Privacy Policy

Last updated: 3 April 2026 · Terms and Conditions · PullVault, Sydney NSW Australia · hello@pullvault.app

PullVault ('we', 'us', 'our') is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and disclose your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By accessing or using the PullVault platform (including our website at www.pullvault.app, our web application, and any associated mobile applications), you consent to the practices described in this policy.

We may collect the following categories of personal information:

• ▸Identity information: display name, email address, and profile details you provide.
• ▸Account credentials: email address and hashed password (we never store plain-text passwords).
• ▸Collection data: card names, set information, condition grades, estimated values, and card images you upload.
• ▸Usage data: pages visited, features used, scan history, and interaction logs.
• ▸Payment information: billing details processed by Stripe. We do not store full card numbers.
• ▸Communications: messages and support enquiries you send to us.
• ▸Device and technical data: IP address, browser type, device identifiers, and cookies.

• ▸Directly from you when you register an account, update your profile, scan cards, or contact support.
• ▸Automatically through cookies, analytics tools, and server logs when you use the Platform.
• ▸From third-party services such as Supabase (authentication), Stripe (payments), and Vercel (hosting).

We use your personal information to:

• ▸Provide, operate, and improve the PullVault services.
• ▸Process your subscription payments and manage your account.
• ▸Identify and authenticate you when you log in.
• ▸Analyse card images using AI to identify cards, assess condition, and estimate value.
• ▸Send transactional communications (account confirmations, password resets, billing receipts).
• ▸Respond to your support enquiries.
• ▸Monitor for fraud, abuse, and security threats.
• ▸Comply with our legal obligations under Australian law.
• ▸Conduct internal analytics to improve our product.

We will only use your personal information for the purposes for which it was collected, or purposes reasonably expected by you, unless you have consented to another use or we are required by law.

We may share your personal information with:

• ▸Supabase (Supabase Inc.) — database and authentication services. Supabase stores data on AWS in us-east-1 by default.
• ▸Stripe (Stripe Inc.) — payment processing. Stripe is PCI-DSS compliant.
• ▸Vercel (Vercel Inc.) — hosting and serverless functions.
• ▸Anthropic (Anthropic PBC) — AI image analysis. Card images are transmitted to Anthropic's API for identification.
• ▸TCGPlayer / Pokémon TCG API — pricing and card metadata lookups.
• ▸Law enforcement or regulatory bodies — where required by law or to protect our legal rights.

We do not sell your personal information to third parties. We do not use your personal information for targeted advertising.

Some of our third-party service providers are located outside Australia, including in the United States. By using the Platform, you consent to the transfer of your personal information to these overseas recipients. We take reasonable steps to ensure those recipients handle your information consistently with Australian privacy law.

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Measures include: • Encrypted storage of passwords using industry-standard hashing • HTTPS encryption for all data in transit • Role-based access controls on our database • Regular security reviews of our service providers No method of transmission over the internet is 100% secure. You should take care to protect your account credentials.

We retain your personal information for as long as your account is active or as needed to provide the Services. If you delete your account, we will delete your personal data within a reasonable period, except where we are required to retain it by law (for example, financial records may be retained for up to 7 years under Australian tax law).

We use cookies and similar technologies to maintain your session, remember your preferences, and analyse usage patterns. You can control cookies through your browser settings, but disabling cookies may affect the functionality of the Platform. We do not use third-party advertising cookies.

Under the Australian Privacy Principles, you have the right to:

• ▸Access the personal information we hold about you.
• ▸Request correction of inaccurate or out-of-date information.
• ▸Request deletion of your personal information (subject to legal obligations).
• ▸Complain about our handling of your personal information.
• ▸Opt out of direct marketing communications.

To exercise these rights, please contact us at hello@pullvault.app. We will respond within 30 days.

The Platform is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information without parental consent, please contact us and we will delete it.

If you have a complaint about how we have handled your personal information, please contact us first at hello@pullvault.app. We will attempt to resolve your complaint within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the 'Last updated' date. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

PullVault Sydney, New South Wales, Australia Email: hello@pullvault.app Website: www.pullvault.app

© 2026 PullVault · Sydney, NSW, Australia · hello@pullvault.app