Effective date: 28th May 2026
Last updated: 28th May 2026
Operated by: Third Time Lucky Corp Pty Ltd (ABN 94 612 461 800), Queensland, Australia
Contact: support@vanishly.link
Plain English summary
This policy explains what data we collect about you, why we collect it, and what we do with it.
The short version:
- We cannot read your Secrets. They are encrypted in your browser before they reach us.
- We can see metadata: who is sending to whom, when, and how often. This is necessary for the Service to work.
- We collect the minimum personal data needed to run the service: your email, your password (hashed), your 2FA setup, and basic logs. We do not currently process payment information because the service is free.
- We do not sell your data. We do not advertise to you. We do not use trackers on the Service itself.
- We are governed by the Australian Privacy Act and the Australian Privacy Principles.
- If you are in the EU or UK, GDPR rights apply to you. You can request access, correction, deletion, or export of your data.
- You can delete your account at any time. We honour deletion requests promptly.
The full policy below has the detail. Read both.
1. About this policy
This Privacy Policy explains how Third Time Lucky Corp Pty Ltd (ABN 94 612 461 800), the operator of Vanishly (“we”, “us”, “our”), collects, uses, stores, and discloses personal information.
This policy applies to:
- Visitors to vanishly.link and related domains
- Account holders (“Senders”)
- Recipients of Shares and Requests created via the Service
- Anyone who contacts us about Vanishly
We comply with:
- The Privacy Act 1988 (Cth) and the Australian Privacy Principles
- The EU General Data Protection Regulation (GDPR) where it applies to our processing
- The UK Data Protection Act 2018 and UK GDPR where they apply
- The California Consumer Privacy Act (CCPA) where it applies
2. What personal data we collect
2.1 Account data (Senders)
When you create a Vanishly Account, we collect:
- Email address (required, used as your login identifier and for service-critical notifications)
- Hashed password (we never see your password in plaintext; we store an Argon2id hash)
- TOTP secret (encrypted at rest using a server-side key separate from the database)
- Recovery code hashes (we never see your recovery codes after generation)
- Account creation timestamp
- Last login timestamp
2.2 Subscription and billing data (currently not applicable)
The Service is currently free. We do not process payments. We do not have a billing relationship with you. We do not collect payment information.
If paid tiers are introduced in the future, we will:
- Use Stripe Inc. as payment processor
- Receive a Stripe customer ID (full payment details stay with Stripe)
- Store subscription tier and billing cycle
- Store currency selection
- Store subscription status and period dates
This Privacy Policy will be updated before any paid tier launches to reflect the actual billing data we collect at that time. You will be notified of changes as described in section 13.
2.3 Branding data (paid Plans)
If you configure branding for your recipient pages, we store:
- Display name
- Optional tagline (Pro tier)
- Primary and accent brand colours
- Logo image and favicon image (stored on our servers)
- Optional recipient page message (Pro tier)
2.4 Send and request metadata
For each Share or Request created:
- Sender Account ID (links to your Account)
- Creation timestamp
- Expiry timestamp
- Encrypted ciphertext (we cannot decrypt this)
- Number of times consumed
- For Requests: Recipient email address (we need this to deliver the deposit link)
- For Requests: Request message (the human-readable description you provided of what you’re asking for; this is NOT encrypted because we use it in the email body to the Recipient)
2.5 Recipient interaction data
When a Recipient accesses a Share or Request:
- Timestamp of access
- IP address hash (we hash with HMAC-SHA256 using a server-side secret rotated daily; we do not store raw IPs)
- Browser user agent (used for bot detection, not retained long-term)
- Deposit content (encrypted; we cannot decrypt)
2.6 Domain verification data
If you set up domain verification:
- Domain name
- Verification token
- Verification status and timestamp
2.7 Audit log
For your own visibility into Account activity, we keep an audit log of:
- Login events (successful and failed)
- Share and Request creation, consumption, expiry, and revocation
- Account setting changes (2FA enable/disable, password change)
- Tier changes via subscription events
2.8 Support communications
If you contact us via support@vanishly.link or other support channels:
- Your email address and any contact details you provide
- The content of your communication
- Our response and resolution notes
2.9 Aggregate analytics
We may collect aggregate, anonymised metrics about Service usage (total active accounts, total sends per day, error rates, performance metrics). These do not identify individuals and are used solely for capacity planning and Service improvement.
3. What we DO NOT collect or have access to
We want to be specific about what we cannot see, because the design of Vanishly depends on this:
- The plaintext content of any Secret. Secrets are encrypted in the Sender’s or Recipient’s browser before they reach our servers. We do not have the decryption keys.
- The encryption keys themselves. Symmetric keys for Shares live in URL fragments that browsers never transmit. ECDH private keys for Requests live in your retrieval URL fragment or in the Recipient’s ephemeral browser memory.
