Privacy Policy

This Privacy Policy describes how Vittaly, Inc. ("Vittaly," "we," "us," or "our") processes personal information in connection with the Vittaly platform, the vittaly.com website, our marketing pages, and any related products, integrations, mobile experiences, APIs, and customer support (collectively, the "Services").

Vittaly is generally a data processor (or "service provider" under California law) acting on behalf of the business or accounting firm that has signed up for a Vittaly account (the "Customer" or "Organization"). The Customer is the data controller for the books, invoices, vendor records, employee data, and other information loaded into their Vittaly workspace. If you are an employee, contractor, vendor, or customer of a business that uses Vittaly and you want to exercise rights against that data, please contact the Customer directly. We will support them in responding to your request.

When you visit our marketing site, sign up for an account, or contact us, Vittaly acts as the data controller for that information.

We collect information in three ways:

Information you give us. Account and billing information (name, business name, work email, phone number, mailing address, role, password hash via our identity provider, billing contact, tax identification numbers where required), workspace configuration (chart of accounts, fiscal year, currency, tax settings), uploaded content (invoices, receipts, statements, documents), customer and vendor records, employee and contractor records (if you use payroll-adjacent features in later phases), messages you send to support, and survey or research responses.

Information from connected services. With your explicit authorization, we receive data from third-party services you connect — for example, banking data via Plaid, payment data via Stripe, e-commerce data via Shopify, identity data via Clerk, and email delivery telemetry via Resend. The specific fields depend on the connection and on the scopes you grant.

Information collected automatically. Usage data (pages viewed, features used, approximate latency), device and browser data (IP address, user agent, operating system, screen dimensions), session identifiers, error and crash data via Sentry, and product analytics. We use first-party cookies and similar technologies — strictly necessary cookies for authentication and security, and limited analytics cookies to understand product performance. We do not sell this information and we do not use it for cross-context behavioral advertising.

Vittaly is an accounting product. We are intentionally minimal about sensitive data. We do not store full card numbers — payment card processing is handled by Stripe in tokenized form so that Vittaly stays out of PCI scope. We do not knowingly collect health information, biometric data, precise geolocation, or information from children under 13.

Where the Services involve financial account numbers, taxpayer identification numbers (EIN, SSN where unavoidable), or bank routing information, we encrypt that information at rest and apply additional access controls. PII is scrubbed from application and audit logs before write.

We use personal information for the following purposes:

• Provide the Services — creating workspaces, keeping double-entry books, generating reports, syncing with connected services, generating PDFs, delivering email receipts.
• Secure the Services — authentication, abuse and fraud detection, vulnerability response, and enforcing our terms.
• Operate and improve — monitoring reliability, debugging incidents, evaluating feature usage, and shaping product improvements. Our AI suggestions are advisory only; a human approves any journal entry before it posts.
• Communicate with you — service announcements, security alerts, and (with your consent or where permitted by law) educational and marketing content from Vittaly.
• Comply with law — including tax, accounting, and financial recordkeeping retention obligations described in the "Retention" section below.

We do not use Customer Content to train general-purpose AI models. Where AI features process Customer Content, processing occurs under contractual zero-retention terms with our model providers (for example, through the Vercel AI Gateway).

Vittaly is currently a US-only Service. We treat all US users as protected under the California Consumer Privacy Act, as amended ("CCPA/CPRA"), and we apply that framework uniformly to residents of other US states with comparable laws (including Colorado, Virginia, Connecticut, Utah, and Texas). We rely on the following bases for processing under CCPA: performance of our contract with the Customer, legitimate business purposes (including security and fraud prevention), legal obligations (including tax recordkeeping), and, where required, your consent.

