Privacy Policy

Last updated: February 25, 2026

What We Collect

When you create an account, we store:

  • Email address — provided via Google sign-in or magic link
  • Name and profile photo — from Google, if you sign in that way
  • Alert preferences — the programs, categories, and filters you configure

We do not collect passwords. Authentication is handled through Google OAuth or one-time email links.

Payment Information

Premium subscriptions are processed by Stripe. We never see or store your card number. Stripe provides us with a customer ID and subscription status, which we store to manage your account.

Cookies

We only use essential cookies to keep you signed in and protect your account. We do not use advertising, tracking, or third-party cookies.

Analytics

We use Plausible Analytics, a privacy-focused service that does not use cookies, does not track individuals, and does not collect personal data. All data is aggregated. No data is sold or shared with advertisers.

Email

We send emails for:

  • Sign-in magic links (when you request one)
  • Alert notifications (based on your alert preferences)

Emails are sent via Resend. Every alert email includes an unsubscribe link. You can also disable or delete alerts from your account at any time.

Third-Party Services

  • Google OAuth — for sign-in (we receive your name, email, and profile photo)
  • Stripe — for payment processing
  • Resend — for transactional email delivery
  • Plausible — for anonymous, cookie-free analytics

We Do Not Sell Your Data

We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes. Your data is only shared with the service providers listed above, solely to operate the Service.

Links to Other Websites

Our Service links to third-party loyalty program websites. We have no control over the content or privacy practices of these sites and are not responsible for them. We recommend reviewing the privacy policy of any site you visit.

Data Retention

Your account data is retained as long as your account is active. Sessions expire after 30 days of inactivity. Magic link tokens expire after 15 minutes. If you'd like your account deleted, contact us and we'll remove your data.

Data Security

All traffic is served over HTTPS. Session tokens are stored as HttpOnly cookies. API keys and secrets are never exposed to the browser. We use timing-safe comparisons for all authentication checks.

Changes

We may update this policy from time to time. The "last updated" date at the top will reflect any changes.

Contact

Questions about this policy? Email us at hello@thevault.fyi.