Skip to content
HitVault

Privacy Policy

Last updated: 4/4/2026

1. Introduction

This Privacy Policy explains how HitVault, LLC ("we," "our," or "us") collect, use, disclose, and safeguard your information when you use our website, services, and any other sub-domains or products. We are committed to protecting your privacy and personal information.

2. Information We Collect

2a. Personal Data

We and our service providers collect the Personal Data set forth below in order to provide our Site to you, or because we are legally required to do so. If you do not provide the Personal Data we request, we may not be able to provide you with our Site. The Personal Data we and our service providers collect includes but is not limited to:

  • Account information (name, email address, password)
  • Profile information, username, avatar
  • Collection and inventory data
  • Transaction information
  • Communication preferences

2b. Non-Personal Data

We automatically collect certain non-personal data when you use HitVault, including device and usage information. This data may be gathered directly and through third-party service providers operating on our behalf. For example:

  • Device information (e.g., IP address, browser type, operating system, device type, unique device identifiers, and mobile network information)
  • Usage information (e.g., pages visited, time spent on the site, referring URLs, and usage of features)

2c. Third-Party Service Providers

To operate HitVault, we work with third-party service providers who may collect, process, or store data on our behalf. Each service provider is governed by its own privacy policy and is required to handle your data in accordance with applicable law and best practices.

  • Stripe — Payment Processing

    We use Stripe, Inc. to securely process all payment transactions. When you provide payment information, it is transmitted directly to Stripe and is not stored by HitVault. Stripe may collect payment card details, billing address, transaction history, and fraud prevention signals as described in its privacy policy and PCI-DSS standards.

    • Data handled: Payment card details, billing address, transaction records, fraud signals
    • Data location: Stripe's infrastructure (U.S. and international)
    • Privacy policy: stripe.com/privacy
  • Google Analytics — Site Analytics

    We use Google Analytics (Google LLC) to analyze usage of HitVault. Google Analytics collects aggregate data through cookies and similar technologies, such as IP address, browser type, pages visited, and session information. This helps us understand user behavior and improve our service. We do not use Google Analytics to personally identify you.
    You may opt out by using the Google Analytics Opt-out Browser Add-on: tools.google.com/dlpage/gaoptout.

    • Data handled: IP address, device/browser info, usage behavior, session data
    • Data location: Google's infrastructure (U.S. and international)
    • Privacy policy: policies.google.com/privacy
  • DigitalOcean — Cloud Infrastructure and Data Storage

    We use DigitalOcean, LLC to host HitVault's infrastructure and to store application data, including user account information and transactional records. DigitalOcean serves as a data processor; it does not use your data for its own purposes and provides security measures as described in Section 7 of this Policy.

    • Data handled: Account data, profile data, transaction records, application data
    • Data location: DigitalOcean data centers (U.S. regions unless otherwise configured)
    • Privacy policy: digitalocean.com/legal/privacy-policy
  • Postmark — Transactional Email

    We use Postmark (Wildbit LLC, an ActiveCampaign company) to send transactional emails (such as confirmations, password resets, and notifications). When an email is sent, your email address and message content pass through Postmark’s U.S.-based infrastructure. Postmark does not use your data for its own marketing.

    • Data handled: Email address, email content, delivery/open metadata
    • Data location: Postmark infrastructure (U.S.)
    • Privacy policy: postmarkapp.com/privacy-policy

2d. Changes to Service Providers

We may update or replace our third-party service providers from time to time. If these changes materially affect how your personal data is handled, we will update this section and notify you in accordance with Section 9 (Changes to This Policy) of this Privacy Policy.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our services
  • Process transactions
  • Send you important updates and notifications
  • Improve our services
  • Comply with legal obligations

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information with:

  • Service providers who assist in our operations
  • Legal authorities when required by law
  • Business partners with your consent

5. Your Rights and Choices

You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Request deletion of your information
  • Opt-out of marketing communications

6. California Privacy Rights (CCPA)

If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of Personal Data about you by HitVault, LLC to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to support@hitvaulthq.com:

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to access your personal information

7. Children's Privacy (COPPA)

HitVault is intended solely for users who are 18 years of age or older. We do not knowingly collect, solicit, or retain personal information from children under 13 years old, and our site is not directed to children under 13. If you are under 13, please do not use or access this site, create an account, or provide any personal information to us.

If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete such information from our systems. If you believe that a child under 13 may have provided us with personal information, please contact us promptly at support@hitvaulthq.com.

Parents or guardians who believe their child under 13 has provided information to HitVault without consent may contact us at support@hitvaulthq.com to request a review and deletion of that information. Verified parental requests will be addressed within 30 days.

Because users must be 18 or older to use this site, HitVault does not offer any features directed at children between the ages of 13 and 17, nor do we knowingly collect personal information from minors in that age range. Any account found to belong to a user under 18 will be suspended and its data scheduled for deletion.

8. Data Security and Breach Notification

8a. Security Measures

HitVault implements robust technical and organizational measures to help safeguard your personal information against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

  • Encryption of data in transit using TLS (Transport Layer Security)
  • Encryption of sensitive data at rest
  • Access controls to limit employee and contractor access to personal data on a need-to-know basis
  • Regular review of data collection, storage, and processing practices
  • Use of vetted third-party service providers contractually obligated to maintain strong security standards

Please note: No method of transmission over the internet or electronic storage can be guaranteed 100% secure. While we use commercially reasonable means to protect your personal information, we cannot guarantee absolute security. In the event of a security incident, we will act promptly as described below.

