Legal

Privacy Policy

Last updated: April 12, 2026

1. What Data We Collect

When you create an account and use Vigis, we collect the following categories of information:

  • Account information: Your name, email address, and password (stored as a salted hash — we never see your plaintext password).
  • Business details: Information you enter about your business, including industry, state, employee count, revenue range, and operational characteristics. This data is used exclusively to generate your compliance audit.
  • Usage data: Pages visited, features used, audit history, compliance to-do interactions, and other product analytics. This helps us understand how the product is being used and where to improve it.
  • Payment information: Billing details (e.g., card type and last four digits) are collected and stored by Stripe on our behalf. We do not store full card numbers on our servers.
  • Technical data: IP address, browser type, device type, and operating system collected automatically when you use the service.

2. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and improve the Vigis service.
  • Generate compliance audits and regulatory alerts tailored to your business profile.
  • Send transactional emails such as audit-ready notifications, regulatory alerts, and account security messages.
  • Process payments and manage your subscription.
  • Analyze aggregate usage patterns to improve product quality and coverage.
  • Comply with legal obligations and enforce our Terms of Service.

We do not use your business details or audit results for any purpose other than providing the service to you. We do not train AI models on your individual data.

3. Data Sharing

We do not sell your personal data. We share data only with the following trusted sub-processors, each of whom is contractually obligated to handle it securely:

  • Stripe — payment processing. Your billing information is transmitted directly to Stripe and governed by Stripe's Privacy Policy.
  • Resend — transactional email delivery. We send your email address and message content to Resend solely to deliver emails you have requested or that are required for the service.
  • Anthropic— AI compliance analysis. Your business profile (industry, state, size, and operational attributes) is sent to Anthropic's API to generate audit findings. No personally identifiable information such as your name or email is included in these prompts.
  • Supabase— database and authentication infrastructure. All data is stored in Supabase's managed PostgreSQL database hosted in the US.

We may also disclose your information if required to do so by law or in the good-faith belief that such disclosure is necessary to comply with a legal obligation, protect our rights, or prevent fraud.

4. Data Retention

We retain your account and business data for as long as your account is active or as needed to provide you with the service. Audit results are stored for the duration of your subscription and for 30 days after cancellation, after which they are permanently deleted from our systems. You can request earlier deletion at any time (see Section 5).

Usage logs and anonymized analytics may be retained for up to 24 months for product improvement purposes. Payment records are retained for the period required by applicable financial regulations (typically 7 years).

5. Your Rights

Depending on where you are located, you may have certain rights with respect to your personal data, including the right to access, correct, or delete the data we hold about you. Specifically:

  • Access and portability: You can view and export your compliance history from your account settings at any time.
  • Correction: You can update your account information and business details directly in the app.
  • Deletion: You can delete your account and all associated data from your account settings. Deletion is permanent and takes effect within 30 days.
  • Opt-out of marketing: You can unsubscribe from non-essential communications using the unsubscribe link in any email we send. Transactional emails (e.g., audit alerts, billing receipts) cannot be disabled while your account is active.

To exercise any of these rights, contact us at privacy@vigis.app. We will respond within 30 days.

6. Security

We use industry-standard measures to protect your data, including TLS encryption in transit, AES-256 encryption at rest, and row-level security on our database. Access to production data is restricted to authorized personnel on a need-to-know basis. While we take security seriously, no system is perfectly secure, and we cannot guarantee the absolute security of your information.

7. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date and notify you by email or in-app notice when changes are material. Your continued use of Vigis after the effective date constitutes acceptance of the revised policy.

8. Contact Us

If you have any questions or concerns about this Privacy Policy or how we handle your data, please contact us at privacy@vigis.app.