This Privacy Policy explains what information Vault collects, why we collect it, and what we do with it. We've tried to keep it short and plain โ if anything is unclear, contact us at chriscui1203@gmail.com.
"Vault," "we," "us," and "our" refer to Cui Labs Ltd., the developer of the Vault iOS application (the "App").
1. Who this applies to
This Privacy Policy applies to anyone who downloads, registers for, or uses Vault. The App is intended for users 17 and older. We do not knowingly collect personal information from anyone under 17. If you believe a minor has provided us information, contact us and we will delete it.
2. What we collect, and why
We try to collect as little as possible. Here is everything:
2.1 Account information
- Phone number โ used solely to send you a one-time SMS code (via Twilio) so you can sign in. We do not use it for marketing, do not store it in plaintext after verification, and do not share it with third parties for advertising.
- Username โ chosen by you, displayed to other lobby participants and friends.
- Avatar (optional) โ image you upload, displayed to other lobby participants and friends.
- Push notification token โ required to send you alerts about your active challenges (e.g., a challenge starting or ending).
2.2 Challenge ("lobby") activity
When you create or join a challenge, we store:
- The challenge's name, description, duration, list of apps and categories you chose to block, and entry fee.
- Your participation status (in progress, won, forfeited, completed).
- The number of in-app tokens you've used during the challenge and your "discipline score" derived from time elapsed and tokens unburned. Other participants in the same challenge can see this score and your username/avatar; this is the entire point of a leaderboard.
- Posts and comments you write inside a lobby. These are visible to other participants of that lobby.
2.3 Screen Time / Family Controls (iOS)
Vault uses Apple's Family Controls and Managed Settings frameworks to block the apps and categories you choose during a challenge. Vault does not measure your screen time and does not transmit your per-app or per-category usage to our servers, to other users, or to anyone else. What stays on your device, stays on your device.
We do record one signal related to Family Controls authorization โ whether you have granted or revoked Vault's permission to block apps โ so that, if you revoke permission mid-challenge, we can mark you as having forfeited (this is what you agreed to when you joined a paid challenge with money at stake).
2.4 In-app purchases
All purchases (token packs and Vault Premium subscription) are processed by Apple through the App Store. RevenueCat (our subscription middleware) stores a transaction identifier so we know what you've purchased and can grant you the corresponding tokens or subscription benefits. We do not see your card details, billing address, or Apple ID.
2.5 What we do NOT collect
For clarity, Vault does not collect:
- Your contacts, calendar, photos (beyond a profile picture you upload), microphone, or precise location.
- Your screen time or per-app usage data.
- Web browsing history.
- Analytics events, behavioral telemetry, or marketing identifiers (no SDKs from Mixpanel, Amplitude, Segment, Firebase Analytics, Facebook, Google Ads, etc.).
3. Who we share data with
We share information only with these service providers, only as needed to operate the App:
| Service | Role | What it sees |
|---|---|---|
| Supabase | Database and authentication backend | Your account, lobby, and friendship records |
| Railway | Hosting our backend API | Transient API requests; does not retain user data |
| RevenueCat | In-app purchase / subscription management | Apple transaction IDs and your in-app user ID |
| Twilio | SMS one-time codes | Your phone number, only at the moment of code delivery |
| Expo Push Service | Push notifications | Your push token and notification payload |
We do not sell your personal information to anyone. We do not share it for advertising. We do not let third parties use it to build profiles of you outside our App.
We may disclose information if required by valid legal process (subpoena, court order) or if necessary to investigate fraud, abuse, or threats to our users.
4. How long we keep your data
- Account data: as long as your account is active.
- Challenge records: retained so historical lobbies remain visible to past participants.
- Purchase records: transaction identifiers for in-app purchases are retained for as long as needed to honor your subscription or restore prior purchases.
- Phone number / OTP codes: OTP codes are short-lived; we do not retain plaintext phone numbers in our user database (a derived synthetic email is used instead).
When you delete your account (see ยง5), we anonymize your record and clear personal fields; some non-personal historical data (challenge participation, scoring) is retained in anonymized form so other participants' historical lobbies remain coherent.
5. Your choices and rights
- Access and update: view and edit your profile (username, avatar) inside the App.
- Delete your account: Settings โ Delete Account. This anonymizes your account, clears your push token and avatar, forfeits any active challenges, and severs your friend connections. This is irreversible.
- Revoke Family Controls / Screen Time permission: iOS Settings โ Screen Time โ at any time. (Revoking mid-challenge will forfeit you, per the rules you agreed to.)
- Disable push notifications: iOS Settings โ Notifications โ Vault.
- Export your data: Settings โ Account โ Export my data. The app generates a JSON file containing every record we have about you (profile, lobby participations, in-app purchases, friendships, posts, and more) and hands it to the iOS share sheet so you can save it to Files, Mail it to yourself, or AirDrop it to another device. You don't have to wait or email us. If the in-app export ever fails, email chriscui1203@gmail.com and we will respond within 30 days.
If you are in the European Economic Area, United Kingdom, California, or another jurisdiction with data-protection rights, you also have the right to lodge a complaint with your local data protection authority. The legal basis for our processing is (a) performance of our contract with you (operating the App and your lobby participation) and (b) your consent (notifications, optional avatar).
6. Security
We use TLS for all network communication and store data with industry-standard providers (Supabase, AWS-hosted infrastructure). No system is perfectly secure; if you discover a vulnerability, please report it to chriscui1203@gmail.com.
7. International transfers
Our infrastructure is hosted in the United States. If you use Vault from outside the United States, you understand and agree that your information will be processed in the United States.
8. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes we will notify users in-app or via push notification. The "Last updated" date at the top of this document always reflects the current version.
9. Contact
Questions, requests, or complaints:
Cui Labs Ltd.
Email: chriscui1203@gmail.com