Total Vault
Effective May 21, 2026

Privacy Policy

Total Vault (the “Service”) is operated by Total Weddings (“we”, “us”). This page describes what we collect about you, how we use it, and the choices you have.

In plain English
We store your wedding files and the minimum metadata needed to make them searchable and verifiable. We don’t sell your data, we don’t train AI models on your photos, and we never look inside a file unless you ask us to (for example, to generate a thumbnail or auto-rename it).

1. Who this applies to

This policy covers anyone who signs in to or uploads files through Total Vault. If you’re a photographer’s second shooter or wedding couple using a scoped upload link, the customer who invited you is the controller of the resulting data; we process it on their behalf under the same protections described here.

2. What we collect

We collect three categories of information:

Account information. Your email address (used as your identifier), your role within an organization, the date you joined, and timestamps recording when you last signed in.

Content you upload. The files you put in Total Vault — photos, videos, RAWs, and anything else you choose to store — along with their filenames, sizes, MIME types, and any embedded metadata (EXIF, capture time, camera, lens, ISO, GPS). We also keep a SHA-256 hash of every file so we can verify it hasn’t changed.

Activity data. A record of actions you take in the Service: uploads completed, files moved or renamed, folders created or trashed, verification runs, and the natural-language search queries you type. We retain a per-org audit log so administrators can answer “who did what when.”

3. What we don't collect

  • Passwords. We use one-time magic links instead.
  • Browser-fingerprinting data, third-party advertising identifiers, or social-network sign-on data.
  • File contents for AI training. Anthropic and Cohere are configured not to use your data to train their general models.
  • Anything from minors. The Service is not intended for anyone under 18.

4. How we use it

  • To operate the Service — store, retrieve, verify, search, and present your files.
  • To send you transactional emails: magic sign-in links, manifest receipts after a wedding is fully verified, and security alerts about your account.
  • To run integrity checks. We periodically re-read each file from storage and re-compute its SHA-256 to detect silent corruption or bitrot. The result is recorded on the file’s row.
  • To generate derived assets — thumbnails, EXIF extracts, and AI embeddings — to power browsing and search. Only thumbnails and structured metadata are sent to AI providers; full-resolution originals never leave our storage.
  • To diagnose problems, prevent abuse, and improve the Service in aggregate.
  • To comply with legal obligations (subpoena, audit, tax records).

We do not use your data for advertising, profile-based marketing, or any purpose beyond providing the Service.

5. Where it lives

File contents are stored in Backblaze B2 (US data centers). The database that tracks file metadata, hashes, folders, and activity runs on Neon Postgres (US-East). The web application is hosted on Vercel (US edge with US-East origin). Background jobs run on Inngest. Email is sent via Resend.

A complete list of third parties we share data with, what they receive, and where they operate is on our subprocessors page. We update it whenever we add or remove a vendor.

6. Cookies and similar technologies

Total Vault uses exactly one cookie — vault_session — which holds your signed session JWT. It’s HTTP-only, Secure in production, SameSite=Lax, and expires after 30 days of inactivity. We do not use third-party analytics or tracking cookies.

7. How long we keep it

  • Active files stay in Total Vault as long as the owning organization’s account is open.
  • Soft-deleted files (Trash) stay recoverable for 30 days before permanent deletion from both the database and Backblaze.
  • Account and activity records are retained for the lifetime of the account and for up to 12 months after closure, then purged.
  • Email magic-link tokens expire 15 minutes after issue and are destroyed once consumed.
  • Backups of the database are kept for 7 days on Neon’s point-in-time recovery, then expire.

8. How we protect it

  • Every file is hashed in your browser before upload and re-hashed server-side after upload. The two must match before the file is marked verified.
  • Files are stored encrypted at rest in Backblaze B2, and all in-transit traffic uses TLS.
  • Database access is over TLS to a per-environment Neon endpoint; credentials live in encrypted secrets and never in code.
  • Sign-in is by single-use, time-limited magic link sent to a known email address. We don’t store passwords because there aren’t any.
  • Access to your data inside our team is limited to staff who need it and is logged.
  • If we ever detect that a file’s hash no longer matches its original, we mark it as failed verification, surface it prominently in your dashboard, and notify the account owner by email.

9. Your rights

You can ask us to:

  • Access a copy of everything we hold about you, in machine-readable form.
  • Correct information that’s wrong.
  • Delete your account and the files associated with it. Once a deletion request is honored, we hard-delete from the database within 7 days and from object storage within 30 days (allowing for backup expiry).
  • Export your files. You can download originals individually or, for whole weddings, request a streaming ZIP. We don’t lock you in.
  • Opt out of any AI-powered feature on a per-wedding basis (we’ll keep the metadata; we just won’t generate embeddings or tags for those files).

To exercise any of these, email patrick@lifestyleaviation.com. We respond within 30 days; usually faster.

10. Sharing

We share your data only as needed to provide the Service: with the subprocessors listed on the subprocessors page, with people you explicitly invite (second shooters, members of your organization, share-link recipients), and where compelled by law. We will challenge any government request that appears overbroad. We will not sell, rent, or trade your data, ever.

11. International transfers

The Service operates from the United States. If you upload from outside the US, your data will be transferred to and stored in the US. We rely on standard contractual clauses with vendors who process EU/UK personal data on our behalf.

12. Changes to this policy

When this policy changes, we’ll update the “Effective” date at the top and email account owners if the changes are material. Older versions stay available on request. Continuing to use the Service after a change means you accept the new policy.

13. Contact

Questions about this policy, requests under it, or anything else: patrick@lifestyleaviation.com.