Last updated · 2026-04-21
Privacy policy
United States · Maryland. Working draft — review with a licensed attorney before commercial launch.
At a glance: VptTips is operated by Vanpaultek (the “Company,” “we,” or “us”) from the United States. We collect the minimum personal information needed to run the Service, we do not sell or share personal information, we do not process sensitive personal information for profiling, and we honor deletion and access requests from any US resident regardless of state.
1. Scope
This policy applies to the VptTips website and any related product or admin console that links to it. It is governed by the laws of the State of Maryland and, where applicable, federal United States law.
2. Contact us
Vanpaultek · Maryland, United States
Privacy: privacy@vpttips.com
Security: security@vpttips.com
3. Information we collect
3.1 Automatically on every visit
- Server-side request signals — IP address, request timestamp, URL visited, HTTP status, referrer. Used for security, rate-limiting, fraud prevention, and service reliability. Retained for 30 days.
- Browser signals (client-side) — User-Agent, language, timezone, screen size, device class, touch capability. Stored only in the current session unless attached to your user record on sign-in.
3.2 Account information
- Email address (required for sign-up).
- A password hash (bcrypt/Argon2 when wired to a real backend) or a WebAuthn passkey credential identifier. We never see your plaintext password or biometric sample.
- Optional display name.
3.3 Information you provide
- Precise geolocation — only if you click “Allow precise location” and grant permission in the browser prompt.
- Music-app connection records — kept locally on your device in localStorage.
3.4 What we do NOT collect
- MAC addresses. Not technically available to a website.
- Biometric data. Passkey flows happen entirely in your device’s secure enclave.
- Sensitive personal information as defined by the California Privacy Rights Act (CPRA), Maryland Online Data Privacy Act (MODPA), and analogous state laws — including racial origin, religion, union membership, health or genetic data, sex life or orientation, immigration status, or precise geolocation beyond the opt-in described above.
- Children’s data. The Service is not directed at children under 13 (COPPA). If we learn we have collected information from a child under 13, we will delete it.
4. Why we use your information
- To operate the Service — authenticate sign-ins, show you content in your language and theme, keep you logged in.
- To secure the Service — detect abuse, log security events, enforce rate limits, respond to vulnerability reports.
- To meet legal obligations — respond to lawful subpoenas, defend legal claims, comply with court orders.
We do not use your information for behavioural advertising, third-party analytics, cross-context tracking, or automated decision-making that produces legal or similarly significant effects on you.
5. Sharing & sale
We do not sell your personal information. We do not “share” it for cross-context behavioural advertising. (Both terms as defined by the California Privacy Rights Act.)
We may disclose limited information in these situations:
- Service providers under written agreements that restrict their use of the data to operating the Service on our behalf (e.g., hosting, email delivery if wired).
- Legal process — to comply with subpoenas, court orders, or valid government requests; to protect the rights, property, or safety of VptTips, our users, or the public.
- Business transfers — as part of a merger, acquisition, or asset sale, in which case we will post notice before personal information becomes subject to a different policy.
6. Third-party embeds
When you play a “Famous music” track, a YouTube privacy-enhanced embed (youtube-nocookie.com) loads inside an iframe and plays the video under YouTube’s terms and privacy policy. We do not share your VptTips session with YouTube.
6a. Phone Link (device-to-device pairing)
The Phone Link feature (the phone-icon button on the blue bar) lets you pair your phone’s browser with the desktop session over an end-to-end-encrypted WebRTC channel. Here’s exactly what the server sees — and what it does not see.
6a.1 What we process
- Pairing code: a random 6-character code generated on our server, stored in volatile server memory, and discarded within 5 minutes of idle or 30 minutes of absolute age, whichever comes first. Codes are single-use.
- WebRTC signaling frames (the SDP offer, answer, and ICE candidates) relayed between the two peers to set up their direct connection. These are WebRTC protocol metadata — they describe how the two devices can reach each other but contain no user content. Frames are forwarded immediately and never written to disk.
- IP address and User-Agent of both peers, incidentally, via normal HTTP request logs — retained on the same 30-day / aggregate schedule as any other request log (see “Data retention” below).
6a.2 What we deliberately do not process
- Clipboard text you send between the devices.
- File contents or metadata (beyond filename appearing in your own browser tab).
- Camera frames / audio. Microphone is never engaged by Phone Link. Camera frames travel directly between the two browsers over the peer connection.
All three data classes above flow through the WebRTC data and media channels, which are encrypted with DTLS-SRTP in the browsers themselves. Our server is not on the data path.
6a.3 Your controls
- Pairing only happens when you explicitly open the Phone Link drawer on one device and scan the code on the other. There is no auto-pair.
- Closing either tab instantly terminates the session. The server purges the code on the next sweep.
- Sharing your camera requires an additional explicit tap on the phone plus a native OS permission prompt. You can stop it at any time via the Stop sharing button or by closing the tab.
5b. Passwordless sign-in (passkey & magic link)
We actively promote passwordless sign-in because it removes the single largest account-compromise vector — reusable passwords.
- Passkeys (WebAuthn). The private key lives on your device (in Secure Enclave, TPM, or a hardware security key) and is never sent to us. We only store the public key and a credential id, which are useless for anyone else to sign in with.
- Magic links. When you request one we store a SHA-256 hash of the token alongside an expiry (15 minutes) and a single-use flag. The plaintext token lives only in the email we send you; a database leak cannot be replayed to sign in. Expired rows are purged opportunistically.
- Magic-link sign-in on a new email auto-creates a minimal account with no password. You can add a passkey or password later from Account if you want one.
- We respond with a generic 200 to every magic-link request, whether the email exists on file or not, so the endpoint can never be used to enumerate accounts.
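The magic-link storage scheme described above, sketched as an added example (not VptTips code). The SHA-256 hash, 15-minute expiry and single-use flag come from the policy; the class name, in-memory row layout and 32-byte token length are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # 15-minute expiry stated in the policy


class MagicLinkStore:
    """In-memory stand-in for the token table (hypothetical schema)."""

    def __init__(self):
        # sha256(token) hex digest -> {"email", "expires_at", "used"}
        self.rows = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email, now=None):
        """Create a token. Only its hash is stored; the plaintext goes in the email."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # assumed length: 32 random bytes
        self.rows[self._digest(token)] = {
            "email": email,
            "expires_at": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token, now=None):
        """Return the email on success, None for unknown, expired or used tokens."""
        now = time.time() if now is None else now
        row = self.rows.get(self._digest(token))
        if row is None or row["used"] or now >= row["expires_at"]:
            return None
        row["used"] = True  # single-use flag: a second redemption fails
        return row["email"]

    def purge_expired(self, now=None):
        """Opportunistic cleanup; returns the number of rows removed."""
        now = time.time() if now is None else now
        expired = [h for h, r in self.rows.items() if now >= r["expires_at"]]
        for h in expired:
            del self.rows[h]
        return len(expired)
```

Presenting a stored digest to `redeem` fails because the lookup hashes its input again, which is why a leaked table row cannot be replayed as a sign-in token.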
5d. Device & network audit for safety
For fraud prevention, abuse investigation, and incident response, we record a device snapshot every time a user signs in, loads a page, or crosses an admin-access or broadcast-join gate. The snapshot lives in the DeviceAudit table and applies to every user — signed-in general users, signed-in administrators, and anonymous visitors.
This is collected under the “legitimate interest in service safety” basis. The W3C Do-Not-Track spec and CCPA both exempt short-term security logging from opt-out; our DNT-honouring analytical telemetry (§5c) is separate.
The per-row fields:
- Server-observed (cannot be forged by the client): IP address, Accept-Language, request timestamp.
- Client-reported (stored verbatim, treated as hints): User-Agent string, UA Client Hints (platform, platform version, architecture, bitness, device model, full version list), screen + viewport size, device pixel ratio, touch capability, CPU cores (hardwareConcurrency), RAM class (deviceMemory), network effective type, timezone, language list, referrer, and the user’s DNT / GPC signals (stored so you know whether the user had signalled a preference).
- Mobile Chromium devices additionally expose a device model string (e.g. “Pixel 8”, “SM-S911U”) via UA Client Hints; Safari and Firefox do not.
We cannot capture MAC addresses, hardware serial numbers, or device GUIDs from a browser. These are blocked by the browser’s security model. The macAddress column in DeviceAudit exists for a possible future native-app integration and is always blank for browser sessions. Any website claiming MAC capture from a website alone is incorrect or lying.
Retention: 90 days for routine rows, longer only when pinned to an active security investigation. Access is admin-only and every read is itself logged to AuditLog.
5c. Do-Not-Track & Global Privacy Control
If your browser sends the W3C DNT: 1 header or the Sec-GPC: 1 signal, we skip all optional telemetry capture. We still record the strictly necessary session cookie and the session-binding user-agent fingerprint (required for the session to function at all), but we do not capture your timezone, screen size, language preferences, device class, or referrer. You do not need an account or any extension to enable this; any mainstream browser can switch it on in Settings.
6a. Admin two-factor authentication
Administrator accounts are required to enrol a second authentication factor before any admin-only feature is available. One of the following must be configured:
- An authenticator app (Google Authenticator, 1Password, Aegis, etc.) — we store only the shared TOTP secret.
- A recovery email address — stored server-side to deliver a 6-digit code on sign-in.
- A mobile phone number — stored in E.164 form to deliver a 6-digit SMS code. We only accept numbers assigned to mainstream mobile carriers; Google Voice, toll-free, and other virtual / forwarded numbers are rejected at enrolment. We do not store carrier names or subscriber details beyond the number itself.
A successful 2FA verification is valid for 4 hours; after that, the admin must re-verify. All enrolment, challenge, and disable events are written to AuditLog with actor id, method, and timestamp.
6b. Admin screen broadcast
A Vanpaultek administrator can start a screen broadcast from the admin console. Temporary posture: any viewer with the link and a valid email address can watch — sign-in and allowlist enforcement are disabled pending the next release. Up to 5 concurrent viewers per session; sessions hard-stop after 2 hours.
On each join we store: the email entered by the viewer (not verified to be theirs right now), the server-observed IP, the viewer’s User-Agent, and a DeviceAudit row (§5d) with device + network details. Rejections (room full / broadcast ended) are logged too.
Server-side we process only the broadcast code, the admin user id, the title, the informational invitee list, and the SDP offer / answer / ICE-candidate signaling metadata. Screen frames and tab audio flow peer-to-peer over DTLS-SRTP; our server is not on the media path and cannot view, scan, or record the broadcast.
6c. Content-safety signals & CSAM reporting
To enforce the Prohibited Content clause of the Terms, every prompt sent to an AI feature (search and the writing-helper tools) is screened before it reaches the model. When a prompt is blocked, we record:
- the category of rule that was matched (CSAM, weapons-synthesis, targeted-violence, self-harm-method, malware, or controlled-substance synthesis);
- the length of the input (not the raw text);
- the actor id (if signed in), IP address, user-agent, and timestamp via the normal audit pipeline (§5d).
We do not store the verbatim blocked text — the audit row is length + category only — so we aren’t creating a retained corpus of prohibited queries.
CSAM reports. When we become aware of suspected child sexual abuse material on the Service, we are legally obligated under 18 U.S.C. § 2258A to report it to the National Center for Missing & Exploited Children (NCMEC) CyberTipline, to preserve records associated with the report for at least 90 days, and to make those records available to law-enforcement under lawful process. We do not voluntarily scan unrelated content for this purpose; this obligation attaches only when the Service’s own screening pipeline surfaces a specific event.
Law-enforcement cooperation. We respond to valid subpoenas, court orders, and other lawful process. We publish transparency figures annually (starting with the first full calendar year after public launch).
7. Cookies & local storage
All keys below are first-party. None are used for cross-site tracking.
| Key | Purpose | Type |
|---|---|---|
| vpttips.auth.v1 | Keeps you signed in within the tab | Strictly necessary |
| vpttips.theme.v1 | Light / Dark / System preference | Preference |
| vpttips.locale.v1 | Language preference | Preference |
| vpttips.passkey.v1 | Credential ID for your passkey | Strictly necessary |
| vpttips.music.connections.v1 | Demo music-app connection records | Functional |
| vpttips.consent.v1 | Your cookie-banner choice | Strictly necessary |
8. Your US privacy rights
All US residents may exercise the rights below at privacy@vpttips.com. We respond within 45 days (extendable once by another 45 days with notice). You may appeal a denied request by replying to our response; appeals receive an answer within 60 days.
- Right to know / access. Get a copy of the personal information we hold about you and how it is processed.
- Right to delete. Request deletion of your data (subject to narrow exceptions like legal-hold and fraud prevention).
- Right to correct. Fix inaccurate personal information.
- Right to portability. Receive your data in a structured, machine-readable format.
- Right to opt out of sale, sharing, targeted advertising, and profiling that produces significant decisions. See our Do Not Sell or Share My Information page. (We don’t do any of these, but the page is available to make the option explicit.)
- Right to non-discrimination. We will not deny service, charge a different price, or provide a different quality of service because you exercised a right.
- Right of an authorized agent. You may designate someone to submit a request on your behalf with written verification.
8.1 Maryland residents (MODPA, effective Oct 1 2025)
In addition to the rights above, Maryland law prohibits the sale of sensitive personal information and the sale of the personal data of consumers known to be under 18. We comply: we do not sell any of this data. If you believe we have mis-handled your data and our response is unsatisfactory, you may appeal to the Maryland Attorney General’s Consumer Protection Division at marylandattorneygeneral.gov.
8.2 California residents (CCPA / CPRA)
You have the right to limit the use and disclosure of sensitive personal information. We do not collect or process sensitive personal information for purposes beyond those permitted without consent under Cal. Civ. Code § 1798.121.
California users may also request the disclosures specified by the Shine the Light law (Cal. Civ. Code § 1798.83). We do not disclose personal information to third parties for their direct marketing purposes.
8.3 Virginia, Colorado, Connecticut, Utah residents
Your state’s consumer privacy law (VCDPA, CPA, CTDPA, UCPA) grants rights equivalent to those above. Submit a request via the email in § 2.
9. Data retention
| Category | Retention |
|---|---|
| Account email + display name | Until deletion request |
| Password hash or passkey credential | Until deletion request |
| Server IP logs | 30 days, then discarded |
| Telemetry snapshot (in-memory) | Cleared on sign-out |
| Music connection records | On your device only |
| Backups containing personal information | 90 days max before overwrite |
10. Security
We employ layered controls: HTTPS with HSTS preload, strict Content-Security-Policy with hash-whitelisted inline scripts, frame protection, non-root production containers, weekly dependency scanning, and a published vulnerability disclosure policy. Under Maryland’s Personal Information Protection Act (Md. Code, Com. Law § 14-3501 et seq.) we will notify affected residents and the Attorney General if a security breach materially compromises their personal information.
11. International transfers
The Service is operated from the United States. If you access it from outside the US, your information will be transferred to and processed in the US.
12. Children under 13 (COPPA)
The Service is not directed at and does not knowingly collect information from children under 13. Parents or guardians who believe a child has provided personal information should email privacy@vpttips.com and we will delete the information promptly.
13. Changes
For material changes we will post a notice here and, where required, request renewed consent on your next sign-in. We will not apply material changes retroactively without your consent.
This policy provides a reasonable baseline but is not legal advice. Have a licensed attorney review before commercial launch.