PRIVACY &
COOKIE POLICY
Vault 40K is a community archive, not an ad network. We collect only what we need to keep the site running and improving. This document explains what is collected, by whom, and how you control it.
What we collect
When you create an account we store your email address and any OAuth profile data (display name, avatar URL) provided by your sign-in provider. Your email is used solely for authentication — it is never shared with third parties or used for marketing.
When you post a recipe, attempt, or profile we store the content you submit along with a timestamp and your user ID. Content you publish is visible to other users of the archive.
Anonymous visitors are not tracked beyond the privacy-safe aggregate metrics described in section 02.
Analytics & tracking
We use two tiers of analytics, each with different privacy implications.
Vercel Analytics and Vercel Speed Insights are loaded unconditionally. They measure page views and Core Web Vitals using a hash of your IP address and user agent — no cookies are set, no personal data is stored, and no cross-site tracking occurs. These tools are designed to be GDPR-compliant without requiring consent.
Google Analytics 4 (GA4) and PostHog are loaded only after you accept cookies. GA4 provides aggregate traffic data. PostHog tracks page navigation and, for signed-in users, associates events with your account handle — this helps us understand how the archive is used and prioritise improvements. You can withdraw consent at any time by clearing your cookies or using a browser extension to block analytics scripts.
Third-party services
Supabase — our database and authentication provider. Your account data and content is stored in a Supabase-managed PostgreSQL instance hosted in the EU (West). Supabase processes data under a Data Processing Agreement compliant with GDPR.
Google Analytics — consent-gated. Data is processed by Google LLC under their standard data processing terms. IP anonymisation is enabled.
PostHog — consent-gated. We self-configure PostHog with person_profiles: 'identified_only', meaning anonymous visitors generate no individual profile. Data is processed by PostHog Inc.
Vercel — our hosting and infrastructure provider. Vercel processes request logs and performance data as part of running the service. See vercel.com/legal/privacy-policy.
We do not sell, rent, or trade your personal data to any third party.
Data retention
Account data is retained for as long as your account is active. If you delete your account, your profile and any content you have posted will be removed within 30 days, except where content has been incorporated into other users' submissions (e.g. referenced recipes).
Analytics data held by Google and PostHog is subject to their respective retention policies. GA4 data is retained for 14 months by default. PostHog event data is retained for 12 months on our current plan.
Server-side request logs retained by Vercel are deleted within 30 days.
Your rights
Under GDPR and UK GDPR you have the right to access the personal data we hold about you, request correction of inaccurate data, request deletion of your data, object to processing based on legitimate interests, and withdraw consent for analytics cookies at any time.
To exercise any of these rights, or to request a copy of your data, contact us at the address in section 07. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. In the UK this is the ICO (ico.org.uk).
Contact & updates
Questions about this policy or your data can be directed to the Vault 40K team via the GitHub repository or the contact details listed on the site.
We may update this policy from time to time. When we make material changes we will update the version number and date at the top of this page. Continued use of the archive after changes are posted constitutes acceptance of the revised policy.