What Data Do You Collect from Me Directly?
When you register for or use Vacalion, we collect information you provide to us, including:
- Account information: your name, email address, password (stored as a secure hash), and profile picture
- Identity verification data: government-issued ID, date of birth, address, and taxpayer identification number — required for regulated payment features
- Financial data: bank account details, transaction history, receipts, and documents you upload or import
- Tax information: income figures, deduction details, and other data you provide when using tax return generation features
- Payment method: billing address and payment card details (stored and processed securely by Stripe; we do not store raw card numbers)
- Communications: messages you send to our support team, feedback submissions, and survey responses
What Data Is Collected When I Use the App?
When you access our website or mobile application, we automatically collect certain technical and usage information:
- Device information: device type, operating system, browser type and version, screen resolution, and unique device identifiers
- Log data: IP address, timestamps, pages or screens viewed, links clicked, and error reports
- Location data: approximate geolocation derived from your IP address; precise GPS location only if you explicitly grant permission
- Usage patterns: features used, frequency of use, navigation paths, and session duration
- Cookies and similar technologies: see our Cookie Policy for full details
Do You Receive Data from Other Sources?
We may receive information about you from third parties in order to provide our Services:
- Open banking providers (such as Plaid or MX) when you connect your bank accounts — including account balances, transaction history, and account holder information
- Payment processors (Stripe) — transaction confirmations, payment status, and risk signals
- Identity verification providers — the result of KYC/AML checks where applicable
- Single sign-on providers (Google, Apple) — your name and email address if you use social login
- Marketing and analytics partners — aggregated audience insights if you have consented to analytics cookies
How Do You Use My Data to Deliver the Service?
We use your personal data primarily to operate and improve Vacalion, including:
- Creating and managing your account
- Processing payments and transfers you initiate
- Aggregating and displaying your connected bank account data
- Scanning, parsing, and categorising receipts you upload
- Generating tax return documents from your financial data
- Running fraud detection on transactions to protect you and our platform
- Providing customer support and responding to your enquiries
Will You Email or Notify Me?
We will send you communications related to your account and our Services, including:
- Transactional emails: receipts, payment confirmations, security alerts, and subscription notifications — these are required and cannot be opted out of while you hold an account
- Service updates: changes to our Terms, Privacy Policy, or features that affect you
- Marketing communications: product updates, tips, and promotional offers — only with your explicit consent, and you may unsubscribe at any time via the link in any marketing email or by adjusting your notification preferences in account settings
How Do You Use AI and Analytics?
Our AI models process your financial data to provide intelligent features such as spending categorisation, predictive cash flow, deduction identification, and anomaly detection. This processing is carried out on our servers and, where applicable, within isolated processing environments that restrict access to your raw data.
We also use aggregated and anonymised data — from which individuals cannot be identified — to train and improve our machine learning models and to generate product analytics. Individually identifiable data is never used to train shared models without your explicit consent.
What Is Your Legal Basis for Processing?
We process your personal data under the following lawful bases (under GDPR and equivalent frameworks):
| Purpose | Legal Basis |
|---|---|
| Operating your account and providing core Services | Contractual necessity |
| Payment processing and KYC/AML checks | Legal obligation & contractual necessity |
| Fraud detection and security monitoring | Legitimate interests (protecting users and platform) |
| Sending marketing communications | Consent |
| Analytics cookies and usage tracking | Consent |
| Improving services with anonymised data | Legitimate interests |
Which Service Providers Can Access My Data?
We share personal data only with trusted third-party service providers who help us operate Vacalion. All such providers are contractually bound to process data only as instructed and to maintain appropriate security standards. Our key service providers include:
- Stripe — payment processing and billing
- Plaid / MX — open banking connectivity and account aggregation
- Google Cloud, AWS — cloud infrastructure, OCR services (receipt scanning), and storage
- Supabase / PostgreSQL — database hosting
- SendGrid / Postmark — transactional email delivery
- Sentry — error monitoring and crash reporting
- Google Analytics / Mixpanel — product analytics (where you have consented)
Do You Share My Data with Banks?
When you use payment features, we share the minimum data necessary with financial institutions and payment networks (such as Visa or Mastercard via Stripe) to process your transactions. This may include your name, account number, and payment amount.
When you link a bank account, the open banking provider (e.g. Plaid) facilitates the connection between Vacalion and your bank. Your login credentials for external banks are never stored by Vacalion — they go directly and securely to the open banking provider.
Can You Share My Data with Authorities?
We may disclose your personal data where we believe in good faith that disclosure is required to:
- Comply with applicable law, regulation, or a valid legal process (such as a court order or subpoena)
- Meet anti-money-laundering (AML) or know-your-customer (KYC) reporting obligations
- Protect the rights, property, or safety of Vacalion, our users, or the public
- Detect, investigate, or prevent fraudulent or illegal activity
Where legally permitted and practicable, we will notify you before disclosing your data to authorities.
What Happens to My Data in a Sale or Merger?
If Vacalion undergoes a merger, acquisition, or sale of all or substantially all of its assets, your personal data may be transferred to the acquiring entity. We will provide reasonable notice before your data becomes subject to a different privacy policy, and you will have the right to close your account and request deletion of your data at that time.
Can I Access My Data?
You have the right to request a copy of the personal data we hold about you. You can access most of your account and financial data directly within the app. For a full data export, please contact us at privacy@vacalion.com and we will provide your data in a machine-readable format (e.g., JSON or CSV) within 30 days.
Can I Correct or Delete My Data?
You can update most account information directly in your profile settings. If you need to correct data that you cannot edit yourself, contact our support team.
You may request deletion of your account and associated personal data at any time. We will fulfil deletion requests within 30 days, subject to any legal retention obligations (for example, we are required to retain certain financial records for a minimum period under applicable law). Retained data will be isolated and not used for any other purpose.
How Do I Opt Out?
You may opt out of the following at any time:
- Marketing emails: click "Unsubscribe" in any marketing email or visit Privacy Settings in your account
- Analytics cookies: update your cookie preferences via the cookie settings banner
- Push notifications: disable in your device's notification settings or in the Vacalion app settings
Please note that opting out of certain data processing (such as fraud detection) may limit the functionality of your account.
I Live in California — What Are My CCPA Rights?
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you additional rights:
- Right to Know: you may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months
- Right to Delete: you may request deletion of your personal information, subject to certain exceptions
- Right to Correct: you may request correction of inaccurate personal information
- Right to Opt Out of Sale or Sharing: we do not sell your personal information and do not share it for cross-context behavioural advertising
- Right to Non-Discrimination: we will not discriminate against you for exercising any of your CCPA rights
To exercise your CCPA rights, email privacy@vacalion.com with the subject line "CCPA Request". We will respond within 45 days.
I Live in Europe — What Are My GDPR Rights?
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR (or equivalent legislation):
- Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy
- Right to rectification (Art. 16): have inaccurate data corrected or incomplete data completed
- Right to erasure (Art. 17): have your data deleted in certain circumstances ("right to be forgotten")
- Right to restriction of processing (Art. 18): restrict how we use your data in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making (Art. 22): not be subject to solely automated decisions that produce significant legal effects
To exercise any of these rights, contact our Data Protection Officer at dpo@vacalion.com. You also have the right to lodge a complaint with your local data protection authority.
How Do You Protect My Data?
We implement industry-standard technical and organisational security measures to protect your personal data, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Strict access controls and role-based permissions for internal staff
- Multi-factor authentication for all internal systems
- Regular third-party penetration testing and security audits
- PCI DSS compliance for payment data handling (via Stripe)
- Automated fraud monitoring and anomaly detection via FraudGuard
No system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law, typically within 72 hours of discovery.
How Long Do You Keep My Data?
We retain your personal data for as long as your account is active and for a period thereafter as necessary for legitimate business and legal purposes:
| Data Type | Retention Period |
|---|---|
| Account profile and credentials | Duration of account + 30 days after deletion request |
| Transaction records and financial data | 7 years (US tax and financial regulations) |
| Identity verification records (KYC) | 5 years after account closure (AML regulations) |
| Support communications | 3 years |
| Usage logs and analytics | 13 months |
| Marketing consent records | Until consent is withdrawn + 1 year |
After the applicable retention period, we securely delete or anonymise your data.
Do You Collect Children's Data?
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@vacalion.com and we will take prompt steps to delete such information.
Can This Policy Change?
We may update this Privacy Policy to reflect changes in our data practices, technology, legal requirements, or business operations. When we make material changes, we will notify you by email and post a prominent notice on our website at least 14 days before the changes take effect.
We encourage you to review this Policy periodically. Your continued use of our Services after the effective date of any updated Policy constitutes your acceptance of the changes.
How Do I Contact Your Privacy Team?
If you have questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:
Data Protection Officer
Contact our DPO directly at dpo@vacalion.com for GDPR or sensitive requests
privacy@vacalion.com
Vacalion LLC — United States