What we store, and what we don't.

This policy covers personal data we collect through theprodvault.com ("the site"). The operator of the site is the data controller. Contact for any privacy request: hi@theprodvault.com.

What we collect

• Drop subscriptions. If you subscribe to the weekly drop we store your email, the date you subscribed, and the page you came from.
• Studio accounts. If you create a Studio account we store your email, a hashed password, and an authenticated session cookie (HTTP-only, SameSite=Lax). We also keep your active subscription state.
• Orders. When you buy a pack or subscription we store the order ID, your email, the items purchased, the amount, and the country reported by the payment processor. We never see or store your card number.
• Product analytics. Aggregate page views, clicks, and feature usage via PostHog (see "Cookies" below). We do not buy or join external profile data.
• Server logs. Cloudflare records request metadata (IP, user agent, timestamp) for abuse prevention and debugging. We retain logs for 30 days.

Who processes it

• Cloudflare — hosting, edge cache, DNS, database (D1), file storage (R2), session storage (KV).
• Polar — payments and subscription billing. Card data goes directly to Polar / its underlying processor; we receive only the order metadata above.
• Resend — transactional and weekly drop email.
• PostHog — product analytics. Configured to run on our domain so analytics requests don't leave the site origin.

Each processor has its own privacy policy. We share only what's necessary to deliver the site, fulfil orders, and prevent fraud. We do not sell personal data and we do not use it for third-party advertising or retargeting.

Cookies

• Authentication. A session cookie (tpv.*) is set when you sign in to a Studio account. Required for the account to work.
• Cart. A small cookie holds your in-progress cart so it survives page reloads.
• Analytics. PostHog sets a cookie to attribute repeat visits to the same anonymous device. No third-party ad cookies are set.

How long we keep it

• Drop subscriber list: until you unsubscribe.
• Studio account + subscription history: while the account is open, then deleted on request.
• Orders: 7 years (tax and accounting records).
• Server logs: 30 days.
• Analytics events: 12 months, then aggregated.

Your rights

You can request access to your data, correction of anything wrong, export in a portable format, or full deletion. The drop list also has a one-click unsubscribe link in every email. To exercise any of the above, email hi@theprodvault.com from the address on file. We respond within 30 days. If you're in the EU/UK you also have the right to lodge a complaint with your local data protection authority.

Children

The site is not directed to children under 13 (under 16 in the EU). We don't knowingly collect data from children. If you believe a child has signed up, email us and we'll delete the record.

Changes

Material changes to this policy are reflected here with a new "last updated" date. Continuing to use the site after a change means you accept the updated policy. See also our terms.

Last updated: 2026-04-24