Privacy Policy
Last updated: 7/10/2026
1. Introduction
This Privacy Policy explains how HitVault, LLC ("we," "our," or "us") collect, use, disclose, and safeguard your information when you use our website, services, and any other sub-domains or products. We are committed to protecting your privacy and personal information.
2. Information We Collect
2a. Personal Data
We and our service providers collect the Personal Data set forth below in order to provide our Site to you, or because we are legally required to do so. If you do not provide the Personal Data we request, we may not be able to provide you with our Site. The Personal Data we and our service providers collect includes but is not limited to:
- Account information (name, email address, password)
- Profile information, username, avatar
- Collection and inventory data
- Transaction information
- Shop order information (items purchased, order and purchase history, and the shipping/delivery address you provide at checkout)
- For guest checkout, the email address you provide to place and receive updates about an order, even if you do not create an account
- Communication preferences
- Shop mailing list information — if you join our shop mailing list (which you can do even if you do not have an account or place an order), we collect the email address you provide, your subscription status, and the source and time of your subscription and of any unsubscribe
When you make a purchase, your shipping address is collected on our behalf through Stripe's hosted checkout, and your payment card details are provided directly to Stripe. We do not receive or store your full payment card details; see Section 2c (Stripe) below.
2b. Non-Personal Data
We automatically collect certain non-personal data when you use HitVault, including device and usage information. This data may be gathered directly and through third-party service providers operating on our behalf. For example:
- Device information (e.g., IP address, browser type, operating system, device type, unique device identifiers, and mobile network information)
- Usage information (e.g., pages visited, time spent on the site, referring URLs, and usage of features)
2c. Third-Party Service Providers
To operate HitVault, we work with third-party service providers who may collect, process, or store data on our behalf. Each service provider is governed by its own privacy policy and is required to handle your data in accordance with applicable law and best practices.
-
Stripe — Payment Processing
We use Stripe, Inc. to securely process all payment transactions, including subscription payments and one-time shop purchases of physical goods and HitPoints™ top-ups. When you provide payment information, it is transmitted directly to Stripe and is not stored by HitVault. For shop orders, Stripe's hosted checkout also collects your shipping address on our behalf so that we can fulfill your order and, where sales tax must be collected on an order, calculates the applicable tax at checkout. Stripe may collect payment card details, billing and shipping address, transaction history, and fraud prevention signals as described in its privacy policy and PCI-DSS standards.
- Data handled: Payment card details, billing and shipping address, transaction and order records, tax calculation data, fraud signals
- Data location: Stripe's infrastructure (U.S. and international)
- Privacy policy: stripe.com/privacy
-
Google Analytics — Site Analytics
We use Google Analytics (Google LLC) to analyze usage of HitVault. Google Analytics collects aggregate data through cookies and similar technologies, such as IP address, browser type, pages visited, and session information. This helps us understand user behavior and improve our service. We do not use Google Analytics to personally identify you.
You may opt out by using the Google Analytics Opt-out Browser Add-on: tools.google.com/dlpage/gaoptout.- Data handled: IP address, device/browser info, usage behavior, session data
- Data location: Google's infrastructure (U.S. and international)
- Privacy policy: policies.google.com/privacy
-
DigitalOcean — Cloud Infrastructure and Data Storage
We use DigitalOcean, LLC to host HitVault's infrastructure and to store application data, including user account information and transactional records. DigitalOcean serves as a data processor; it does not use your data for its own purposes and provides security measures as described in Section 7 of this Policy.
- Data handled: Account data, profile data, transaction records, application data
- Data location: DigitalOcean data centers (U.S. regions unless otherwise configured)
- Privacy policy: digitalocean.com/legal/privacy-policy
-
Postmark — Transactional and Marketing Email
We use Postmark (Wildbit LLC, an ActiveCampaign company) to send transactional emails (such as confirmations, password resets, and notifications) and, if you have subscribed to our shop mailing list, marketing emails about shop products and promotions. When an email is sent, your email address and message content pass through Postmark’s U.S.-based infrastructure. Postmark also reports delivery outcomes back to us — including bounces, spam complaints, and unsubscribes made through Postmark's own mechanisms — which we use to maintain the mailing list and honor opt-outs. Postmark does not use your data for its own marketing.
- Data handled: Email address, email content, delivery/open metadata, bounce and spam-complaint signals
- Data location: Postmark infrastructure (U.S.)
- Privacy policy: activecampaign.com/legal/privacy-policy
2d. Changes to Service Providers
We may update or replace our third-party service providers from time to time. If these changes materially affect how your personal data is handled, we will update this section and notify you in accordance with Section 9 (Changes to This Policy) of this Privacy Policy.
