Privacy Policy
Last updated: March 4, 2026
1. Overview
VynFi (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our platform at vynfi.com, including the dashboard, API, documentation, and related services (the “Service”).
This policy is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable data protection laws.
2. Data Controller
VynFi.com LLC (i.G.) is the data controller responsible for your personal data. For questions about this policy or our data practices, contact our Data Protection Officer (see Section 14).
This policy complies with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP / DSG).
3. Data We Collect
We collect the following categories of personal data:
3.1 Account Data
- Full name, email address, and organization name
- Password (stored as Argon2 hash; we never store plaintext passwords)
- Account role and team membership information
- Communication preferences
3.2 Usage Data
- API request logs (endpoint, timestamp, response code, latency)
- Credit consumption and generation job metadata
- Dashboard interaction patterns (pages visited, features used)
- Subscription tier and billing cycle information
3.3 Payment Data
- Billing address and company details for invoicing
- Payment method type and last four digits (full card details are processed and stored exclusively by Stripe; we never store full card numbers)
- Transaction history and invoice records
3.4 Technical Data
- IP address and approximate geolocation (country/region level)
- Browser type, version, and operating system
- Device identifiers and screen resolution
- Referring URL and landing page
4. Legal Bases for Processing
We process your personal data on the following legal bases under GDPR Article 6(1):
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Service improvements and analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal and regulatory compliance | Legal obligation (Art. 6(1)(c)) |
5. How We Use Your Data
- To provision and maintain your account, API keys, and subscription
- To process generation jobs and track credit consumption
- To charge fees, process refunds, and generate invoices
- To send transactional emails (account confirmations, billing receipts, security alerts)
- To detect and prevent abuse, fraud, and unauthorized access
- To improve the Service through aggregated, anonymized analytics
- To provide customer support and respond to inquiries
- To send marketing communications (only with your explicit opt-in consent)
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| API request logs | 90 days (rolling) |
| Generation output data | 30 days after job completion (then purged) |
| Billing and transaction records | 7 years (legal/tax obligation) |
| Technical/analytics data | 24 months (anonymized after 12 months) |
| Support correspondence | 3 years after ticket resolution |
8. Your Rights
Under GDPR and applicable data protection laws, you have the following rights regarding your personal data:
- Right of Access (Art. 15). You may request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16). You may request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17). You may request deletion of your personal data, subject to legal retention obligations.
- Right to Restriction (Art. 18). You may request that we restrict processing of your data in certain circumstances.
- Right to Data Portability (Art. 20). You may request your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to Object (Art. 21). You may object to processing based on legitimate interests, including direct marketing.
- Right to Withdraw Consent. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@vynfi.com or use the self-service tools described below.
8.1 How to Exercise Your Rights
- Self-service: Most rights can be exercised directly from your dashboard at Settings → Privacy.
- Data export: Download all your data in JSON format from Settings → Privacy → Export Data.
- Account deletion: Request full account deletion from Settings → Privacy → Delete Account. This permanently removes all personal data within 30 days.
- API for rights: Use the
DELETE /v1/accountendpoint for programmatic account deletion.
8.2 Response Timeline
- We respond to all data subject requests within 30 days of receipt.
- Complex requests may take up to 60 days; we will notify you of any extension and the reasons for the delay within the initial 30-day period.
- All requests are logged and tracked for compliance audit trail purposes.
8.3 Right to Lodge a Complaint
If you are unsatisfied with our response to a data subject request, you have the right to lodge a complaint with your local supervisory authority:
- EU residents: Find your national data protection authority at the European Data Protection Board (EDPB) members list.
- UK residents: Contact the Information Commissioner's Office (ICO) at ico.org.uk.
10. International Transfers
Our primary infrastructure is hosted on Microsoft Azure in the United States and Western Europe. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards through:
- EU-US Data Privacy Framework certification (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all subprocessors
For details on international transfer mechanisms, see our Data Processing Agreement.
11. Security Measures
We implement technical and organizational measures to protect your personal data, including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest (Azure Storage Service Encryption)
- Argon2id hashing for passwords and API key secrets
- Role-based access controls with principle of least privilege
- Regular penetration testing and vulnerability assessments
- Audit logging of all administrative and data access operations
12. Children's Privacy
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 16, we will promptly delete that data.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or a prominent notice on the dashboard at least 30 days before taking effect. The “Last updated” date at the top reflects the most recent revision.
14. Data Protection Officer
Our Data Protection Officer can be reached at:
If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority.
See also: Terms of Service | Data Processing Agreement | Service Level Agreement