1. Information We Collect

We collect information you provide directly: email address, display name, and financial transaction data you upload (CSV files). We also collect usage data including login timestamps and feature usage metrics.

2. How We Use Your Information

To provide and maintain the Vaultledge service
To categorize your transactions using a third-party AI provider
To send you service-related notifications
To improve our service and develop new features

3. AI Data Processing

Transaction descriptions are sent to a third-party AI provider for categorization. Our AI provider operates under a zero data retention (ZDR)policy for API payloads. No transaction data is stored on the provider's servers beyond the duration of the API call.

4. Data Storage & Security

Your data is stored in Supabase (PostgreSQL) with row-level security policies ensuring users can only access their own data. All data is encrypted in transit (TLS) and at rest. Authentication is handled by Supabase Auth with bcrypt password hashing.

5. Data Sharing

We do not sell your personal information. We share data only with:

Supabase (database hosting)
Vercel (application hosting)
Anthropic (AI categorization, zero data retention)

6. Your Rights (GDPR)

You have the right to:

Access — Request a copy of your personal data
Rectification — Correct inaccurate personal data
Erasure — Request deletion of your account and data
Portability — Export your data in CSV format
Restrict processing — Limit how we use your data

To exercise these rights, visit Settings → Privacy in your dashboard or contact us.

7. Your Rights (CCPA — California)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights regarding your personal information:

Right to Know — You can request what personal information we collect, use, and disclose.
Right to Delete — You can request deletion of your personal information. Use Settings → Privacy → Delete Account, or email privacy@vaultledge.com.
Right to Opt-Out of Sale — VaultLedge does not sell your personal information to third parties. We have never sold personal information and have no plans to do so.
Right to Non-Discrimination — We will not deny you services or charge different prices for exercising your CCPA rights.

To submit a CCPA request, email privacy@vaultledge.comwith the subject "CCPA Request" or use the data deletion tools in your dashboard under Settings → Privacy. We will verify your identity and respond within 45 days.

8. Data Processing Agreement (DPA)

For organizations subject to the EU General Data Protection Regulation (GDPR) that require a Data Processing Agreement, VaultLedge provides a standard DPA that covers:

Nature and purpose of data processing
Categories of personal data processed
Technical and organizational security measures
Sub-processor obligations (Supabase, Vercel, Anthropic, Stripe, Plaid)
Data breach notification procedures (within 72 hours)
Data subject rights procedures

To request a signed DPA, email legal@vaultledge.com. You can also view our standard DPA at /dpa.

9. Payment Data

Payment card data is handled entirely by Stripe and is never stored on VaultLedge servers. Bank account information for payroll direct deposits is encrypted using AES-256-GCM before storage, and only the last 4 digits are displayed in the application. Plaid bank connections are read-only and cannot initiate transfers.

10. Cookies

We use essential cookies only for authentication session management. We do not use tracking cookies, advertising cookies, or analytics cookies.

11. Data Retention

We retain your data for as long as your account is active. When you delete your account, all associated data (companies, transactions, categories) is permanently deleted within 30 days.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or in-app notification.

13. Contact

For privacy-related inquiries, contact us at privacy@vaultledge.com.

Privacy Policy