Privacy Policy

Effective Date: April 23, 2026

1. Who we are

VaultKeeper ("we", "our", "us") is a personal finance application operated by an independent developer (Dmitry Sinkovskiy, sole proprietor). This Privacy Policy explains how we collect, use, store, and share information when you use the VaultKeeper iOS app, the VaultKeeper web app at vaultkeepermoney.com/webapp, and related services.

For privacy questions, data requests, or to exercise any right described below, contact info@vaultkeepermoney.com.

2. Information we collect

2.1 Information you provide

• Account credentials — email address, password hash (handled by Firebase Authentication), or OAuth profile data when you sign in with Google or Apple (name and email only).
• Financial data you enter — wallet names, balances, categories, transactions (date, amount, type, note, category), and scheduled/recurring transaction definitions. All manually-entered data is stored under your user account in Firebase Realtime Database.
• Household membership — when you invite others or accept an invite, we store the household owner's UID and member list. Members can read and write the household's shared financial data.
• App preferences — theme choice, app-lock passcode, two-factor authentication (TOTP) secret if enabled, biometric-unlock toggle, base currency.

2.2 Information from integrated services

• Bank transaction data (optional) — if you connect a bank via Plaid or Teller, we receive transaction history, account balances, and account identifiers for the accounts you explicitly authorize. Access tokens live in Cloudflare KV, encrypted at rest, never exposed to the client.
• Subscription status — if you purchase VaultKeeper Premium, RevenueCat (our subscription provider) sends us webhook events with your subscription state. We store a small set of fields in your user record: active-or-not, product ID, trial status, expiration date.
• AI chat context (only when you opt in) — when you explicitly enable VaultKeeper AI and send a message, the app sends a sanitized snapshot of your financial data (wallet names, balances, category names, last 90 days of transactions) to Anthropic to generate the response. See Section 5 for details on exclusions.
• Wallet share tokens — if you create a read-only share link for a wallet, the wallet's data is mirrored to a public-but-unguessable URL (24-char random hex token). You can revoke the link at any time.

2.3 Automatically collected

• Crash reports — Firebase Crashlytics captures native crashes for diagnostic purposes. Reports include stack traces, device model, OS version, and your anonymized Firebase user ID (a 28-character opaque token, not your email). No financial data or app content is included.
• Worker-side request logs — our Cloudflare Worker logs routine API activity (endpoint path, response status, rate-limit counter) for abuse prevention and debugging. Retained for 30 days by Cloudflare; not combined with other data.
• No analytics, telemetry, advertising identifiers, or behavioral tracking. No cookies used for tracking purposes; only auth tokens + small preference values stored in localStorage on the web.

3. How we use your information

• Provide and maintain the financial tracking service across iOS and web.
• Authenticate you and keep your account secure (including app-level passcode and two-factor authentication when you enable them).
• Sync data across your devices and, when you invite them, household members.
• Import bank transactions on your request via Plaid or Teller.
• Process subscription payments and maintain entitlement state.
• Generate AI responses about your finances (only when you've enabled AI chat).
• Diagnose crashes and operational issues.
• Comply with legal obligations where they apply.

We do not use your data to train machine-learning models (neither ours nor third-party), display advertisements, or sell to data brokers.

4. Third-party processors

We rely on the following service providers to operate VaultKeeper. Each processes data solely to provide its service and is bound by a Data Processing Agreement (where applicable) under GDPR Article 28.

5. VaultKeeper AI and Anthropic

VaultKeeper AI is an optional feature available to premium subscribers. It lets you ask questions about your finances ("How much did I spend on groceries last month?") and uses Anthropic's Claude language model to generate the response.

5.1 Consent gating

AI chat is disabled by default. On first use you see an explicit consent prompt describing exactly what data will be sent. Nothing is sent to Anthropic until you accept. You can revoke consent at any time from Settings → VaultKeeper AI; subsequent sends are blocked until you opt back in.

5.2 What is sent to Anthropic

When you send an AI message, we build a sanitized text snapshot and include it in the prompt:

• Today's date and your base currency
• Active wallets: name, type, current balance, currency code
• Active expense and income category names (not icons, colors, or IDs)
• Last 90 days of transactions: date, type, signed amount, category name, wallet name, note (truncated to 120 characters)
• Your conversation history with the AI in the current session

5.3 What is never sent to Anthropic

• Your Firebase user ID, email, or any other identifier we use internally
• Household member emails or UIDs
• Plaid or Teller access tokens or account fingerprints
• Wallet share tokens
• Firebase Auth tokens
• Transaction IDs, wallet IDs, or category IDs (we send names only)
• Icons, colors, or any visual metadata

5.4 Anthropic's retention and training

Anthropic's API does not use your inputs to train its models by default. We have a Data Processing Agreement with Anthropic under GDPR Article 28. Anthropic retains API request data for up to 30 days for trust-and-safety purposes, then deletes it. See Anthropic's privacy policy for their full data-handling terms.

