VesperVault

Privacy Policy

Last updated: March 2, 2026

1. Introduction

VesperVault ("we," "us," or "our") operates the VesperVault mobile application and website at vespervault.app (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We take your privacy seriously. Our business model is based on subscriptions, not advertising. We do not sell, rent, or share your personal data with third parties for marketing purposes.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

Account Information: Email address, password (hashed and salted), and optionally your phone number when you create an account.

Emergency Messages: The content of messages you create within the Service, including text content, message titles, and any information you choose to include.

Recipient Information: Names, phone numbers, and email addresses of the emergency contacts you add to receive your messages.

Payment Information: When you subscribe to a paid plan, payment is processed by Stripe. We do not store your full credit card number. We receive only the last four digits, card brand, and billing status from Stripe.

Referral Information: If you participate in our referral program, we store your referral code and track referral relationships for commission calculation.

2.2 Information Collected Automatically

Check-in Activity: Timestamps of your check-ins, timer settings, and escalation events. This data is essential to operating the safety check-in service.

Location Data: If you enable location tracking, we collect GPS coordinates approximately every 15 minutes or when you move more than 50 meters. Location data is automatically deleted after 48 hours unless you lock specific records. You can disable location tracking at any time.

Device Information: Device type, operating system version, app version, and push notification tokens. Used for delivering notifications and ensuring app compatibility.

Error and Performance Data: We use Sentry for error tracking and crash reporting. This may include device state, stack traces, and app interaction data at the time of an error. No message content or personal data is included in error reports.

3. How We Use Your Information

We use the information we collect exclusively to:

Operate and maintain the safety check-in service, including timer management, escalation logic, and emergency message delivery via SMS (Twilio) and email (Resend).

Send you push notifications, voice call reminders, and escalation alerts related to your check-in activity.

Process subscription payments and manage your account through Stripe.

Calculate and pay referral commissions if you participate in the referral program.

Monitor and improve the reliability, security, and performance of the Service.

Respond to your requests if you contact us.

We do not use your data for advertising, profiling, or any purpose unrelated to providing the safety check-in service.

4. How We Share Your Information

We share your information only in the following limited circumstances:

Emergency Message Delivery: When an escalation is triggered, your pre-written messages (including GPS location if enabled) are delivered to your designated recipients via SMS and email. This is the core purpose of the Service and occurs only when you fail to check in within your configured timeframe.

Service Providers: We use the following third-party services to operate: Supabase (database and authentication), Stripe (payment processing), Twilio (SMS delivery), Resend (email delivery), and Sentry (error monitoring). Each provider processes only the minimum data necessary for their specific function.

Legal Requirements: We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect the rights, property, or safety of VesperVault, our users, or the public.

We do not sell, rent, or trade your personal information to any third party for any reason.

5. Data Storage and Security

Your data is stored on Supabase infrastructure using PostgreSQL databases. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Our database is protected by Row Level Security (RLS) policies that ensure users can only access their own data.

Passwords are hashed using bcrypt before storage. We never store or have access to your plaintext password.

While we implement industry-standard security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data using commercially reasonable measures.

6. Data Retention

Account Data: Retained for as long as your account is active. After account deletion, all personal data is permanently removed within 30 days.

Location Data: Automatically deleted after 48 hours unless manually locked by you. You can delete all location history at any time.

Emergency Messages: Stored for as long as your account is active. Deleted when you delete a message or delete your account.

Delivery Logs: Records of emergency message deliveries are retained for 90 days for reliability monitoring, then automatically deleted.

Payment Records: Transaction records are retained as required by applicable financial regulations (typically 7 years).

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of all personal data we hold about you. You can export your data as a JSON file directly from the app Settings screen.

Correction: Update or correct any inaccurate personal data through the app or by contacting us.

Deletion: Request complete deletion of your account and all associated data. This can be initiated from the app Settings screen.

Portability: Receive your data in a structured, machine-readable format (JSON export).

Restriction: Request that we limit processing of your personal data under certain circumstances.

Objection: Object to processing of your personal data for specific purposes.

To exercise any of these rights, use the in-app data management tools or contact us at privacy@vespervault.app.

8. International Data Transfers

Your data may be processed in countries other than your country of residence. Our service providers operate globally, and data may be transferred to and stored in the United States or other jurisdictions. We ensure that appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.

9. Children's Privacy

The Service is not intended for use by anyone under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.

10. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the legal bases for processing your personal data are: performance of our contract with you (providing the Service), your consent (location tracking, which you can withdraw at any time), and our legitimate interest in maintaining service security and preventing abuse.

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed unlawfully.

11. CCPA Compliance (California Users)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA): the right to know what personal information we collect and how it is used, the right to request deletion of your personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your CCPA rights.

12. Cookies and Tracking

The VesperVault mobile app does not use cookies. Our website (vespervault.app) uses only essential cookies necessary for basic site functionality. We do not use advertising cookies, social media trackers, or third-party analytics cookies.

13. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party services you interact with.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, through in-app notifications. The "Last updated" date at the top of this policy indicates when it was last revised.

Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, you can reach us at:

Email: privacy@vespervault.app

For data deletion requests, use the in-app account deletion feature for the fastest processing.