Privacy

Draft — pending operator review. This text is a minimum-disclosure baseline reflecting the technical reality of the platform. It will be reviewed and ratified before public launch.

Vested collects the minimum data required to operate. We do not sell or share user data with third parties. There are no third-party trackers, no cookie consent banner because there are no cookies requiring one.

What we collect

• Server access logs. IP address, user-agent, request path, response status, timestamp. Retained 30 days for security and abuse detection, then deleted.
• Self-hosted analytics. Aggregate page views, referrer host, country (geolocated from IP at the edge — IP is not stored against the analytics record). No individual-user profiles.
• Newsletter subscribers. Email address only, plus subscribed/unsubscribed status. Email is stored pseudonymised (hashed lookup) and used solely to deliver the digest you signed up for.
• Pro tier customers. The minimum identifying data required by Stripe to process payment, plus an email for account access. Stripe handles cards directly; we never see card details.
• Sponsorship inquiries. Whatever you put into the contact form, used to respond to that inquiry.

What we do not collect

• No third-party trackers (no Google Analytics, no Facebook pixel, no Hotjar).
• No advertising cookies.
• No fingerprinting beyond standard server logs.
• No social media login data.

How long we keep it

• Server logs: 30 days, then deleted.
• Newsletter subscriber records: until you unsubscribe; 30 days after unsubscribe, the record is deleted.
• Pro tier customer records: until you close the account; we keep payment receipts as long as legally required for tax purposes (typically 7 years), the rest is deleted at account closure.
• Analytics aggregates: 12 months, then archived.

Your rights

You have the right to request a copy of any personal data we hold, correct it, or have it deleted. Contact [email protected] with the request. We respond within 30 days. EU and California residents have specific rights under GDPR and CCPA respectively; those rights are honoured globally.

Cookies and similar

Functional cookies only — currently a session cookie for Pro-tier auth (single-purpose, first-party, expires on logout) and an opt-out cookie if you've explicitly opted out of self-hosted analytics aggregation. Nothing else.

Data security

Data is stored encrypted at rest. Backups are encrypted before they leave the server. Access to the production environment is limited to operating-entity personnel via key-based SSH only. Tier-A credentials are never stored on the public-facing server.

Operating entity

Vested is operated by Auva Labs FZE. The operating entity is the data controller for the purposes of GDPR and analogous regimes. Contact: [email protected].

Last reviewed: 2026-05-02. See also methodology and terms.