3. How We Use Your Information
We use the information we collect to:
- Provide and maintain our services
- Process transactions
- Fulfill and ship your shop orders, and process related refunds, cancellations, and payment disputes
- Calculate, collect, and remit sales tax on purchases where we are required to do so
- Detect, prevent, and address fraud, abuse, and security issues
- Send you important updates and notifications
- Send you marketing emails about shop products and promotions, where you have subscribed to our shop mailing list or opted in at checkout; every marketing email includes an unsubscribe link
- Improve our services
- Comply with legal obligations
4. Information Sharing and Disclosure
We do not sell your personal information. We may share your information with:
- Service providers who assist in our operations
- Shipping and fulfillment carriers, to the extent needed to deliver your physical shop orders (for example, your name and shipping address)
- Legal authorities when required by law
- Business partners with your consent
5. Your Rights and Choices
You have the right to:
- Access your personal information
- Correct inaccurate information
- Request deletion of your information
- Opt-out of marketing communications
You can opt out of shop marketing emails at any time, whether or not you have an account, by: (1) clicking the unsubscribe link included in every marketing email we send; (2) turning off the shop mailing list toggle in your Account Settings, if you have an account; or (3) emailing us at support@hitvaulthq.com. Opting out of marketing emails does not stop transactional emails we need to send you, such as order confirmations, shipping updates, receipts, password resets, and account notices.
These rights also apply to information we hold about you if you placed a guest checkout order without creating an account. To exercise any of these rights, contact us at support@hitvaulthq.com with enough information for us to locate your account or order (for example, the email address you used at checkout). Please note that we may retain transaction, order, and tax records for the periods described in Section 9 (Data Retention) even after a deletion request.
6. California Privacy Rights (CCPA)
If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of Personal Data about you by HitVault, LLC to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to support@hitvaulthq.com:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to access your personal information
7. Children's Privacy (COPPA)
HitVault is intended solely for users who are 18 years of age or older. We do not knowingly collect, solicit, or retain personal information from children under 13 years old, and our site is not directed to children under 13. If you are under 13, please do not use or access this site, create an account, or provide any personal information to us.
If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete such information from our systems. If you believe that a child under 13 may have provided us with personal information, please contact us promptly at support@hitvaulthq.com.
Parents or guardians who believe their child under 13 has provided information to HitVault without consent may contact us at support@hitvaulthq.com to request a review and deletion of that information. Verified parental requests will be addressed within 30 days.
Because users must be 18 or older to use this site, HitVault does not offer any features directed at children between the ages of 13 and 17, nor do we knowingly collect personal information from minors in that age range. Any account found to belong to a user under 18 will be suspended and its data scheduled for deletion.
8. Data Security and Breach Notification
8a. Security Measures
HitVault implements robust technical and organizational measures to help safeguard your personal information against unauthorized access, alteration, disclosure, or destruction. Our security measures include:
- Encryption of data in transit using TLS (Transport Layer Security)
- Encryption of sensitive data at rest
- Access controls to limit employee and contractor access to personal data on a need-to-know basis
- Regular review of data collection, storage, and processing practices
- Use of vetted third-party service providers contractually obligated to maintain strong security standards
Please note: No method of transmission over the internet or electronic storage can be guaranteed 100% secure. While we use commercially reasonable means to protect your personal information, we cannot guarantee absolute security. In the event of a security incident, we will act promptly as described below.
8b. Breach Notification
In the event of a data breach affecting your personal information, HitVault will:
- Assess and contain the breach as quickly as reasonably practicable upon discovery.
- Notify affected users via email (using the address associated with your account) within 72 hours of confirming a breach that has impacted your personal data, where technically feasible. If direct email notification is not feasible within that period, a prominent notice will be posted on our website.
- Notify applicable state regulators as required by data breach notification laws of your state of residence. HitVault complies with all relevant U.S. state data breach statutes, including the Oregon Consumer Information Protection Act (ORS 646A.600 et seq.) and the California Consumer Privacy Act (Cal. Civ. Code § 1798.29).
- Provide breach details in our notification to you, including—where known—the nature of the breach, categories of personal information affected, steps we have taken to address the breach, and recommended actions you can take to protect yourself.
If you believe your account or personal information has been compromised, please contact us immediately at security@hitvaulthq.com.
9. Data Retention
9a. General Retention Principles
We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, to provide our services to you, and to comply with our legal obligations. When personal information is no longer needed, we take reasonable steps to securely delete or anonymize it.
