Privacy Policy
Last updated: May 2026
Overview
Vault is a freelancer invoicing app that helps you generate invoices, manage clients, and track payments. This Privacy Policy explains what data we collect, how we use it, and your rights over it.
By using Vault, you agree to the practices described in this policy. If you do not agree, please do not use the app.
Data We Collect
We collect only what is necessary to provide the service:
- Account information — your name and email address, provided via Google Sign-In
- Business details — business name, payment details (bank account, PayNow), default rate, and invoice settings you enter during onboarding
- Client data — names, email addresses, and billing information you add for your clients
- Invoice data — line items, amounts, due dates, and payment status for invoices you create
- Google Calendar data — if you connect Google Calendar, we access event titles, dates, and times to help generate invoices. We do not store your full calendar; only matched billing events are processed.
- Usage data — crash reports and error logs via Sentry, used solely to fix bugs
How We Use Your Data
- To provide and operate the Vault invoicing service
- To generate and send invoices to your clients on your behalf
- To parse Google Calendar events into invoice line items (only when you explicitly trigger this)
- To display your dashboard and financial summaries
- To diagnose crashes and fix bugs
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described below.
Third-Party Services
Vault uses the following third-party services to operate:
- Google OAuth — for sign-in and optional Calendar access. Governed by Google's Privacy Policy.
- Supabase — our database provider. Your data is stored in a Supabase Postgres instance hosted in the ap-southeast-1 (Singapore) region.
- Resend — used to send invoice emails to your clients on your behalf.
- Sentry — used for crash reporting and error monitoring. No PII is included in error logs.
- Railway — our server hosting provider.
Data Storage & Security
Your data is stored in Singapore (ap-southeast-1) on Supabase infrastructure. We apply the following security measures:
- All data in transit is encrypted via HTTPS/TLS
- Authentication uses JSON Web Tokens (JWTs) with expiry and revocation
- Row-level security policies ensure users can only access their own data
- Sensitive payment fields are encrypted at the application layer
No security system is perfect. We recommend using a strong Google account password and enabling two-factor authentication on your Google account.
Data Retention
We retain your data for as long as your account is active. If you delete your account, all associated data — including your profile, clients, invoices, and line items — is permanently deleted from our systems within 30 days.
Your Rights (PDPA)
As a Singapore-based service, we comply with the Personal Data Protection Act (PDPA). You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your account and all associated data
- Withdraw consent for data processing
To exercise any of these rights, contact us at the email below. We will respond within 30 days.
Children
Vault is not intended for users under the age of 18. We do not knowingly collect data from minors.
Changes to This Policy
We may update this policy as the app evolves. When we do, we will update the "Last updated" date at the top of this page. Continued use of Vault after changes constitutes acceptance of the updated policy.
Contact
For any privacy-related questions or data requests, contact us at:
nureliisajuntunen@gmail.com
Note: This email will be updated to a dedicated privacy contact once a business entity is registered.