We share personal information only as described here:

• With your Organization. Other authorized members of your workspace, and accountants you invite, can see Customer Content per the roles assigned in Vittaly.
• Service providers and subprocessors. We rely on vetted vendors to operate the platform — including, today, Vercel (hosting and edge), Neon (Postgres), Clerk (identity), Inngest (durable background jobs), Upstash (Redis cache and idempotency), Vercel Blob (file storage), Resend (transactional email), Sentry (error monitoring), Stripe (payments and billing), Plaid (bank connectivity), and our AI providers via the Vercel AI Gateway. Each subprocessor is bound by a written data-processing agreement. A current list is available on request and will be maintained at vittaly.com/legal/subprocessors once published.
• Connected services you authorize. When you connect Stripe, Plaid, Shopify, or another integration, we exchange data with that service to provide the integration. Each integration is governed by that provider's own terms and privacy policy.
• Professional advisors. Our auditors, lawyers, insurers, and accountants, under confidentiality obligations.
• Legal and safety. When required by law, court order, or regulatory request, or to protect the rights, safety, and property of Vittaly, our Customers, or the public.
• Corporate transactions. If Vittaly is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to the receiving party honoring the commitments in this policy.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under US state privacy laws.

We protect information using administrative, technical, and physical safeguards designed to be appropriate for an accounting platform: encryption in transit (TLS 1.2+) and at rest, tenant isolation via Postgres row-level security, least-privilege access for engineers, append-only audit logs for ledger actions, separation of duties between web and ledger services, and a SOC 2 Type II program in progress. No method of transmission or storage is perfectly secure; we work hard, and we ask you to use strong, unique passwords and to report anything suspicious to security@vittaly.com.

Because Vittaly is a system of record for financial books, we retain information for the periods required by US tax and accounting law, and we publish those defaults transparently. Typical retention:

• Tax records — seven (7) years (IRS minimum)
• Banking transactions — seven (7) years
• Payroll records — seven (7) years (where applicable)
• Audit logs — seven (7) years
• Application logs — ninety (90) days
• Closed accounts — soft-delete and archive; hard-delete after seven (7) years, subject to regulatory hold

When you close your Vittaly account, your Customer Content is retained per the schedule above. You can request an export at any time. Backups roll off on the schedules described in our security documentation.

Depending on where you live and your relationship to Vittaly, you may have the right to:

• Know what personal information we hold about you
• Receive a portable copy of that information
• Correct inaccurate personal information
• Delete personal information (subject to legal hold)
• Opt out of any "sale" or "sharing" — which Vittaly does not do
• Not be discriminated against for exercising these rights
• Designate an authorized agent to act on your behalf

To exercise a right, email privacy@vittaly.com. If you are an employee, vendor, or customer of a business that uses Vittaly, please direct your request to that business first — we will assist them in responding. We will verify your request using the information already associated with your account and respond within the time frames required by applicable law (typically 45 days, with one 45-day extension where permitted). If we decline a request, we will tell you why and explain how to appeal.

Vittaly is a business tool. It is not directed to children and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, contact privacy@vittaly.com and we will delete it.

Vittaly is currently offered to US-based businesses and operates in the United States. We do not target the Service to residents of the European Economic Area, the United Kingdom, or other regions with comprehensive data protection laws beyond the US. If you access the Service from outside the US, you understand that your information will be processed in the US under US law. EU and UK regions are on our roadmap; this section will be updated before that launch.

Vittaly uses AI to suggest transaction categorizations, draft journal entries, parse receipts, and answer questions about your books. These suggestions are advisory only. A human must approve any change before it posts to your ledger. Each suggestion is recorded with its source, model version, confidence score, the user who approved it, and a timestamp.

We do not allow our AI providers to retain or train on your Customer Content. When you ask Vittaly a question that references your books, the relevant context is sent to a model provider under zero-retention terms and then discarded.

We may update this Privacy Policy from time to time to reflect new features, legal requirements, or operational practices. If we make a material change, we will notify you by email or via an in-app notice at least thirty (30) days before it takes effect (or sooner where the law requires). The "Last updated" date at the top of this page always reflects the current version.

Privacy questions, data subject requests, and concerns:privacy@vittaly.com

Security disclosures:security@vittaly.com

General legal:legal@vittaly.com

Mailing address: Vittaly, Inc., 15858 River Glen Dr, Frisco, TX 75035, United States.