VinVault ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information about you when you use VinVault (the "Service") at vinvault.net. It complies with the EU General Data Protection Regulation (GDPR) and applicable UK data protection law.
1. Data We Collect
We collect the following categories of personal data:
- Account data: email address and password (hashed) when you create an account.
- Submission data: chassis records and associated vehicle details you submit to the registry, including your email address as submitter.
- Usage data: pages visited, browser type, and approximate geographic location via IP address, collected anonymously for analytics.
- Cookies: essential session cookies and optional analytics cookies (see Section 4).
We do not collect payment information, government ID, or sensitive personal data as defined by GDPR Article 9.
2. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance: to provide your account, manage your submissions, and operate the registry.
- Legitimate interests: to prevent fraud, improve the service, and maintain the integrity of registry records.
- Consent: for optional analytics cookies and newsletter communications.
3. How We Use Your Data
- To operate and maintain your account.
- To review and publish vehicle submissions.
- To send transactional emails (e.g. submission status updates) via Brevo.
- To detect and prevent fraudulent submissions.
- To analyse usage patterns and improve the service.
4. Cookies
We use the following types of cookies:
- Essential cookies: session authentication cookies required for logged-in functionality. These cannot be disabled without breaking the site.
- Analytics cookies: optional cookies that help us understand how visitors use the site. You can decline these via our cookie consent banner.
You can manage cookie preferences in your browser settings at any time.
5. Data Retention
We retain your data as follows:
- Account data: until you request deletion or 3 years after your last activity.
- Approved registry submissions: indefinitely, as these are part of the permanent public record. Your email address is not publicly displayed.
- Rejected submissions: deleted after 90 days.
6. Your Rights (GDPR)
If you are in the EU or UK, you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your account and personal data.
- Restriction: request that we limit processing of your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: withdraw consent for analytics cookies at any time.
To exercise any of these rights, contact us as described in Section 9.
7. Data Sharing
We do not sell your personal data. We share data only with:
- Supabase (database hosting, EU region).
- Brevo (transactional email delivery).
- Law enforcement, when legally required.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, hashed password storage, and access controls. No system is completely secure; please use a strong unique password.
9. Contact & Data Controller
VinVault is the data controller for personal data processed through this site. For privacy enquiries, data subject requests, or complaints, contact us via the FAQ page. You also have the right to lodge a complaint with your national data protection authority.