Privacy Policy
00 Overview
PokéVault Holdings ("PokéVault," "we," "us," or "our") operates the PokéVault application and website (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it.
We are committed to being transparent about our data practices. If at any point something is unclear, email us at hello@pokevaultapp.com and we will explain it in plain language.
Short version: We collect the minimum data needed to operate the Service. We do not sell your data, share it with advertisers, or use your card photographs to train AI models without your explicit consent. Your collection stays yours.
01 Data We Collect
Account Data
When you create an account, we collect:
- Email address (required for login and account communications)
- Display name (optional, shown only to you)
- Password (stored as a one-way cryptographic hash — we never store it in plaintext)
- Subscription tier and billing status (not full payment card details — those are held by our payment processor)
Collection & Card Data
| Data type | Purpose | Required? |
|---|---|---|
| Card photographs | AI identification and grading | Yes, for scan feature |
| Collection metadata | Portfolio tracking, value calculation | Yes, core feature |
| Price alert settings | Triggering market notifications | Optional |
| Watchlist items | Tracking cards you don't own | Optional |
| Trade comparison history | Trade checker feature | Optional |
Technical Data
We automatically collect certain technical data when you use the Service:
- Device type, operating system version, and App version (for compatibility and debugging)
- IP address (for security monitoring and approximate region detection — not stored long-term)
- Session tokens and authentication data
- Crash logs and error reports (anonymized)
Data We Do NOT Collect
We do not collect: precise GPS location, contacts, call logs, browsing history outside our app, biometric data, or any sensitive personal categories under GDPR Article 9.
02 How We Use Your Data
We use the data we collect for the following purposes:
- Providing the Service: Card identification, collection tracking, price calculation, trade checking, and alert delivery
- Account management: Authentication, subscription management, and customer support
- Service improvement: Aggregated, anonymized usage analytics
- Security: Fraud detection, abuse prevention, and protecting the integrity of our systems
- Legal compliance: Meeting our obligations under applicable law
- Communications: Transactional emails and, with your opt-in consent, product update newsletters
We rely on the following legal bases under GDPR (where applicable): contract performance, legitimate interests, legal obligation, and consent.
03 Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
Service Providers
We engage trusted third-party service providers under strict data processing agreements: cloud infrastructure (encrypted at rest and in transit), payment processing via Stripe (we never receive or store full card numbers), email delivery, and anonymized analytics.
Market Data Partners
To provide price data, we send only card identifier information (set name, card number, condition grade) to retrieve pricing — we do not share your identity or collection details with these partners.
Legal Requirements
We may disclose data if required by valid legal process. We will notify you of such requests where legally permitted, and we will challenge requests we believe to be overbroad.
Business Transfers
In the event of a merger or acquisition, we will notify you at least 30 days before any data transfer, and you will have the option to delete your account before the transfer completes.
We never share your data with advertisers, data brokers, or analytics platforms that track you across the web.
04 Retention & Deletion
| Data category | Retention period |
|---|---|
| Account & collection data | Until account deletion, then 30-day export window, then purged |
| Card photographs | Deleted immediately after identification unless saved to collection |
| Transaction records | 7 years (legal/tax compliance) |
| Crash logs & error reports | 90 days, anonymized |
| IP address logs | 30 days for security purposes |
To delete your account, go to Settings → Account → Delete Account in the App, or email us at hello@pokevaultapp.com. We will process deletion requests within 30 days.
05 Security
We implement industry-standard security measures:
- Encryption in transit: TLS 1.2 or higher
- Encryption at rest: AES-256
- Password hashing: bcrypt with appropriate work factor
- Access controls: Principle of least privilege, logged and audited
- Vulnerability management: Regular penetration testing and dependency auditing
In the event of a data breach that affects your personal information, we will notify you within 72 hours of becoming aware, as required by applicable law.
06 Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe your child has provided us with personal information, please contact us at hello@pokevaultapp.com and we will delete that information promptly.
07 Cookies & Tracking
Website Cookies
Our website uses strictly necessary cookies (session management), functional cookies (preferences), and anonymized analytics cookies with no cross-site tracking. We do not use advertising cookies or social media tracking pixels.
Mobile App
The App does not use advertising SDKs, cross-app tracking identifiers, or share data with ad networks. On iOS, we fully comply with App Tracking Transparency (ATT) requirements.
08 Your Rights
To exercise any of these rights, email hello@pokevaultapp.com. We will respond within 30 days. EU/EEA users may also lodge a complaint with their local data protection Supervisory Authority. California users have CCPA rights — we do not sell personal information.
09 International Transfers
PokéVault is operated from the United States. For EU/EEA users, we rely on Standard Contractual Clauses (SCCs). For UK users, we use International Data Transfer Agreements (IDTAs). We apply equivalent protection measures to all user data regardless of origin.
10 AI & Card Data
How AI Scanning Works
When you scan a card, the photograph is sent securely to our servers, processed by our AI identification model, and the result is returned to your device. By default, card photographs are deleted from our servers immediately after processing.
AI Model Training
We do not use your card photographs or collection data to train or improve our AI models without your explicit, separate opt-in consent. If you choose to contribute scans, those images are anonymized before use and stripped of any identifying metadata.
Default behaviour: Your scan photographs are processed and deleted within seconds. They are never used for training or shared with third parties. Verify this in Settings → Privacy → Card Scan Data.
Automated Decision-Making
The trade checker and grading features use automated processing to generate advisory verdicts and grades. No automated decision produces legal or similarly significant effects on you.
11 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and via in-app notice at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance.
12 Contact & Data Protection Officer
For any privacy-related questions, requests, or concerns:
- Email: hello@pokevaultapp.com
- Subject line: "Privacy Request — [your request type]" for faster routing
- Response time: Acknowledged within 2 business days, resolved within 30 days
Our Data Protection Officer can be reached at the same email address with the subject line "DPO — [your inquiry]".