Privacy Policy

Last updated February 20, 2026

1. What We Collect and Why

We collect only what we need to provide and improve Exhale Vault. Here's the full list:

Account information. Your name and email address, which you provide when signing up. Your email is encrypted at rest in our database.

Vault contents. Everything you store in your vault — lists, items, collection items, documents, credentials, and contacts. All of this is encrypted at rest using field-level encryption. We never access your vault contents unless you explicitly ask us to for support purposes.

Photos and files. Photos of collection items, document attachments, and your avatar. These are stored on secure cloud servers in the United States and served through our application — never directly from the storage provider.

Coach messages. If you enable the AI Coach, your conversation messages are stored so the coach can maintain context across your session. See AI Coach & AI Providers for details on how these are processed.

Payment information. Payment is processed entirely by our payment provider. We never see, receive, or store your credit card number, CVV, or bank details for payment purposes. We store only a customer ID and billing email (encrypted at rest).

Usage information. We do not use any third-party analytics services. No tracking pixels, no usage analytics, nothing. We use standard server logs for debugging, and sensitive data (emails, IP addresses, names) is filtered out of those logs.

2. AI Coach & AI Providers

The AI Coach is an optional feature that helps you set up and manage your Exhale Vault. When you use it, your conversation messages are sent to external AI providers so the coach can respond. We carefully select providers who meet our standards for data handling and privacy.

What gets shared. When you chat with the coach, your recent messages are sent to our AI providers. If you've granted vault-level consent, the coach may also receive general information about your vault — like how many items you have or what your lists are called — so it can give you more relevant guidance.

What never gets shared. Your most sensitive data — document contents, saved credentials, banking details, billing information — is never sent to any AI provider, under any circumstances. We enforce this in our code, not just this policy.

No training on your data. We do not allow any AI provider to use your data to train their models. Your conversations are processed in real time and are not kept by providers afterward.

AI Coach features require your explicit consent before anything is shared. See Your Consent Choices for how that works.

3. Photo Identification

When you upload photos of collection items, they can be processed by AI to help identify and catalog them. This helps populate details like item name, description, and attributes.

Photos are sent to an external AI provider for identification. Only collection item photos are processed this way — not your avatar, not document attachments, and not any other files.

4. Third-Party Services

We use a small number of third-party services to run Exhale Vault. Here's what they do:

Payment processing. When you purchase a plan, you're taken to a secure hosted checkout page. Your card details are entered directly on the payment provider's page and never touch our servers.

File storage. All uploaded files (photos, documents, avatars) are stored on secure cloud servers in the United States. Files are served through our application, not directly from the storage provider, so access always requires authentication.

AI providers. External AI providers power the AI Coach and Photo Identification features described above. We do not allow any provider to train on your data.

Web fonts. Our pages load fonts from an external service. This means your browser makes requests to that service when loading pages. No cookies are set and we don't share any information about you.

5. Your Consent Choices

AI features in Exhale Vault are controlled by a three-tier consent model. You're always in control:

User Consent (master switch). This enables or disables all AI Coach features for your account. You can toggle this in your account settings or from the coach panel when it first appears. Turning it off immediately stops all AI processing of your conversations.

Vault Consent (per-vault). For each vault, you control whether the AI Coach can access vault data (item names, contact names, list names) to provide more contextual guidance. Three options:

  • Allow — the coach can reference your vault's structural and personal data.
  • Deny — the coach cannot access any vault data, regardless of other settings.
  • Case-by-case — you'll be prompted each coaching session (see below).

Case Consent (per-session). When a vault is set to "case-by-case," you'll see a prompt at the start of each coaching session asking whether the coach can access that vault's data for this session only.

You can change any of these settings at any time. Revocations take effect immediately. We preserve a record of when consent was granted and revoked for audit purposes.

6. Cookies & Sessions

Session cookie. We use a single session cookie to keep you logged in. It's HTTP-only (not accessible to JavaScript), marked as secure (only sent over HTTPS), and same-site.

Local storage. We store a small number of user experience preferences in your browser's local storage — things like whether panels are open or collapsed. No personal data is stored there.

No tracking cookies. We do not use third-party tracking cookies. We do not use any analytics platform. There are no advertising cookies, no social media tracking pixels, and no cross-site tracking of any kind.

Form protection. We use an invisible timestamp-based check on forms to prevent automated submissions. No third-party CAPTCHA service (like reCAPTCHA) is used.

7. Your Rights

You have the right to:

  • Access — request a copy of your personal data.
  • Correction — update inaccurate information at any time through your account settings.
  • Deletion — request deletion of your account and all associated data.
  • Portability — request your data in a portable format.
  • Withdraw consent — revoke AI processing consent at any time through your settings.
  • Complaint — file a complaint with your local data protection authority.

To exercise any of these rights, email us. We will respond within 30 days.

8. Data Retention & Deletion

Deleted items. When you delete items within your vault, they're soft-deleted (recoverable from trash) for 30 days, then permanently removed from the database.

Account deletion. When you delete your account, we immediately and permanently delete all your data: vaults, lists, items, documents, contacts, photos, conversations, and associated records. Uploaded files are removed from our storage servers within 30 days. This deletion is irreversible.

Consent records. We retain records of when consent was granted and revoked for legal compliance, even after account deletion.

AI Coach conversations. Conversations are deleted when the account is deleted.

9. How We Secure Your Data

We take the security of your data seriously. Here's a summary:

  • All personal data is encrypted at rest using field-level encryption.
  • All connections are encrypted in transit via HTTPS with HSTS enforcement.
  • Two-factor authentication (TOTP) is available for all accounts.
  • Credit card numbers never touch our servers — payment is handled entirely by our payment provider.
  • Uploaded files are stored on a private cloud server, accessible only through our authenticated application.

For full details on our security practices, see our Security Overview.

10. Location of Data

Our servers, database, and file storage are located in the United States. By using Exhale Vault, you consent to your data being processed and stored in the US.

If you are located in the European Union or other regions with data protection laws, please be aware that your data will be transferred to and processed in the US.

11. Changes to This Policy

When we make significant changes to this policy, we'll notify you by prompting you to accept the updated version on your next login. Minor clarifications (fixing a typo, rewording for clarity) may be made without notice.

The "last updated" date at the top of this page always reflects the most recent revision.

For details on our security practices, see our Security Overview. For our terms of use, see our Terms of Service. Questions? Email us.