Skip to content

Privacy Policy

Last updated: 3 April 2026 · Operator: Vault — not a registered legal entity (no commercial registration)

1. Who we are

Vault operates this website and online shop. References to "we", "us", and "our" mean Vault in that capacity. Vault is not registered as a company, commercial enterprise, or other separate legal entity for this activity in Lebanon. We therefore do not have a commercial registration number, registered company name, or registered business address to publish here; use the privacy contact below to reach us.

Privacy contact: vault-lebanon@hotmail.com

Use this contact for access, correction, deletion, and other privacy requests described in Your rights. We may ask you to verify your identity before acting on a request. We respond within a reasonable time, subject to legal limits on what we can delete or change (for example finalized transaction records we are allowed to keep in anonymized form).

2. Lebanese law and your consent

This policy is designed to align with Law No. 81/2018 (Electronic Transactions and Personal Data) and the Consumer Protection Law of Lebanon, among other applicable rules. Nothing here limits any stronger right you may have under local law.

Legal basis — explicit consent: By using this website (including browsing with cookies or similar technologies where applicable) and/or placing an order, you provide explicit consent to the collection and processing of your personal data as described in this Privacy Policy. If you do not agree, please do not use the site or submit an order.

3. Returns, cancellation, and the 10-day rule

Under Lebanese consumer protection rules, you may have a right to cancel or return certain purchases within a statutory period (often discussed as 10 days for distance contracts — see our Terms of Service for the conditions that apply to Vault).

If you exercise that right, we will process the personal data needed to handle your cancellation, return, refund, or exchange (for example order references, contact details, delivery information, and records of the goods). That processing is part of fulfilling our legal and contractual obligations. Details also appear in our Terms of Service.

4. Data we collect

Account and authentication (Clerk). We use Clerk as our authentication provider. Clerk processes data such as your account identifier, email address, session and security data, and, depending on what you provide, your name or profile image. See Clerk's privacy policy.

Orders and order history. When you checkout we collect what you submit: name, phone number, delivery address (including at least address line and city), and for guest orders an email address where applicable. We store each order's reference, line items (products, sizes, quantities, prices at purchase), amounts (subtotal, discounts, shipping, total), payment method (e.g. cash on delivery), promotional code usage where relevant, timestamps, and a link to your Clerk user ID when you are signed in. Together, these records form your order history in our systems (what you bought, when, and for how much), linked to you when you use an account or identified by the contact details you gave as a guest.

Wishlist. For signed-in users we store your user ID and the product IDs you save.

Security and audit logs. We may record technical and administrative events, including user identifiers where relevant, IP addresses, timestamps, and structured details (sometimes including email in security or account-deletion workflows).

Transactional email (Resend). We use Resend to send transactional emails, including order confirmations. Resend receives the recipient address and the content of those messages.

Locale, currency, and storefront preferences. Your language/locale is reflected in the site URL (e.g. /en, /fr, /ar) and may be supported by cookies used for internationalization. Your preferred storefront (e.g. streetwear vs classic) may be stored in a cookie to keep routing consistent. Your display currency preference (USD, EUR, or LBP) is stored in your browser's local storage so prices stay consistent between visits (this is not a server-side profile).

Guest wishlist. Before you sign in, product IDs may be kept in browser local storage and merged into your account wishlist after login.

Other cookies. We use cookies for sign-in sessions (Clerk), short-lived HttpOnly cookies for guest order activation where that flow is used, and admin-only cookies for staff.

Rate limiting. When configured, we use Upstash Redis to limit abuse; this can involve processing IP addresses and operation-specific keys.

Hosting. The application is hosted on Vercel, which processes typical request metadata and logs. Our database and media storage providers process data needed to run the shop.

5. International transfers

Your data may be processed on servers located outside of Lebanon (for example in the European Union, the United States, or other regions) by Vault and by our subprocessors, including Vercel, Clerk, Resend, and Upstash (when used), as well as our database and file-storage providers. Those transfers are carried out to operate the service; subprocessors' own terms and privacy notices apply to their processing.

6. Why we use your data

We process personal data to operate accounts and sign-in, process and deliver orders, send transactional emails, provide wishlists and promotions, support guest-to-account linking where offered, secure the site (including rate limits and audit logs), and comply with legal, tax, and consumer-protection obligations.

7. Your rights

Subject to Law No. 81/2018, the Consumer Protection Law, and other applicable Lebanese rules, you may have the following rights in relation to your personal data (some overlap with how we operate in practice):

  • Access: request a copy of or information about the personal data we hold about you, including order-related data and account data processed by us (Clerk holds authentication data under its own policy).
  • Rectification (correction): request correction of inaccurate or incomplete data we control (for example contact details on a recent order, where still editable under our processes).
  • Erasure / anonymization: request deletion or anonymization where the law allows. Signed-in users can trigger a large part of this through Delete My Account & Personal Data in account settings (see §9). Guests should email the privacy contact in §1 with enough detail to locate the order (e.g. order number and checkout email). We may retain anonymized transaction records where permitted.
  • Withdraw consent: where processing is based on your consent (see §2), you may withdraw it; withdrawing may mean you cannot use certain features (for example checkout or an account) if processing is necessary to provide them.
  • Object or restrict: where applicable law gives you the right to object to certain processing or to request restriction, you may contact us at the privacy address in §1 and we will respond in line with the law.
  • Complaints: you may lodge a complaint with a competent supervisory authority or court in Lebanon if you believe your rights have been infringed, without prejudice to any other remedy.

8. Security

We have implemented appropriate technical and organizational measures intended to protect personal data against unauthorized access, accidental loss, and misuse. No method of transmission or storage is completely secure; we work to keep safeguards consistent with the nature of the data and the risks involved.

9. Retention and account deletion

We keep data only as long as needed for the purposes above and to meet legal or accounting requirements. When you use Delete My Account & Personal Data in your account / privacy settings, we delete your wishlist, remove your link to past orders, and anonymize personal fields on orders that were tied to your account (for example name, phone, address lines, and guest email replaced with non-identifying placeholders) while retaining the underlying transaction record (amounts, items, order reference) where we need it for business, tax, or legal reasons. We also redact your identifiers in audit logs where applicable and delete your user record with Clerk. Clerk may retain certain data for a period under its own retention and backup practices.

Guests without an account should contact us (see above) to discuss access, correction, or anonymization of checkout data, subject to what the law allows us to retain.

10. Subprocessors

We rely on service providers including Clerk (authentication), Resend (transactional email), Vercel (hosting), Upstash (rate limiting when configured), and our database and object storage vendors. We share only what is needed for their services.

11. Changes

We may update this policy from time to time. The "Last updated" date at the top will change when we do. Material changes may be highlighted on the site where appropriate.

This document is provided for transparency and does not constitute legal advice. Have a qualified adviser review it for your specific situation under Lebanese and any other applicable law.