Privacy Policy

1. Data Controller

The controller of your personal data within the meaning of Art. 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) is:

The Controller has not appointed a Data Protection Officer. For all matters concerning personal data processing, please contact us at the email address above.

2. Data We Collect

When you use Vaulito, we collect the following categories of personal data:

  • Account data: email address, first name, last name, hashed password (bcrypt), or Google identifier (when using Google OAuth sign-in).
  • Financial data: expenses, income, budgets, loans, savings goals, recurring expenses, categories, and tags you create within the app.
  • Household data: household names, members, roles, and invitations.
  • Planner data: events, schedules, and reminders.
  • Documents: files uploaded to the Document Vault (warranties, contracts, receipts, etc.).
  • Bank import data: bank statements (CSV, XLSX, PDF) uploaded for transaction import.
  • Scan data: receipt and invoice images processed through OCR and AI.
  • Subscription data: subscription plan, payment history, Paddle transaction identifier.
  • Technical data: IP address, browser type, access timestamps, session identifiers.
  • Communication data: messages from contact and suggestion forms.

3. Purposes and Legal Bases for Processing

We process your personal data for the following purposes and on the following legal bases:

  • Providing the service (Art. 6(1)(b) GDPR — performance of a contract): creating and maintaining your account, storing financial records, delivering app features, managing subscriptions and payments.
  • Security (Art. 6(1)(f) GDPR — legitimate interests): authenticating your identity, protecting against unauthorized access, detecting abuse, rate limiting.
  • Communication (Art. 6(1)(f) GDPR): responding to contact form messages, sending household invitations, weekly digest emails (when opted in).
  • AI-powered features (Art. 6(1)(a) GDPR — consent, expressed by actively using AI features): processing data through Azure OpenAI (Microsoft) for transaction categorization, bank statement parsing, receipt scanning, and AI chat (Vaultie).
  • Analytics (Art. 6(1)(a) GDPR — consent via cookie acceptance): Google Analytics 4 for aggregated, anonymized traffic analysis on the landing page. Analytics are activated only after cookie consent is given.
  • Legal obligations (Art. 6(1)(c) GDPR): fulfilling obligations under applicable law, including tax and accounting regulations.

4. AI Data Processing

Vaulito uses Azure OpenAI Service (Microsoft) to power the following features:

  • Smart Scan: text extraction from receipts and documents (OCR) with automatic categorization.
  • Vaultie (AI Chat): a conversational assistant that can look up, create, and modify your data.
  • Bank Import: automatic format detection, transaction parsing, and categorization.
  • AI Reports: spending analysis and suggestions (Premium subscribers).

Important information regarding AI:

  • Data sent to AI features is processed by Microsoft Azure OpenAI Service within the European data boundary (EU Data Boundary).
  • Your data is not used to train or improve AI models. See: Microsoft’s Azure OpenAI data privacy policy.
  • Microsoft acts as a sub-processor under a GDPR-compliant Data Processing Agreement (Microsoft Products DPA).
  • AI-generated content may contain errors, inaccuracies, or omissions. You are responsible for verifying all data processed by AI features.
  • All actions initiated by AI (e.g., creating or modifying transactions) require your explicit confirmation before execution.

5. Data Recipients (Sub-Processors)

We do not sell, trade, or share your personal data with third parties for marketing purposes. Data may be disclosed to the following categories of recipients:

  • Microsoft Azure (hosting, database, file storage, Application Insights) — acting as a data processor under standard contractual clauses and the Microsoft Products DPA. Data is stored in EU data centers (West Europe region, Netherlands).
  • Microsoft Azure OpenAI Service — sub-processor handling data submitted to AI features. Processing occurs within the EU Data Boundary. Data is not used for model training.
  • Microsoft Azure Document Intelligence — sub-processor handling receipt and document image processing (OCR). Processing occurs within the EU.
  • Microsoft Azure Communication Services — sub-processor sending emails (confirmations, invitations, weekly digests).
  • Paddle.com Market Limited (Judd House, 18–29 Mora Street, London, EC1V 8BT, United Kingdom) — Merchant of Record handling subscription payments, invoicing, tax collection, and refunds. Paddle processes data necessary for payment execution under its own privacy policy: https://www.paddle.com/legal/privacy.
  • Google LLC (Google Analytics 4) — only after cookie consent. IP anonymization enabled. See: Google Privacy Policy.
  • Public authorities — when required by applicable law or a valid court order.

