Who we are

The Identity Vault is operated by Kathryn Jones, doing business as The Identity Vault, based in the United States. We provide identity protection education, guided lockdown walkthroughs, and a community-sourced scam reporting platform. Throughout this policy, “we,” “us,” and “our” mean The Identity Vault.

Section 14 has our contact information for any privacy question.

What this policy covers

This policy describes how we collect, use, and protect information across:

• theidentityvault.com: our marketing website, blog, free resources, and Privacy Promise.
• app.theidentityvault.com: the platform itself, including the scam map, scam report submission, account dashboard, and paid walkthroughs.
• Email communications we send about your account, your walkthroughs, or scam alerts you’ve subscribed to.

This policy does not cover websites operated by other companies that we link to. We send you to credit bureaus, government agencies, and third-party services to complete certain steps. Each of those companies has its own privacy policy that governs what they collect.

Information we collect

We collect the smallest amount of information needed to operate the service. The categories below match the data categories defined under the California Consumer Privacy Act (CCPA).

Information you give us directly

• Account information: your email address and a password. Optionally, a first name for personalization.
• Purchase information: your name and billing address as required to process payment. Card details go directly to Stripe and never touch our servers (see Section 6).
• Phone verification status: if you verify a phone number, we store an encrypted hash that confirms verification happened. The number itself is not stored.
• Scam reports you submit: the scammer’s contact details, the type of scam, the location, and any narrative you choose to add. Do not include your own sensitive personal information in a scam report.
• Walkthrough progress: which steps you’ve marked complete in our paid walkthroughs.
• Encrypted vault contents: if you use the vault feature, your saved confirmation numbers and reference IDs are encrypted in your browser using a passphrase only you know. We store the encrypted blob. We cannot read it.
• Communications you send us: the content of emails or support requests you send.

Information collected automatically

• Anonymous analytics: aggregate page views and referrers via Plausible Analytics. Plausible does not use cookies and does not collect IP addresses or device fingerprints. See Section 10.
• Server logs: standard request logs (timestamp, requested URL, response code, user-agent) retained for up to 30 days for security and debugging. Email addresses appearing in logs are truncated.

Information from third parties

• Government scam data: our scam map ingests publicly available complaint data from sources such as the Consumer Financial Protection Bureau and the Federal Trade Commission. This data is about reported scammers, not about our users.
• Payment confirmations: Stripe sends us confirmation that a payment succeeded along with a session ID. We do not receive your full card number.

Information we never collect

The following categories of information are never collected, stored, or processed by The Identity Vault, regardless of which feature you use or which plan you purchase:

• Social Security numbers, in whole or in part.
• Credit card numbers, bank account numbers, or routing numbers (Stripe handles payment data; we never receive it).
• Credit reports or credit scores.
• Driver’s license numbers or passport numbers.
• Medical records or health insurance ID numbers.
• Passwords for any of your other accounts.
• Your home address or date of birth, except where billing requires it for a purchase.
• Biometric information of any kind.

This is not a list of things we promise to handle carefully. It is a list of things our systems are not built to receive. If you ever encounter a form on our platform asking for one of these, treat it as a sign that something is wrong. Contact us right away.

How we use your information

We use the information described in Section 3 only for the following purposes:

• Running the service: creating your account, delivering your purchased walkthroughs, saving your progress, and storing your encrypted vault.
• Processing payments: via Stripe, with the minimum information needed to complete the transaction.
• Communicating with you: account confirmations, password resets, receipts, scam alerts you’ve opted into, and replies to support requests.
• Improving the service: using anonymous, aggregate analytics that cannot identify individual users.
• Operating the scam map: displaying scam reports so the community can warn each other. Reports you submit are reviewed before they appear publicly.
• Meeting legal obligations: retaining tax-relevant purchase records, responding to lawful requests, and protecting against fraud or abuse of the service.

None of this information is used for behavioral advertising, profiling, or sale to third parties. We do not train artificial intelligence models on your personal information.

Service providers we use

We rely on a small number of carefully chosen service providers to operate the platform. Each one receives only the information needed to perform their specific function. We do not sell or rent your information to anyone, including these providers.

If we ever add or change a service provider in a way that affects how your information is handled, we will update this section. Members will get an email before the change takes effect.

Legal disclosures

We may disclose information if a valid legal process requires it, such as a court order or subpoena. We may also disclose information if we believe it is necessary to protect our rights, your safety, or the safety of others. Where the law allows, we will tell you before complying with such a request.

How we protect your information

• Encryption in transit: all pages on theidentityvault.com and app.theidentityvault.com use HTTPS with current TLS standards.
• Password protection: passwords are stored only as one-way hashes by Clerk. Nobody at The Identity Vault, including the founder, can read your password.
• Vault encryption: the vault feature encrypts your saved data in your browser using a passphrase only you know. We store the encrypted ciphertext and have no ability to decrypt it. If you lose your passphrase, your vault contents cannot be recovered.
• Phone number hashing: verified phone numbers are stored as one-way encrypted hashes, not as readable numbers.
• Minimum-data architecture: our systems are designed not to receive sensitive personal information at all. The strongest protection against a breach is to never collect the data.
• Regular reviews: we review our security practices on a recurring basis.

No system is perfectly secure. If a security incident ever affects your information, we will notify the affected members in line with applicable law.

How long we keep your information

• Account information: kept while your account is active. Deleted within 30 days after you close your account, with the exceptions noted below.
• Purchase records: kept for up to 7 years after the transaction in anonymized form, as required for tax and accounting compliance. Personal identifiers are removed when no longer needed.
• Walkthrough progress and encrypted vault contents: deleted within 30 days after you close your account.
• Scam reports: reports you submit may stay on the platform indefinitely as part of the public scam database. They are stored without identifying you as the submitter. To remove a report you submitted, email privacy@theidentityvault.com.
• Server logs: rotated and deleted within 30 days.
• Support communications: kept for up to 2 years to maintain a record of issues and how we resolved them.

Your privacy rights

Wherever you live, you have the following rights with respect to the information we hold about you:

• The right to know what information we have collected about you.
• The right to access a copy of that information in a portable format.
• Correction: you can ask us to fix inaccurate information.
• Deletion: you can ask us to delete your information, subject to limited exceptions for records we are legally required to keep.
• Opt-out: you can unsubscribe from any optional communications at any time.
• Non-discrimination: we will not refuse service, charge a different price, or downgrade your service because you exercised a privacy right.

To exercise any of these rights, email privacy@theidentityvault.com. We will verify your identity using your account email before fulfilling the request. Most responses go out within 45 days. There is no fee for processing a privacy request.

For California residents

The rights above satisfy our obligations under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under California law. There is no “Do Not Sell My Personal Information” link on our site because nothing is being sold.

For European Economic Area, UK, and Swiss residents

If you live in the EEA, the UK, or Switzerland, you also have the right to lodge a complaint with your local data protection authority. We process your information on four legal bases. Performance of a contract covers delivering the service you purchased. Legitimate interests covers operating and improving the service. Consent covers optional emails. Legal obligation covers our tax and accounting records.

Cookies and tracking

We use the smallest possible number of cookies to operate the service.

• Essential cookies: a session cookie set by Clerk after you log in, so the platform knows who you are as you navigate. This cookie is required for the service to function.
• No advertising cookies: we do not use Google Analytics, Meta Pixel, or any third-party advertising tracker.
• No fingerprinting: our analytics provider, Plausible, does not use cookies and does not fingerprint your browser.

Because we do not place tracking cookies, we do not display a cookie consent banner. If your browser sends a Global Privacy Control (GPC) signal, we honor it as a valid opt-out request.

Children’s privacy

The Identity Vault is intended for adults. We do not knowingly collect information from children under 16. If you believe a child has given us personal information, email privacy@theidentityvault.com and we will delete it promptly.

International users

The Identity Vault is operated from the United States. If you visit the service from outside the United States, your information will be transferred to and processed in the United States. By using the service, you consent to that transfer. The protections in this policy apply wherever you are.

Changes to this Privacy Policy

The Identity Vault Privacy Policy may change as our practices, services, or legal obligations evolve. When we make material changes, we will:

• Update the effective date at the bottom of this page.
• Post a notice on theidentityvault.com.
• Email registered members at least 14 days before the change takes effect.

If you keep using the service after a change takes effect, that means you accept the updated policy. If you do not agree, you can close your account at any time using the deletion process in Section 9.

How to contact us

For privacy questions, data requests, or anything else covered by this policy:

• Privacy and data requests: privacy@theidentityvault.com
• General inquiries and support: info@theidentityvault.com or support@theidentityvault.com

We aim to respond to all privacy inquiries within 5 business days. Formal data requests are handled within the legal deadlines that apply to you: 45 days under CCPA, 30 days under GDPR.