
Privacy Policy

Last updated: April 2026

VaultFolio ("we", "us", "our") is an Australian-based collectibles portfolio platform. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the VaultFolio mobile application and associated services (the "Service").

We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR) for users in the European Union, and the California Consumer Privacy Act (CCPA) for California residents.

1. Information We Collect

1.1 Account Data

When you sign in via Google OAuth or Sign in with Apple, we collect:

  • Email address
  • Display name (as provided by your OAuth provider)
  • Profile photo URL (as provided by your OAuth provider)
  • Authentication tokens (stored server-side, never exposed to the client)

Biometric authentication: If you enable Face ID or Touch ID, biometric data remains entirely on your device and is never transmitted to our servers.

1.2 Collectibles Data (User-Generated)

Content you create within the Service:

  • Item names, descriptions, and photos you upload
  • Grading information (PSA, BGS, CGC, GIA, PCGS, NGC, SGC certification numbers and grades)
  • Portfolio valuations (derived from market data)
  • Vault organisation (collections, tags, categories)

1.3 Camera and Photo Data

When you use the camera or photo library features:

  • Camera access is used to scan grading labels and slabs for certification identification
  • Photo library access is used to identify items from existing photos
  • Photos are processed on-device for OCR — only extracted certification numbers are sent to verification APIs
  • No photos are stored on our servers unless you explicitly add them to your vault

1.4 Market Data

  • Public market prices from the eBay Browse/Finding API (not user-specific)
  • VF-500 index calculations (aggregated and anonymised)

1.5 Blockchain and Mint Data (Opt-In Only)

If you choose to use our Reverse Mint feature, we collect:

  • Wallet addresses (Polygon, Ethereum, or Base networks)
  • Mint transaction hashes
  • IPFS metadata hashes

Privacy-preserving design: Rather than personally identifiable information, we store a privacy-preserving owner hash on-chain: the SHA-256 digest of the string email:cert_number. No PII is ever written to the blockchain.

1.6 Analytics Data

  • Anonymous usage analytics (screen views, feature usage)
  • Crash reports (via Expo/Sentry)
  • No advertising SDKs are included in the application
  • No ad tracking of any kind

2. How We Use Your Information

Purpose, and the data used for it:

  • Provide and operate the Service: account data, collectibles data
  • Calculate portfolio valuations: collectibles data, market data
  • Verify grading certifications: certification numbers (sent to PSA/Beckett/CGC/GIA)
  • Mint blockchain provenance tokens: wallet address, cert data (opt-in only)
  • Compute the VF-500 index: aggregated, anonymised market data
  • Improve the Service: anonymous analytics, crash reports
  • Communicate with you: email address (service updates and material policy changes only)

We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising purposes.

3. How We Store Your Data

Where each data type is stored (storage provider, location):

  • Account and collectibles data: Supabase (PostgreSQL), AWS Sydney (ap-southeast-2)
  • User-uploaded files: Supabase Storage, AWS Sydney (ap-southeast-2)
  • Static assets and CDN: Cloudflare, global edge network
  • Blockchain provenance tokens: Polygon / Ethereum / Base, public blockchain (decentralised, immutable)
  • Mint metadata: Pinata (IPFS), decentralised (immutable)

All data at rest is encrypted. Data in transit uses TLS 1.2 or higher. Database access is secured via Supabase Row Level Security (RLS), ensuring users can only access their own data.
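As an added example (not VaultFolio's own schema or code), here is what a Supabase Row Level Security setup of the kind described above looks like, together with a database function that produces the owner hash described in section 1.5. The table and column names (vault_items, mints, user_id, cert_number, owner_hash), the per-command policies, and the trimming and lowercasing of the email before hashing are assumptions; the policy text only states that the input is email:cert_number and that users can only reach their own rows.

```sql
-- Added example, not VaultFolio's schema. Table and column names are assumed.
-- Per-user vault items: every row carries the owning Supabase auth user id.
create table if not exists vault_items (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null default auth.uid() references auth.users (id) on delete cascade,
  cert_number text not null,
  name        text not null,
  created_at  timestamptz not null default now()
);

-- RLS is off until enabled; without these two statements the policies below
-- have no effect. FORCE applies the policies to the table owner role as well.
alter table vault_items enable row level security;
alter table vault_items force row level security;

-- One policy per command. auth.uid() is Supabase's current-user helper and
-- is NULL for unauthenticated requests, so anonymous callers see no rows.
create policy vault_items_select on vault_items
  for select using (user_id = auth.uid());
create policy vault_items_insert on vault_items
  for insert with check (user_id = auth.uid());
create policy vault_items_update on vault_items
  for update using (user_id = auth.uid()) with check (user_id = auth.uid());
create policy vault_items_delete on vault_items
  for delete using (user_id = auth.uid());

-- Owner hash for Reverse Mint: SHA-256 over the string "email:cert_number".
-- Normalising the email (trim, lower) is an assumption not stated by the
-- policy; it keeps the hash stable across capitalisation so the holder can
-- re-derive it later to prove ownership.
create or replace function owner_hash(email text, cert_number text)
returns text
language sql
immutable
as $$
  select encode(
    sha256(convert_to(lower(trim(email)) || ':' || trim(cert_number), 'UTF8')),
    'hex'
  );
$$;

-- Mint records keep only the hash plus on-chain identifiers, never the email.
create table if not exists mints (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null default auth.uid() references auth.users (id) on delete cascade,
  item_id     uuid not null references vault_items (id) on delete cascade,
  network     text not null check (network in ('polygon', 'ethereum', 'base')),
  wallet      text not null,
  tx_hash     text not null,
  ipfs_cid    text not null,
  owner_hash  text not null check (owner_hash ~ '^[0-9a-f]{64}$'),
  created_at  timestamptz not null default now()
);
alter table mints enable row level security;
alter table mints force row level security;
create policy mints_select on mints for select using (user_id = auth.uid());
create policy mints_insert on mints for insert with check (user_id = auth.uid());

-- Self-check with constructed sample values: the same (email, cert) pair
-- yields the same 64-character hex digest regardless of case or whitespace.
select owner_hash('Collector@Example.com', 'PSA12345678')
     = owner_hash('collector@example.com ', 'PSA12345678') as stable;
```

Two points a practitioner will want to verify against any deployment of this pattern: the policies only take effect once ENABLE (and, for the owner role, FORCE) ROW LEVEL SECURITY has been run on each table, and Supabase's service_role key bypasses RLS by design, so it belongs only on the server-side API and never inside the mobile app bundle. The owner hash is a deterministic pseudonym: anyone holding both the email and the certification number can recompute it, which is exactly what allows later ownership verification without the email itself appearing on-chain.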

4. Third-Party Services

We share limited data with the following third-party services as necessary to provide the Service:

Service, its purpose, and the data shared with it:

  • Supabase (database, authentication, file storage): account data, collectibles data, uploaded files
  • Google (OAuth sign-in): authentication flow only
  • Apple (Sign in with Apple): authentication flow only
  • Cloudflare (CDN, DNS, DDoS protection): standard HTTP request data
  • Railway (API hosting): authenticated API requests
  • eBay (market data API): no user data shared, public market queries only
  • PSA / Beckett / CGC / GIA (grading certification verification): certification numbers only
  • Polygon / Ethereum / Base (blockchain provenance minting): wallet address and privacy-preserving hash (opt-in)
  • Pinata (IPFS metadata storage): mint metadata only, no PII
  • Expo / EAS (app build and update service): no user data
  • Sentry (crash reporting): crash reports only, as described in section 1.6

5. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal information:

Each right, and how to exercise it:

  • Access — obtain a copy of your data: use the in-app data export feature or contact us
  • Correction — correct inaccurate data: edit directly in the app, or contact us
  • Deletion — request deletion of your data: delete your account in-app (30-day grace period, then permanent deletion)
  • Portability — receive your data in a portable format: JSON export available in-app
  • Opt-out of analytics — stop anonymous usage tracking: toggle in app settings

GDPR Rights (EU Users)

If you are located in the European Union, you additionally have the right to: restrict processing of your data, object to processing, lodge a complaint with your local data protection authority, and withdraw consent at any time. Our lawful bases for processing are contract performance (providing the Service), legitimate interest (improving the Service), and consent for opt-in features such as Reverse Mint and usage analytics, which you may withdraw at any time.

CCPA Rights (California Residents)

California residents have the right to: know what personal information we collect, request deletion of personal information, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at luke@vaultfolio.ai.

6. Data Retention

  • Active accounts: Your data is retained for as long as your account exists and is active.
  • Account deletion: Upon account deletion, your data enters a 30-day grace period during which you may recover your account. After 30 days, all personal data is permanently deleted from our servers.
  • Blockchain data: Data written to the blockchain (Polygon, Ethereum, Base) or IPFS is immutable by design and cannot be deleted. This data contains no personally identifiable information — only privacy-preserving hashes and metadata.
  • Anonymous analytics: Aggregated, anonymised analytics data may be retained indefinitely as it cannot be linked to individual users.

7. Children's Privacy

VaultFolio is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take prompt steps to delete that information. If you believe a child under 13 has provided us with personal data, please contact us at luke@vaultfolio.ai.

8. Cookies and Tracking

VaultFolio uses minimal cookies:

  • Session cookies: Used by Supabase Auth to maintain your authenticated session. These are strictly necessary for the Service to function.
  • No advertising cookies: We do not use any advertising, marketing, or third-party tracking cookies.
  • No cross-site tracking: We do not participate in cross-site tracking or share data with ad networks.

9. International Data Transfers

Your primary data is stored in AWS Sydney (ap-southeast-2), Australia. However, some data may be processed internationally:

  • Cloudflare CDN: Static assets are cached on Cloudflare's global edge network to improve performance. This involves standard HTTP caching and does not include personal data.
  • Blockchain networks: Blockchain data is replicated across decentralised global nodes by design. No PII is stored on-chain.
  • IPFS: Mint metadata is stored on the decentralised IPFS network. No PII is included.

For EU users, where data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses or adequacy decisions as appropriate. For CCPA purposes, we do not sell personal information to third parties.

10. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via the email address associated with your account before the changes take effect. Non-material changes (such as formatting or clarification) may be made without notice. The "Last updated" date at the top of this policy indicates when it was last revised.

11. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint about how we handle your data, please contact us:

VaultFolio — Privacy Enquiries

Email: luke@vaultfolio.ai

Website: vaultfolio.ai

VaultFolio is an Australian-based entity. For Australian Privacy Act complaints that remain unresolved, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

© 2026 VaultFolio. All rights reserved.