9b. Retention Periods by Data Type
| Data Type | Retention Period |
|---|---|
| Account information (name, email, password) | Duration of account, plus 30 days following account deletion to allow for recovery requests |
| Profile information (username, avatar) | Duration of account, deleted within 30 days of account closure |
| Transaction and financial records | 7 years from the date of the transaction, in compliance with U.S. tax and financial recordkeeping obligations |
| Shop order and fulfillment records (items purchased, order history, tax records) | 7 years from the date of the order, in compliance with U.S. tax and financial recordkeeping obligations |
| Shipping/delivery address provided at checkout | Retained with the associated order record; retained for the order-record period above to support delivery, returns, and recordkeeping |
| Shop mailing list records (email address, consent status, subscribe/unsubscribe dates, subscription source) | While you remain subscribed; after you unsubscribe (or after a hard bounce or spam complaint), your email address and opt-out status are retained on a suppression list so that we continue to honor your opt-out and do not email you again |
| Marketing email send records (which campaigns were sent to which subscribers, delivery outcome) | 3 years from the date of the send, to demonstrate consent and compliance with email marketing laws |
| HitPoints balance and history | Duration of account; forfeited and deleted upon account closure |
| Giveaway entry records | 1 year following the conclusion of the relevant giveaway, or as required by applicable law |
| Communications with support | 3 years from the date of the last communication |
| Device and usage data (non-personal) | 13 months on a rolling basis |
| Legal hold data | Indefinitely, until the applicable legal matter is resolved |
9c. Account Deletion and Data Erasure
When you request deletion of your account, we will initiate deletion of your personal information within 30 days of receiving your verified request, subject to the following exceptions:
- Legal obligations: We may retain certain information where required to do so by applicable law, regulation, or legal process, including tax and financial recordkeeping requirements.
- Dispute resolution: We may retain information necessary to resolve an open dispute, enforce our Terms of Use, or protect the rights and safety of HitVault or its users.
- Legitimate business interests: Anonymized or aggregated data that cannot reasonably be used to identify you may be retained indefinitely for analytics and service improvement purposes.
- Marketing suppression: If you have unsubscribed from our shop mailing list (or your address was suppressed following a bounce or spam complaint), we retain your email address and opt-out status on a suppression list even after account deletion, so that we continue to honor your opt-out and do not email you again.
To request deletion of your account and associated personal data, contact us at support@hitvaulthq.com with the subject line "Account Deletion Request." We will respond to verified requests within 30 days.
9d. HitPoints and Giveaway Entries Upon Account Closure
Upon account deletion, all HitPoints balances and active giveaway entries associated with your account will be permanently forfeited and are not recoverable. If you have an active giveaway entry at the time your account is deleted, that entry will be voided. We recommend redeeming or reviewing any outstanding HitPoints activity before submitting a deletion request.
10. Modifications to This Policy
10a. Right to Modify
HitVault reserves the right to revise, update, or replace this Privacy Policy at any time. All changes become effective upon posting to this page unless a later effective date is specified. Your continued use of the service following the posting of the revised Privacy Policy constitutes your acceptance of those changes.
10b. Notice of Material Changes
For changes that we determine, in our reasonable judgment, to be material—including changes that affect your rights, how your personal data is handled, or the core features of the site—we will provide advance notice by:
- Sending an email notification to the address associated with your account at least 30 days before the changes take effect
- Posting a prominent notice on the HitVault website for the duration of the notice period
- Where required by applicable law, obtaining your affirmative re-acknowledgment of the updated terms before you continue using the service
10c. What Constitutes a Material Change
For purposes of this section, material changes include but are not limited to:
- Changes to the categories of personal data we collect about you
- Changes to the purposes for which we use your personal data
- Changes to how long we retain your personal data
- The addition of new third-party service providers who will access or process your personal data
- Changes to how or whether we share your personal data with third parties
- Changes to your rights regarding your personal data, including access, correction, or deletion rights
- Changes to our security practices that reduce the level of protection applied to your personal data
- Changes to the categories of sensitive data we collect, including financial or payment-related data
- Changes to how we respond to legal requests for your data from law enforcement or regulatory authorities
- Changes to the minimum age requirement for use of the service
- Changes to the contact information for our designated privacy or security contacts
- Any change that would require fresh consent under applicable law
10d. Non-Material Changes
We may make non-material changes—such as corrections to typographical errors, clarifications that do not alter the substance of any provision, or updates to contact information—without advance notice and without those changes constituting a material modification. The "Last updated" date at the top of this page will be updated to reflect any change, material or otherwise.
10e. Rejection of Changes
If you do not agree with a material change, you may close your account before the effective date of the change in accordance with the voluntary termination procedure described in Section 10a of the Terms of Use. Continued use of the service after the effective date of any change constitutes your acceptance of the revised policy.
11. Contact Us
If you have any questions about this Privacy Policy, please contact us at: