Legal

Privacy Policy

Last updated 7 June 2026 · Effective immediately

The short version: Your travel history never leaves your device. It is encrypted on your phone and we cannot read it. The only personal data we ever receive is the email address (and optional phone number) you choose to give us for updates, plus what Apple shares with us when you subscribe. That's it.

Who we are
What data we collect — and what we don't
How we use it & our legal bases
Who we share it with
How long we keep it
Your rights
International transfers
Security
Children
Changes & contact

1. Who we are

Stay Vault Days is a product operated by Vaitly Ltd, a company registered in England & Wales (company number 16814185), registered office Mill House Penrhos Farm, Nantgarw, Cardiff, Wales, CF15 7UN. For the purposes of the UK GDPR and the EU GDPR, Vaitly Ltd is the data controller for the limited personal data described below. You can contact us at [email protected].

2. What data we collect — and what we don't

Travel data stays on your device (we never receive it)

The trips, day logs, counters and settings you create in the app are stored only on your device, encrypted at rest with AES-256. We operate no server that receives, stores, or can read your travel history. If you enable on-device location logging or photo import, that processing happens entirely on your device and the results stay there.

If you choose to make an encrypted backup, or to open your vault in our web tool, the file is encrypted with a passphrase only you hold. Where a backup file passes through any storage you select (for example your own iCloud Drive, Google Drive or Dropbox), it is ciphertext we cannot decrypt.

Data we do receive

Marketing / account contact details (optional): if you provide them, your email address and (optionally) phone number, plus your stated country of residence and the device platform/app version, so we can send you product updates and early-access information.
Subscription data from Apple: when you start a free trial or subscribe, Apple processes your payment and we receive Apple's confirmation that a subscription/entitlement is active, plus the anonymised, aggregated sales analytics Apple provides to every developer in App Store Connect. We never see your full payment card details. Your entitlement status is stored on your device — we operate no account system or server for it.
Support correspondence: if you email us, we keep that message and your contact details to reply.

We do not collect your travel history, your location, your photos, advertising identifiers, or run third-party advertising/tracking SDKs.

3. How we use it & our legal bases

To send updates you asked for — legal basis: your consent (UK/EU GDPR Art. 6(1)(a)). You can withdraw it any time.
To provide and manage your subscription — legal basis: performance of a contract (Art. 6(1)(b)).
To respond to support requests and keep the service secure and working — legal basis: our legitimate interests (Art. 6(1)(f)).

We share the limited data above only with service providers acting on our instructions, namely:

Apple — App Store distribution and subscription billing.
Google Firebase (Firestore) — to store the optional marketing contact details you submit.

We do not sell your personal data, and we never share your travel history because we do not have it.

5. How long we keep it

We keep marketing contact details until you unsubscribe or ask us to delete them. Subscription records are kept as long as required for accounting and tax purposes. On-device data is controlled entirely by you and is removed when you erase the vault or uninstall the app.

6. Your rights

Under the UK/EU GDPR you have the right to access, correct, delete, restrict or object to our processing of your personal data, and to data portability. Because your travel data lives only on your device, you already hold and control it directly. To exercise any right over data we hold (your contact details), email [email protected]. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

7. International transfers

Our service providers may process the limited contact/subscription data outside the UK/EEA (for example in the United States). Where they do, the transfer is protected by appropriate safeguards such as the UK International Data Transfer Addendum or the EU Standard Contractual Clauses. Your travel data is not transferred anywhere because it never leaves your device.

8. Security

Travel data is encrypted on your device with AES-256; the encryption key is held in the device's secure keychain/keystore. Encrypted backups use PBKDF2-derived keys with AES-256-GCM and a passphrase only you know — if you lose it, the data cannot be recovered by anyone, including us. Data in transit to our service providers is protected with TLS.

9. Children

Stay Vault Days is intended for adults managing their own residency and is not directed at children under 16. We do not knowingly collect data from children.

10. Changes & contact

We may update this policy; we'll change the "last updated" date above and, for material changes, notify you in-app or by email. Questions or requests: [email protected], or by post to Vaitly Ltd, Mill House Penrhos Farm, Nantgarw, Cardiff, Wales, CF15 7UN.