protected]].
9. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law.
9.1 Active Accounts
All personal data associated with an active account is retained for the duration of your use of the Service.
9.2 After Account Deletion
When you delete your account:
- All associated personal data is immediately marked as pending deletion and becomes inaccessible.
- A 30-day grace period applies during which your data is preserved in case the deletion was accidental. You may restore your account within this period by contacting us.
- After 30 days, all data is permanently and irreversibly deleted from our systems, and deletion is instructed across our sub-processors.
If you are a workspace owner with active members, you must remove all members or transfer ownership before account deletion can proceed.
9.3 After Workspace Deletion
If a workspace is deleted by its owner, all associated workspace data is permanently deleted within 30 days. All members immediately lose access.
9.4 Specific Retention Periods
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of account + 30-day grace period |
| Inventory and documentation data | Duration of account + 30-day grace period |
| Operational and security logs | 30 days |
| Support communications | 2 years from resolution |
| Billing records | As required by Dutch financial record-keeping law (generally 7 years) |
| Push notification device tokens | Until revoked on sign-out or account deletion |
9.5 Anonymised Data
Anonymised and aggregated data from which no individual can be identified is not subject to these retention periods and may be retained for service improvement purposes.
10. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights, subject to applicable exemptions.
10.1 Right of Access (Article 15)
You may request a copy of all personal data we hold about you, along with information about how it is used, who it has been shared with, and the legal basis for processing.
10.2 Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data. Most information can be updated directly within the App.
10.3 Right to Erasure (Article 17)
You may request deletion of your personal data where it is no longer necessary or where you withdraw consent. The in-app account deletion feature initiates this process automatically.
10.4 Right to Restriction of Processing (Article 18)
You may request that we temporarily restrict processing of your data — for example, while we investigate a dispute about its accuracy.
10.5 Right to Data Portability (Article 20)
You may request your personal data in a structured, machine-readable format. Pro and Team subscribers can export data directly from within the App. Free plan users may submit a request to [PLACEHOLDER: [email protected]].
10.6 Right to Object (Article 21)
You may object to processing based on our legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds.
10.7 Automated Decision-Making (Article 22)
We do not engage in automated decision-making that produces legal or similarly significant effects on individuals. Any scoring or analytical features in the App are informational tools based entirely on data you provide.
10.8 Right to Withdraw Consent
Where processing is based on your consent — such as analytics or tracking — you may withdraw it at any time through the App’s privacy preference settings.
10.9 Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with the GDPR, you may lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)Prins Clauslaan 60, 2595 AJ Den Haag, Netherlands
autoriteitpersoonsgegevens.nl | +31 70 888 8500
You also have the right to complain to the supervisory authority in the EU member state where you habitually reside or work.
10.10 How to Exercise Your Rights
To exercise any right not available directly in-app, contact us at [PLACEHOLDER: [email protected]]. We will respond within 30 days. In complex cases, this may be extended by a further 60 days with notice provided within the initial period. We may verify your identity before processing your request.
11. Security
We implement technical and organisational security measures appropriate to the nature of the data we process.
11.1 Technical Safeguards
- Encryption in transit: All data transmitted between the App and our servers is protected by TLS encryption.
- Encryption at rest: Data stored in our database and file storage is encrypted at rest.
- Authentication security: We use short-lived authenticated sessions with rotating token mechanisms. All sessions are invalidated on sign-out.
- Private file access: Attachments are stored in a private, access-controlled environment and are never accessible via public URLs. Access is delivered through time-limited authenticated mechanisms that expire after use.
- Credential protection: Passwords are never stored in plain text. Authentication tokens, secrets, and personal content are automatically excluded from all operational logs.
- Abuse prevention: API endpoints are rate-limited and protected against common attack patterns. All inputs are validated before processing.
11.2 Organisational Safeguards
Access to production systems and user data is restricted to authorised personnel on a strict need-to-know basis. Third-party processors are assessed for security practices and bound by appropriate data processing agreements.
11.3 Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware, as required by GDPR Article 33. If the breach is likely to result in a high risk to you personally, we will notify you directly without undue delay under GDPR Article 34.
11.4 Your Responsibility
You are responsible for maintaining the confidentiality of your login credentials. Contact us immediately at [PLACEHOLDER: [email protected]] if you suspect unauthorised access to your account.
12. Analytics, Tracking and Cookie Preferences
12.1 Your Control
Vaultable gives you meaningful control over analytics and tracking. When you first open the App, and at any time through your privacy settings (Account → Settings → Privacy & Tracking), you can review and update your tracking preferences.
12.2 Strictly Necessary Processing
Certain processing is required to operate the Service — such as the technical mechanisms that authenticate your session and deliver push notifications. This is not subject to opt-out and is covered under the performance-of-contract legal basis described in Section 5.
12.3 Analytics and Performance (Optional — Requires Consent)
Where you consent, we may use analytics tools to collect information about how features within the App are used — such as which screens are visited and where errors occur. The purpose is to improve Vaultable’s usability and stability. We may use one or more of the following tools:
- Google Analytics (Google LLC, USA) — usage and behaviour analytics. Data processed in the USA under Standard Contractual Clauses. Privacy policy: policies.google.com/privacy
- Microsoft Clarity (Microsoft Corporation, USA) — session and interaction analytics. Data processed in the USA under Standard Contractual Clauses. Privacy policy: privacy.microsoft.com
- PostHog — product analytics. Depending on configuration, data may be processed in the EU or USA. Privacy policy: posthog.com/privacy
We configure analytics tools to minimise personal data collection. Where available, IP addresses are anonymised or truncated before being processed by these tools.
12.4 Marketing and Social Tracking (Optional — Requires Separate Consent)
Where you separately and explicitly consent, we may activate marketing measurement tools, which may include:
- Meta Pixel (Meta Platforms, Inc., USA) — used to measure the effectiveness of marketing campaigns and, where applicable, to enable interest-based advertising on Meta platforms including Facebook and Instagram. Data is transferred to Meta in the USA under Standard Contractual Clauses. This tool is only ever activated with your explicit, freely given, and informed consent. It can be disabled at any time through your privacy settings.
You should be aware that once data is transmitted to Meta, it is processed in accordance with Meta’s own data policy, which is independent of this policy. We recommend reviewing Meta’s data policy at facebook.com/privacy/policy before consenting to this tool.
We take a cautious approach to social and marketing tracking. Given the complexity of regulatory requirements — including decisions by EU data protection authorities regarding such tools — we will only activate these tools where we are satisfied that appropriate consent and transfer mechanisms are in place.
12.5 Managing Your Preferences
You can review and update your tracking preferences at any time at:
Account → Settings → Privacy & Tracking
Withdrawing consent causes the relevant tool to cease collecting data from that point forward. It does not affect data already collected and transmitted prior to withdrawal.
For questions about specific tools, contact us at [PLACEHOLDER: [email protected]].
13. Children’s Privacy
Vaultable is not directed at anyone under the age of 16. We do not knowingly collect personal data from individuals under 16.
If you are a parent or guardian and believe your child has provided personal data to us, contact us immediately at [PLACEHOLDER: [email protected]]. We will take prompt steps to delete the data.
If we become aware of inadvertent collection of personal data from a child under 16, we will delete it without undue delay.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features we offer.
For material changes, we will:
- Update the effective date at the top of this document
- Notify you by email and/or in-app notification
- Provide at least 30 days’ advance notice before the changes take effect
Your continued use of Vaultable after the effective date constitutes acknowledgement of the changes. If you do not agree, you may delete your account before the effective date.
Non-material changes — such as clarifications or corrections that do not affect your rights — may be made without advance notice.
15. Contact and Data Protection
For privacy questions, data rights requests, or concerns:
AGByte Labs B.V.[PLACEHOLDER: Registered address]
Email: [PLACEHOLDER: [email protected]]
AGByte Labs B.V. has not designated a formal Data Protection Officer, as it does not meet the mandatory thresholds under GDPR Article 37. Privacy matters are handled directly by the company at the address above.
We aim to respond to all privacy enquiries within 5 business days and all formal data rights requests within 30 days.
If you are not satisfied with our response, you have the right to escalate your complaint to the Autoriteit Persoonsgegevens (see Section 10.9).