5.5 Session-only history

Your conversation history is not persisted. When you close the AI chat sheet, messages are discarded. We do not store them in Firebase, Anthropic does not retain them beyond the 30-day trust-and-safety window, and a fresh conversation starts each time you open the chat.

6. Data storage and security

• All data in transit uses TLS 1.2+.
• Financial data is stored in Firebase Realtime Database (region: us-central1). Access is governed by Firebase Security Rules that enforce per-user and per-household permissions.
• The subscription node in Firebase (which controls premium entitlement) is locked to admin-only writes via .validate: false; clients cannot self-grant premium.
• Bank access tokens are stored in Cloudflare Workers KV, encrypted at rest by Cloudflare.
• Apple sandbox and production subscription receipts are signed by Apple using ECDSA P-256; our Worker verifies the signature before writing entitlement state.
• Optional on-device controls: app-level passcode lock (4-digit PIN), Face ID / Touch ID unlock, two-factor authentication via TOTP (RFC 6238).
• Firebase Realtime Database offline persistence keeps an encrypted local cache of your data on-device so the app works without a network. The cache is scoped to the device and cleared on sign-out.
• Financial data is backed up daily to a private Google Cloud Storage bucket (vaultkeeper-effeb-default-rtdb-backups), encrypted at rest, with a 3-year retention horizon.

7. Data sharing

We do not sell, rent, or share your personal data with third parties except:

• Service Providers listed in Section 4, solely to operate VaultKeeper.
• Household members — if you use family sharing, members you invite can read and write the household's shared financial data (wallets, transactions, categories, scheduled transactions). Subscription state and app preferences remain per-user.
• Wallet share links — if you create a share link, anyone with the link can view read-only a snapshot of that one wallet's balance and recent transactions. You control creation and revocation.
• Legal requirements — we may disclose data if required by a valid subpoena, court order, or applicable law.

8. Data retention

• Account and financial data — retained for as long as your account is active. You may delete individual records at any time from inside the app.
• Full account deletion — Settings → Delete Account permanently removes: your user record, your household (if you are the owner), your membership record (if you are a member), all wallet share tokens, pending invitations addressed to you, your bank access tokens in Cloudflare KV, your Plaid items (also revoked with Plaid), your Teller enrollments, your AI rate-limit counters, and your Firebase Auth profile. The action is irreversible.
• Crash reports — retained by Firebase Crashlytics for 90 days.
• Worker request logs — retained by Cloudflare for 30 days.
• AI chat — not retained by us. Anthropic holds API request data for up to 30 days for trust-and-safety, then deletes.
• Backups — daily Firebase exports retained for up to 3 years in our private GCS bucket. Deletion requests are propagated to backups within 30 days of the next scheduled backup cycle.

See our Data Retention Policy for the operational procedures.

9. Your rights

Regardless of jurisdiction, we aim to honor the following rights:

• Access — request a copy of your data. Available in-app via Settings → Export to CSV, which includes every transaction with currency, amount, category, wallet, and notes. For data not covered by CSV (subscription state, preferences), email info@vaultkeepermoney.com.
• Correction — edit any wallet, transaction, or category from within the app.
• Deletion — delete individual records in-app, or delete your entire account from Settings → Delete Account.
• Portability — CSV export provides data in a machine-readable format suitable for import into other finance apps.
• Objection and restriction — disconnect bank accounts, revoke AI consent, or opt out of crash reporting at any time.
• Withdraw consent — revoking AI consent in Settings stops all future data transfer to Anthropic.
• Lodge a complaint — EU/UK users have the right to lodge a complaint with a supervisory authority.

10. International transfers

Your data is stored on servers in the United States (Firebase region us-central1, Cloudflare's global edge network, Anthropic's US infrastructure, Apple's global infrastructure). If you access the service from outside the US, your data will be transferred to and processed in the US. Standard Contractual Clauses apply where required under GDPR.

11. Children's privacy

VaultKeeper is rated 4+ in the App Store for its non-objectionable content, but it is not designed for children. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that threshold applies). If you believe a child has provided us with personal information, contact us at info@vaultkeepermoney.com and we will delete it.

12. Subscription payments

Premium subscriptions are processed by Apple through In-App Purchases. We do not receive or store your payment-method details (credit card, Apple ID password, etc.) — those stay with Apple. We receive only the subscription status (active / inactive / in-trial) and the product ID from Apple via RevenueCat's webhook and Apple's App Store Server Notifications V2. Cancel any time at Settings → Apple ID → Subscriptions on your iOS device.

13. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the Effective Date at the top and, if the changes are significant, notify you in-app. Minor edits (clarifications, typo fixes) may be made without notice.

14. Contact

For privacy questions, data access requests, or to exercise any right described above, email info@vaultkeepermoney.com. We respond within 30 days.