- Your account password. We store only an Argon2id hash. We cannot recover your password.
- Your TOTP authenticator app contents. We store an encrypted seed but the running codes are computed by your device.
- Your raw IP address (long-term). We hash IPs at log-write time. Raw IPs may exist transiently in Nginx access logs which are rotated daily and purged after 7 days.
4. Why we collect this data (lawful basis)
We collect each category of data for specific operational reasons:
| Category | Why | Lawful basis (GDPR) |
|---|---|---|
| Email, password hash, TOTP | To create and secure your Account | Contract performance (Art 6(1)(b)) |
| Send and request metadata | To deliver the core Service function | Contract performance |
| Recipient email on Requests | To deliver the deposit link to the Recipient | Contract performance (your contract with us; the Recipient is a third-party beneficiary of your sending action) |
| Branding data | To deliver Plan features you have subscribed to | Contract performance |
| Audit log | For your security and our service integrity | Contract performance and our legitimate interest in service security (Art 6(1)(f)) |
| IP address hashes | For abuse prevention, rate limiting, security investigation | Legitimate interest |
| Support communications | To respond to your requests | Contract performance |
| Aggregate analytics | For service improvement and capacity planning | Legitimate interest |
For EU/UK users, where we rely on legitimate interest, we have conducted a balancing test confirming our interest does not override your rights. You can object to processing based on legitimate interest at any time by contacting support@vanishly.link.
5. How long we keep your data
| Data | Retention period |
|---|---|
| Account data | While your Account is active; deleted within 30 days of Account deletion |
| Audit log | Preserved for 30 days after Account deletion, then purged |
| Send and request ciphertext | Deleted on first read (Shares with max_views=1), or on configured expiry, or on first retrieve (Requests), whichever comes first |
| Send and request metadata | Same as ciphertext (deleted together) |
| Stripe customer ID | Not applicable (no current billing). If paid tiers launch, while your subscription is active. |
| Branding data | While your Account is active; deleted on Account deletion |
| Domain verification records | Until you remove the domain or close your Account |
| IP address hashes in logs | 7 days |
| Support communications | 2 years from last contact |
| Aggregate analytics | Indefinite (does not identify individuals) |
| Backups | Schema and Account data backed up; Secret ciphertext is explicitly excluded from backups |
If we are required by law to retain certain data longer (for example, billing records under Australian tax law), we will do so for the legally required period.
6. Who we share your data with
We do not sell your personal data. We do not share it for marketing purposes. We share data only with:
6.1 Service providers we use to operate Vanishly
- Momentum Hosting (server hosting) — your data is stored on infrastructure operated by our hosting provider. The hosting provider does not access your data in the ordinary course; they provide raw infrastructure.
- Momentum Hosting (transactional email delivery) — outbound emails (verification emails, request notifications) are sent via this provider. They handle your email address and the email content.
- Stripe Inc. (payment processing) — only if paid tiers are introduced. Not currently in use because the service is free. If paid tiers launch, Stripe will process payments and we will share your email, billing address (if provided), and subscription information with them. This Privacy Policy will be updated at that time.
- Google Analytics: none.
We require these providers to handle data only as needed to provide their services to us, to maintain appropriate security, and to comply with applicable data protection law.
6.2 Legal compliance
We may disclose data when required by:
- Valid legal process from Australian authorities (search warrants, subpoenas, court orders)
- Foreign legal process where mandatory cooperation is required by Australian law or treaty
- A genuine emergency where disclosure is necessary to prevent imminent serious harm
Because of our zero-knowledge architecture, the data we can disclose is limited to what we have: metadata, Account email, Recipient email, timestamps, IP hashes. We cannot decrypt Secret content for any party, including law enforcement.
We will challenge requests we believe are overbroad or unlawful. Where legally permitted, we will notify the affected user before disclosure.
6.3 Business transfers
If we are acquired or merged, or substantially all our assets are transferred, your data may be transferred to the acquiring entity. We will notify you in advance and any successor will be bound by privacy commitments at least equivalent to this policy.
6.4 We do not share with advertisers
Vanishly does not display advertising and does not share your data with advertisers, ad networks, or data brokers.
7. International data transfers
Our primary infrastructure is located in Sydney, Australia.
For EU/UK users, when your data is transferred outside the EU/UK to a country not deemed adequate by the European Commission or UK Information Commissioner, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional safeguards as appropriate to the nature of the data
You can request a copy of the SCCs we have with our processors by contacting support@vanishly.link.
8. Your rights
8.1 Rights for all users (under the Privacy Act)
Australian residents and users from countries without specific data protection law nonetheless have the following rights, which we honour as a matter of policy:
- Access: You can request a copy of the personal data we hold about you
- Correction: You can request that we correct inaccurate or incomplete data
- Deletion: You can delete your Account via Account settings, which removes most data. For data we cannot remove from your Account interface (audit log, billing history) you can request deletion via email
- Complaint: You can complain to us about how we have handled your data, and if unsatisfied, escalate to the Office of the Australian Information Commissioner (OAIC)
8.2 Additional rights for EU/UK users (under GDPR)
If you are in the EU or UK, you also have:
- Right of access (Art 15)
- Right to rectification (Art 16)
- Right to erasure (“right to be forgotten”, Art 17)
- Right to restriction of processing (Art 18)
- Right to data portability (Art 20) — we will provide your data in a structured, commonly used, machine-readable format
- Right to object to processing based on legitimate interest (Art 21)
- Right to lodge a complaint with a supervisory authority in your country
We will respond to verified requests within 30 days. We may need to verify your identity before fulfilling a request to prevent unauthorised disclosure.
8.3 Additional rights for California users (under CCPA)
If you are a California resident and CCPA applies to our processing of your data:
- Right to know what personal information we collect
- Right to delete your personal information
- Right to opt out of sale (we do not sell personal information, so this is moot)
- Right to non-discrimination for exercising your rights
[REVIEW: confirm whether CCPA applies based on current revenue and California user thresholds. If yes, expand this section. If clearly not, consider removing.]
8.4 How to exercise your rights
Contact us at [PRIVACY_EMAIL] with:
- Your Account email (if you have an Account)
- A clear description of your request
- Verification of your identity (we may ask for additional verification)
We will respond within:
- 30 days for GDPR requests
- 30 days for CCPA requests
- A reasonable time (typically within 30 days) for other requests
There is no fee for reasonable requests. We may charge for excessive or repetitive requests as permitted by law.
9. Security
We protect your data through:
- End-to-end encryption of Secret content (described in detail in our Security Policy)
- Argon2id hashing of passwords
- Mandatory two-factor authentication for Accounts
- Encryption at rest for sensitive database fields (TOTP secrets)
- TLS 1.3 for all data in transit
- Hashed IP addresses
- Restrictive Content Security Policy on all pages
- Regular security review and incident response procedures
See our Security Policy for full detail.
In the event of a data breach that poses a real risk of serious harm to affected users, we will notify the OAIC and affected individuals as required by the Notifiable Data Breaches scheme. For EU/UK users, we will notify the relevant supervisory authority and you as required by GDPR Art 33-34.
10. Cookies and similar technologies
Vanishly uses minimal cookies and no third-party tracking technology on our recipient-facing pages.
10.1 Authenticated pages (dashboard, settings)
We use:
- Session cookies to keep you logged in. These are HttpOnly, Secure, SameSite=Strict.
- CSRF tokens to prevent cross-site request forgery on state-changing requests.
These are strictly necessary cookies and do not require consent under EU law.
10.2 Recipient pages (deposit and reveal)
We use only:
- CSRF tokens to prevent cross-site request forgery.
These are strictly necessary cookies and do not require consent under EU law.
10.3 No analytics cookies, no tracking pixels, no advertising
We do not use Google Analytics, Facebook Pixel, or similar tracking technologies on the Service. We do not load third-party scripts on recipient-facing pages.
If we add any analytics in the future, we will:
- Prefer privacy-preserving, self-hosted options (Plausible, Umami)
- Update this policy
- Add a cookie banner if EU consent is required
11. Children’s privacy
Vanishly is not directed at children under 18 (or the age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact [PRIVACY_EMAIL] and we will delete the data.
12. Privacy questions and complaints
For privacy-related questions, requests, or complaints:
Email: [PRIVACY_EMAIL]
Post: Privacy Officer, Third Time Lucky Corp Pty Ltd, [REGISTERED_ADDRESS], Queensland, Australia
12.1 Escalation
If you are unhappy with how we have handled your privacy complaint:
- Australian users can complain to the Office of the Australian Information Commissioner (OAIC). Contact: https://www.oaic.gov.au or 1300 363 992.
- EU users can complain to the data protection authority in your country.
- UK users can complain to the Information Commissioner’s Office (ICO) at https://ico.org.uk.
- California users can complain to the California Attorney General’s office.
13. Updates to this policy
We may update this Privacy Policy from time to time. Material changes (such as changes to the categories of data we collect, how we use it, or who we share it with) will be notified to Account holders by email and in-app notification at least 14 days before they take effect.
The “Last updated” date at the top of this policy will always reflect the most recent revision. Previous versions are available on request.
Contact summary
| Purpose | Address |
|---|---|
| Privacy questions and requests | [PRIVACY_EMAIL] |
| Security incidents and disclosure | [SECURITY_EMAIL] |
| General support | [SUPPORT_EMAIL] |
| Billing | [BILLING_EMAIL] |
| Legal notices | [LEGAL_EMAIL] |
Postal address: Third Time Lucky Corp Pty Ltd, [REGISTERED_ADDRESS], Queensland, Australia