Privacy Policy
Last updated: March 19, 2026
This Privacy Policy describes how Abaza Business Services ("we", "us", or "our") collects, uses, and protects information when you use The Vault application and website (collectively, the "Service") available at myvaults.io and app.myvaults.io.
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR), the UK GDPR, and all applicable privacy laws.
1. Data Controller
The data controller for personal data processed through the Service is:
Abaza Business Services
Email: privacy@myvaults.io
2. What Data We Collect
We collect only the data necessary to provide and improve the Service:
- Account data: Email address, display name, and profile photo (collected when you register or sign in with Google).
- Card collection data: Images of trading cards you upload, and metadata we derive or you provide (player name, set, condition, estimated value, notes).
- Usage data: Pages visited, features used, error logs, and device/browser type — collected via Firebase Analytics and Vercel Analytics for performance monitoring.
- Communications: Any messages you send to us via email or support channels.
We do not collect payment information. We do not sell your personal data.
3. Legal Basis for Processing (GDPR)
We process your personal data under the following lawful bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you requested (account creation, card storage, AI analysis).
- Legitimate interests (Art. 6(1)(f)): Analytics and security monitoring to operate and improve the Service.
- Consent (Art. 6(1)(a)): Where you have explicitly agreed (e.g. marketing communications, if applicable). You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Where required by law.
4. How We Use Your Data
- To create and manage your account.
- To identify, describe, and value your trading cards using AI (processed via Anthropic's Claude API — see Section 7).
- To fetch live eBay pricing estimates relevant to your cards.
- To generate shareable card images on your request.
- To diagnose errors and improve the Service.
- To comply with legal obligations.
5. Data Retention
We retain your account and collection data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law.
Server logs are retained for up to 90 days for security and debugging purposes.
6. Cookies and Tracking
The website uses minimal cookies:
- Strictly necessary: Firebase Authentication session tokens — required for you to stay logged in.
- Analytics: Vercel Analytics and Firebase Analytics collect anonymised usage data. No advertising trackers are used.
You can disable analytics cookies in your browser settings at any time without affecting core functionality.
7. Third-Party Services
We use the following third-party services to operate the Service. Each acts as a data processor under appropriate agreements:
- Google Firebase (Google LLC) — authentication, Firestore database, and file storage. Data may be processed in the US. Google is certified under the EU-US Data Privacy Framework. See Firebase Privacy.
- Anthropic — AI card analysis. Card images and metadata are sent to Anthropic's API for processing. Anthropic's data processing is governed by their Privacy Policy. We do not send personally identifiable information to Anthropic beyond what is strictly necessary.
- Vercel — web hosting and serverless API functions. See Vercel Privacy Policy.
- eBay — public sales data API used to estimate card values. No personal data is sent to eBay.
- Pexels — royalty-free images used in articles. No personal data is sent to Pexels.
8. International Transfers
Some of our third-party providers are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place, including reliance on Standard Contractual Clauses (SCCs) or certification schemes such as the EU-US Data Privacy Framework.
9. Your Rights (GDPR)
Under the GDPR and UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data.
- Right to restriction: Ask us to limit how we use your data.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at privacy@myvaults.io. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national supervisory authority in the EU).
10. Data Security
We implement industry-standard security measures, including HTTPS encryption in transit, Firebase Security Rules restricting data access to authenticated owners, and regular review of access controls. No method of transmission over the internet is 100% secure, but we take reasonable steps to protect your data.
11. Children's Privacy
The Service is not directed at children under the age of 13 (or 16 where applicable under local law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes your acceptance of the updated policy.