Privacy Policy
Last updated: April 2026
1. Who We Are
ClaudeVault is a digital product store operated from Spain under the trade name "ClaudeVault." For data protection purposes, ClaudeVault is the data controller responsible for your personal data. We do not have a designated Data Protection Officer. For all data protection inquiries, contact support@claudevault.dev.
2. What We Collect
| Data | Source | Purpose |
|---|---|---|
| Name and email | Google or GitHub OAuth | Account creation, order communication |
| Purchase history | Stripe + our database | Order fulfillment, support |
| Payment metadata | Stripe (we do not store card numbers) | Transaction records |
| Device identifiers | CLI tool (anonymous UUIDs) | Enforcing 3-device license limit |
| API request logs | Server logs | Rate limiting, error tracking, security |
| Cart contents | Browser localStorage + database | Maintaining your shopping cart |
3. Legal Basis for Processing
Under GDPR Article 6, we process your data on the following legal bases:
- Contract performance: Account creation, payment processing, order confirmation emails, and delivering purchased content.
- Legitimate interest: Device limit enforcement (license compliance), API rate limiting, error tracking, and service security.
- Strictly necessary: Session cookies for authentication (no consent required).
We do not currently process data based on consent. If we add analytics or marketing features in the future, we will update this policy and implement appropriate consent mechanisms.
4. What We Don't Collect
- We do not read or store your Claude conversations.
- We do not track your browsing across other websites.
- We do not sell, rent, or share your personal data with third parties for their own marketing.
- We do not use your data for advertising or profiling.
5. Cookies & Local Storage
Session cookies: We use functional cookies (via NextAuth) for authentication. These are strictly necessary for the service to work and do not require consent. They expire when you sign out or after the session timeout.
Local storage: Your cart contents are stored in your browser's localStorage so items persist between visits. This is not a cookie and does not track you across sites.
No tracking cookies: We do not currently use analytics cookies, advertising pixels, or any non-essential tracking technologies. If this changes, we will update this policy and implement a cookie consent mechanism before deploying them.
6. Third-Party Services
We use the following services that may process your data:
Authentication providers (data flows from them to us):
- Google OAuth: Provides your name and email when you sign in with Google. See Google's Privacy Policy.
- GitHub OAuth: Provides your name and email when you sign in with GitHub. See GitHub's Privacy Statement.
Service providers (data flows from us to them):
- Stripe: Payment processing. Receives your email and payment details. See Stripe's Privacy Policy.
- Resend: Transactional email delivery. Receives your email address. See Resend's Privacy Policy.
- Vercel: Website hosting. Processes server requests. See Vercel's Privacy Policy.
- Neon: Database hosting. Stores account and purchase data. See Neon's Privacy Policy.
- Upstash: Redis hosting for API rate limiting. Processes anonymous request counts. See Upstash's Privacy Policy.
- Cloudflare: DNS and network security. Processes connection metadata. See Cloudflare's Privacy Policy.
7. International Data Transfers
Your data may be processed in countries outside the European Economic Area (EEA), including the United States, where our service providers operate. These providers maintain their own data protection agreements and transfer mechanisms (such as Standard Contractual Clauses) to ensure adequate protection of your data. We select processors that demonstrate compliance with applicable data protection standards.
8. Data Retention
- Account and purchase data is retained for as long as your account is active.
- API logs are retained for up to 90 days.
- You may request deletion of your account and associated data at any time by emailing support@claudevault.dev.
- Some data may be retained longer where required by law (e.g., tax and accounting records).
9. Your Rights Under GDPR
As a data subject, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Data portability: Receive your data in a structured, machine-readable format.
- Restriction: Request that we limit processing of your data.
- Objection: Object to processing based on legitimate interest.
- Complaint: Lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at aepd.es or your local supervisory authority.
To exercise any of these rights, email support@claudevault.dev. We will respond within 30 days.
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Rate limiting is applied uniformly and does not constitute profiling under GDPR.
11. Children's Privacy
ClaudeVault is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
12. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page will always reflect the most recent revision.
13. Contact
For any privacy-related questions or to exercise your data rights, email support@claudevault.dev.