The Vault

Privacy Policy

Last updated: April 2026. This policy explains what data we collect and how we use it.

1. Data We Collect

When you create an account, we collect:

  • Email address — used for authentication and account communications
  • Account ID — a unique identifier generated by AWS Cognito
  • Watchlist — films you have saved, stored in our database
  • Subscription data — billing status and period, stored via Stripe and our database

We do not collect your name, address, or payment card details directly. Payment information is handled entirely by Stripe and is subject to Stripe's Privacy Policy.

2. How We Use Your Data

We use your data solely to provide and improve the service:

  • Authenticating you and managing your session
  • Processing and managing your subscription
  • Storing your watchlist preferences
  • Sending transactional emails (account verification, password reset)

We do not sell your data to third parties. We do not use your data for advertising.

3. Data Storage & Security

Your account data is stored on AWS infrastructure (Cognito, RDS) in the EU (eu-west-2, London). We use industry-standard security practices including encrypted connections (HTTPS/TLS) and access controls.

Authentication tokens are stored in your browser's local storage and expire after periods of inactivity.

4. Third-Party Services

We use the following third-party services that may process your data:

  • AWS Cognito — authentication and user management
  • Stripe — payment processing and subscription management
  • Internet Archive (archive.org) — film streaming (your IP may be visible to archive.org when streaming)
  • TMDB (The Movie Database) — film metadata (no personal data shared)
  • Google Fonts — font delivery (standard Google privacy policy applies)

5. Cookies & Local Storage

We use browser local storage (not cookies) to store your authentication tokens. This is necessary for the service to function — without it you would be signed out on every page visit.

We do not use tracking cookies or advertising cookies. We do not use analytics services that track individual users.

6. Your Rights (GDPR)

If you are in the European Economic Area or UK, you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — delete your account and associated data (available from your account page)
  • Portability — receive your data in a portable format
  • Object — object to processing of your data

To exercise any of these rights, please use your account page or contact us via the About page.

7. Data Retention

We retain your account data for as long as your account is active. If you delete your account, your personal data is removed from our systems within 30 days. Subscription records may be retained for up to 7 years for financial compliance purposes.

8. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email. Continued use of the service after changes constitutes acceptance of the updated policy.

9. Contact

For privacy-related questions or to exercise your rights, please contact us.