8b. Breach Notification

In the event of a data breach affecting your personal information, HitVault will:

  • Assess and contain the breach as quickly as reasonably practicable upon discovery.
  • Notify affected users via email (using the address associated with your account) within 72 hours of confirming a breach that has impacted your personal data, where technically feasible. If direct email notification is not feasible within that period, a prominent notice will be posted on our website.
  • Notify applicable state regulators as required by data breach notification laws of your state of residence. HitVault complies with all relevant U.S. state data breach statutes, including the Oregon Consumer Information Protection Act (ORS 646A.600 et seq.) and the California Consumer Privacy Act (Cal. Civ. Code § 1798.29).
  • Provide breach details in our notification to you, including—where known—the nature of the breach, categories of personal information affected, steps we have taken to address the breach, and recommended actions you can take to protect yourself.

If you believe your account or personal information has been compromised, please contact us immediately at security@hitvaulthq.com.

9. Data Retention

9a. General Retention Principles

We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, to provide our services to you, and to comply with our legal obligations. When personal information is no longer needed, we take reasonable steps to securely delete or anonymize it.

9b. Retention Periods by Data Type

Data Type Retention Period
Account information (name, email, password) Duration of account, plus 30 days following account deletion to allow for recovery requests
Profile information (username, avatar) Duration of account, deleted within 30 days of account closure
Transaction and financial records 7 years from the date of the transaction, in compliance with U.S. tax and financial recordkeeping obligations
HitPoints balance and history Duration of account; forfeited and deleted upon account closure
Giveaway entry records 1 year following the conclusion of the relevant giveaway, or as required by applicable law
Communications with support 3 years from the date of the last communication
Device and usage data (non-personal) 13 months on a rolling basis
Legal hold data Indefinitely, until the applicable legal matter is resolved

9c. Account Deletion and Data Erasure

When you request deletion of your account, we will initiate deletion of your personal information within 30 days of receiving your verified request, subject to the following exceptions:

  • Legal obligations: We may retain certain information where required to do so by applicable law, regulation, or legal process, including tax and financial recordkeeping requirements.
  • Dispute resolution: We may retain information necessary to resolve an open dispute, enforce our Terms of Use, or protect the rights and safety of HitVault or its users.
  • Legitimate business interests: Anonymized or aggregated data that cannot reasonably be used to identify you may be retained indefinitely for analytics and service improvement purposes.

To request deletion of your account and associated personal data, contact us at support@hitvaulthq.com with the subject line "Account Deletion Request." We will respond to verified requests within 30 days.

9d. HitPoints and Giveaway Entries Upon Account Closure

Upon account deletion, all HitPoints balances and active giveaway entries associated with your account will be permanently forfeited and are not recoverable. If you have an active giveaway entry at the time your account is deleted, that entry will be voided. We recommend redeeming or reviewing any outstanding HitPoints activity before submitting a deletion request.

10. Modifications to This Policy

10a. Right to Modify

HitVault reserves the right to revise, update, or replace this Privacy Policy at any time. All changes become effective upon posting to this page unless a later effective date is specified. Your continued use of the service following the posting of the revised Privacy Policy constitutes your acceptance of those changes.

10b. Notice of Material Changes

For changes that we determine, in our reasonable judgment, to be material—including changes that affect your rights, how your personal data is handled, or the core features of the site—we will provide advance notice by:

  • Sending an email notification to the address associated with your account at least 30 days before the changes take effect
  • Posting a prominent notice on the HitVault website for the duration of the notice period
  • Where required by applicable law, obtaining your affirmative re-acknowledgment of the updated terms before you continue using the service

10c. What Constitutes a Material Change

For purposes of this section, material changes include but are not limited to:

  • Changes to the categories of personal data we collect about you
  • Changes to the purposes for which we use your personal data
  • Changes to how long we retain your personal data
  • The addition of new third-party service providers who will access or process your personal data
  • Changes to how or whether we share your personal data with third parties
  • Changes to your rights regarding your personal data, including access, correction, or deletion rights
  • Changes to our security practices that reduce the level of protection applied to your personal data
  • Changes to the categories of sensitive data we collect, including financial or payment-related data
  • Changes to how we respond to legal requests for your data from law enforcement or regulatory authorities
  • Changes to the minimum age requirement for use of the service
  • Changes to the contact information for our designated privacy or security contacts
  • Any change that would require fresh consent under applicable law

10d. Non-Material Changes

We may make non-material changes—such as corrections to typographical errors, clarifications that do not alter the substance of any provision, or updates to contact information—without advance notice and without those changes constituting a material modification. The "Last updated" date at the top of this page will be updated to reflect any change, material or otherwise.

10e. Rejection of Changes

If you do not agree with a material change, you may close your account before the effective date of the change in accordance with the voluntary termination procedure described in Section 6a of the Terms of Use. Continued use of the service after the effective date of any change constitutes your acceptance of the revised policy.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

support@hitvaulthq.com