6. International Data Transfers

Personal data processed by Vaulito is stored on Microsoft Azure servers in the European Union (West Europe region, Netherlands).

If you consent to analytics cookies (Google Analytics 4), data may be transferred to the United States. Such transfer is based on the European Commission’s adequacy decision (EU-U.S. Data Privacy Framework) and standard contractual clauses.

For Azure OpenAI and Azure Document Intelligence, processing occurs within the Microsoft EU Data Boundary.

7. Data Storage & Security

Your data is stored on Microsoft Azure infrastructure in the European Union. We employ the following security measures:

  • Encrypted data transmission (TLS 1.2+ / HTTPS).
  • Encrypted database at rest (Azure SQL Transparent Data Encryption).
  • Secure password hashing (bcrypt).
  • JWT-based authentication with short-lived access tokens and refresh token rotation.
  • Encrypted file storage in Azure Blob Storage (SSE).
  • Per-IP rate limiting and API key protection.
  • HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).

8. Data Retention

  • Account and financial data: retained for as long as your account is active. When you delete your account, all associated data is permanently removed.
  • Trash items: permanently deleted automatically 30 days after being moved to trash.
  • Contact form messages: retained for up to 12 months.
  • Payment data: retained for the period required by tax law (5 years from the end of the tax year in which the payment was made).
  • Technical logs: Application Insights — 90 days (production), 30 days (test).
  • Demo accounts: automatically cleaned every 10 minutes.

9. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15 GDPR): request a copy of your personal data.
  • Right to data portability (Art. 20 GDPR): export your data in a machine-readable format (JSON) using the “Export My Data” feature in Settings.
  • Right to rectification (Art. 16 GDPR): update your personal information through the app.
  • Right to erasure (Art. 17 GDPR — “right to be forgotten”): permanently delete your account and all associated data using the “Delete Account” feature in Settings.
  • Right to restriction of processing (Art. 18 GDPR): request restriction of processing in certain circumstances.
  • Right to object (Art. 21 GDPR): object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3) GDPR): for processing based on consent (AI features, analytics cookies), you may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
  • Right to lodge a complaint: you may file a complaint with the Polish supervisory authority — President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl.

To exercise your rights, contact us at: contact@vaulito.com. We respond to requests within 30 days.

10. Cookies

Vaulito uses the following types of cookies:

  • Essential cookies: required for authentication, session management, and proper app functionality. Legal basis: Art. 6(1)(f) GDPR (legitimate interests). No consent required.
  • Analytics cookies (optional): Google Analytics 4 — collecting anonymized traffic data on the landing page. Activated only after consent via the cookie banner. Legal basis: Art. 6(1)(a) GDPR (consent).

We do not use advertising or tracking cookies. You may withdraw analytics cookie consent at any time by clearing your browser cookies or clicking “Essential Only” on the cookie banner.

11. Automated Decision-Making and Profiling

Vaulito does not engage in automated decision-making within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you.

Financial data analysis (charts, category breakdowns, spending trends) is purely informational and serves only to present your data. AI categorization is a suggestion that requires your confirmation.

Vaulito is not a financial advisor. All data, analyses, charts, and AI suggestions presented in the application are for informational purposes only and do not constitute financial, investment, tax, or legal advice. You make all financial decisions at your own risk.

12. Children’s Privacy

Vaulito is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Continued use of the service after changes constitutes acceptance of the revised policy.

For material changes, we will make reasonable efforts to notify users via the application or email.

14. Contact

For any privacy-related questions or to exercise your rights, please contact us: