Privacy Policy
This policy explains how ToyVault ("we", "us") processes personal data when you use https://toyvault.app. We comply with the EU General Data Protection Regulation (GDPR) and applicable national law.
Last updated: 18 June 2026
1. Who is responsible?
Data controller: ToyVault
Website: https://toyvault.app
Privacy contact: privacy@toyvault.app
For any request about your personal data — access, correction, deletion, or portability — email us at privacy@toyvault.app.
2. What data do we process?
When you browse without an account, we process limited technical data needed to deliver the site (see our Cookie Policy). We do not require personal data to browse the public toy database.
When you create an account, we process:
- Email address and password (stored securely by our auth provider)
- Username and optional display name
- Optional country, bio, and collecting-since year
- Optional social handles (Instagram, eBay, YouTube, TikTok) for your public profile
- Collection data you enter: owned items, condition, packaging, quantities, purchase prices, notes, and photos you upload
- Wishlist entries linked to your account
- Catalog suggestions you submit (content and submission metadata)
Public profile information: if your profile is not private, your username, display name, country, bio, collecting-since year, social links, and aggregate stats (collection size and catalog suggestion counts) may be visible on your public profile page and when you submit catalog suggestions. You can set your profile to private in account settings. Do not share sensitive personal information in public fields.
We do not sell your personal data. We do not use third-party advertising or behavioural tracking cookies on ToyVault.
3. Why we process your data and legal bases
- Providing the service (GDPR Art. 6(1)(b) — contract): creating and managing your account, storing your collection and wishlist, authentication, and exporting your collection data on request.
- Community catalog (GDPR Art. 6(1)(b) and/or 6(1)(f) — legitimate interest): reviewing and publishing catalog suggestions you submit, and attributing contributions where appropriate.
- Security and abuse prevention (GDPR Art. 6(1)(f) — legitimate interest): protecting accounts, preventing fraud, and maintaining service integrity.
- Legal obligations (GDPR Art. 6(1)(c)): where we must retain or disclose data under applicable law.
Providing account data is voluntary for browsing, but required fields are necessary to register and use personal features. Without them we cannot provide those features.
4. Who receives your data (processors)
We use trusted service providers who process data on our behalf under data processing agreements:
- Supabase — authentication, database, and image storage (hosted in the EU where configured for our project)
- Vercel — website hosting and content delivery
Our servers may fetch public marketplace listing data (e.g. from eBay) to estimate catalog values. That process does not share your personal account data with those marketplaces.
We may disclose data if required by law, court order, or to protect the rights and safety of users and the public.
5. International transfers
Some processors may process data outside the European Economic Area (EEA). Where this occurs, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and/or adequacy decisions, as applicable to each provider.
6. How long we keep data
- Account and profile data: until you delete your account or ask us to erase it, plus a short period for backups and legal obligations.
- Collection and wishlist data: until deleted by you or with your account.
- Catalog suggestions and moderation logs: retained as long as needed for catalog integrity and audit purposes, typically even after a suggestion has been approved or rejected.
- Server and security logs: retained for a limited period necessary for security and troubleshooting.
7. Your rights under the GDPR
If you are in the EEA, UK, or Switzerland, you have the right to:
- Access — obtain a copy of your personal data
- Rectification — correct inaccurate data (e.g. in your profile)
- Erasure — request deletion of your account and associated data
- Restriction — ask us to limit processing in certain cases
- Data portability — receive data you provided in a structured, machine-readable format (e.g. via collection export)
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, without affecting prior lawful processing
To exercise these rights, email privacy@toyvault.app. We may need to verify your identity before responding. We aim to respond within one month.
You also have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is the Autoriteit Persoonsgegevens (AP), Netherlands.
8. Children
ToyVault is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.
9. Security
We use industry-standard measures including encrypted connections (HTTPS), access controls, and row-level security on stored data. No method of transmission or storage is 100% secure; please use a strong, unique password.
10. Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will change when we do. Material changes may be announced on the website. Continued use after changes means you accept the updated policy where permitted by law.