Vailto

Privacy Policy

Version 1.0 · Effective date: 7 May 2026

This Privacy Policy describes how Meranex Ltd (a company registered in England and Wales, company number 13730629, registered office: 4 Hatchlands, Milton Keynes MK8 9DN, United Kingdom) ("we", "us") collects, uses and protects your personal data when you use Vailto ("Service"). It is written to comply with the UK GDPR, the EU GDPR and the UK Data Protection Act 2018.

1. Controller

The data controller is Meranex Ltd. Contact: ar@meranex.com.

2. What we collect

| Category | Data | Lawful basis |
|---|---|---|
| Account | Email, optional name, language and tax region preferences | Performance of contract |
| User content | Receipt images, product details, notes, contacts (recipients), AI assistant conversations | Performance of contract |
| Usage logs | API call timestamps, AI cost tracking, error logs | Legitimate interest (service operation, fraud prevention) |
| Analytics | Anonymous interaction recordings via Microsoft Clarity (clicks, scrolls) | Legitimate interest (improving the product) |
| Payments (when active) | Subscription status only — card details handled by Stripe | Performance of contract |

3. What we do NOT collect

  • Passwords (we use Supabase Auth — passwords, when set, are hashed and never visible to us);
  • Credit card numbers (handled directly by Stripe);
  • Behavioural advertising profiles;
  • Data for AI model training (Anthropic does not retain your data after processing).

4. AI processing (Anthropic Claude)

When you upload a receipt or use the conversational assistant, the relevant content is sent to Anthropic (Claude API) for processing. Anthropic processes data on our behalf as a sub-processor under their Enterprise Data Privacy terms:

  • Anthropic does not retain inputs/outputs after processing;
  • Anthropic does not use your data to train models;
  • Inputs may be retained briefly for trust & safety review (Anthropic policy).

Note: Anthropic processes data in the United States. The transfer is covered by the EU-US Data Privacy Framework and standard contractual clauses (SCCs) where applicable.

5. Where your data is stored

  • Database, account, receipts: Supabase, hosted on AWS Frankfurt (EU).
  • Receipt images: Supabase Storage (same region, EU).
  • AI processing: Anthropic, ephemeral processing (US).
  • Email delivery: Resend (EU + US).
  • Inbound email: Postmark (US).
  • Analytics: Microsoft Clarity (cloud).
  • Hosting: Vercel (EU edge).
  • Payments (when active): Stripe (EU + US).

6. How long we keep your data

  • Account and user content: until you delete your account, or 24 months of inactivity (whichever comes first);
  • Usage logs: 12 months from the event;
  • Email forwarding audit (Postmark webhook): 30 days;
  • Backup snapshots: max 7 days (rolling).

7. Sharing with third parties

We do not sell your data. We share data only with the sub-processors listed in section 5, strictly to provide the Service. We may disclose data if required by law or to protect our rights.

8. Your rights

Under GDPR you have the right to:

  • Access: download a copy of your data via Settings → Export my data;
  • Rectification: correct inaccurate data via the app;
  • Erasure: delete your account via Settings → Delete account;
  • Restriction: ask us to limit processing;
  • Portability: receive your data in a structured format (the Export ZIP);
  • Objection: object to processing based on legitimate interest;
  • Withdraw consent: where processing is based on consent.

To exercise any right, write to ar@meranex.com. We respond within 30 days.

9. Complaints

If you believe we have not handled your data properly, you can complain to a supervisory authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk;
  • Italy: Garante per la protezione dei dati personali — garanteprivacy.it.

10. Cookies and analytics

Vailto uses Microsoft Clarity to anonymously record usage sessions (clicks, scrolls, navigation) to understand what to improve. Personal data entered in forms is masked. To opt out, enable "Do Not Track" in your browser. Clarity uses cookies and similar technologies — see Microsoft Clarity's terms.

The app itself uses minimal first-party cookies for session authentication.

11. Children

Vailto is not directed at children under 18. We do not knowingly collect data from minors. If you believe we have collected data from a minor, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy. For material changes we will notify you by email and via an in-app banner at least 30 days before the new version takes effect.

13. Contact

Questions about privacy or to exercise your rights: ar@meranex.com.

Vailto · A product by Meranex