Privacy Policy

Effective date: 23rd March, 2026

vin.gs (the "Site") and the Vings mobile applications (the "Apps") are operated by Christopher Krogh. Christopher Krogh is the data controller and can be contacted at:

chris@vin.gs

This Privacy Policy describes how we collect, use, and share personal data when you use our website, web application, and mobile apps (together, our "services"). Unless we say otherwise, it applies whether you access Vings on the web or through an App.

Purpose

The purpose of this privacy policy (this Privacy Policy) is to inform users of our services of the following:

The personal data we will collect;
Use of collected data;
Who has access to the data collected;
The rights of users; and
Cookies and similar technologies.

This Privacy Policy applies in addition to the terms and conditions of our Site.

Personal Data We Collect

Depending on how you use our services, we may collect:

Account and identity data such as name, email address, authentication provider, and profile details you provide.
Financial and transaction-related data you choose to connect or import, including data from linked financial institutions (via Plaid or similar), transactions, categories, budgets, goals, portfolio or wallet information, and documents you upload (for example CSV or PDF imports) where supported.
Usage and technical data such as app or site interactions, approximate location derived from IP or device settings where applicable, device identifiers, crash and performance data, and product analytics events.
Security and MFA-related data such as device fingerprints or verification signals we use to protect your account.
Support and feedback you send us, including bug reports and messages submitted through in-product forms or third-party feedback tools.
Copilot content when you use Copilot or similar features: your messages and related context may be sent to our AI inference provider to generate responses (see AI-assisted features below).

GDPR

For users in the European Union, we adhere to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (the GDPR). For users in the United Kingdom, we adhere to the GDPR as enshrined in the Data Protection Act 2018.

Consent

By using our services you agree that you consent to the conditions set out in this Privacy Policy where consent is the appropriate legal basis.

When the legal basis for us processing your personal data is that you have provided your consent to that processing, you may withdraw your consent at any time. If you withdraw your consent, it will not make processing which we completed before you withdrew your consent unlawful.

You can withdraw consent or exercise privacy requests by emailing us at chris@vin.gs. You may also use in-product feedback for general support; for legal requests or consent withdrawal, email is the appropriate channel.

Legal Basis for Processing

We collect and process personal data about users in the EU only when we have a legal basis for doing so under Article 6 of the GDPR.

We rely on the following legal bases to collect and process the personal data of users in the EU:

Users have provided their consent to the processing of their data for one or more specific purposes; and
Processing of user personal data is necessary for us or a third party to pursue a legitimate interest. Our legitimate interest is not overridden by the interests or fundamental rights and freedoms of users. Our legitimate interest(s) include providing expense tracking, portfolio, and related financial tools.

How We Use Personal Data

Data collected through our services will only be used for the purposes specified in this Privacy Policy or indicated on the relevant screens. We will not use your data beyond what we disclose in this Privacy Policy.

AI-assisted features

Certain features (such as Copilot) send your prompts and limited contextual information to AWS Bedrock (Amazon Web Services’ managed foundation-model service) in supported regions (for example, inference using regional inference profile identifiers). Bedrock is designed for secure enterprise use: inference runs in AWS’s managed environment with strong isolation, encryption, and governance controls, which helps keep sensitive prompts and outputs within our cloud boundary rather than routing them through a general-purpose consumer AI platform. Content is processed to generate responses. AWS acts as a service provider; refer to AWS Bedrock documentation and terms for details on how inference requests are handled. Do not include information in Copilot you do not want processed for this purpose.

Financial account linking

When you connect a bank or other account through our integration partner Plaid (or similar providers we may use), Plaid receives information from financial institutions as described in Plaid's own policies and passes data to us so we can display balances and transactions in Vings. We use that data to provide the service, not to sell it to unrelated advertisers. Review Plaid's privacy notice when you link an institution.

Who We Share Personal Data With

Employees

We may disclose user data to any member of our organization who reasonably needs access to user data to achieve the purposes set out in this Privacy Policy.

Service providers (processors)

We use trusted third-party service providers to host, operate, and improve our services. They process personal data on our instructions and under contractual obligations appropriate to their role. We do not sell your personal data. Categories of providers include:

Supabase — authentication and database hosting.
Vercel — website and API hosting; may include web analytics and performance insights on our site.
PostHog — first-party product analytics and related event data.
Sentry — error monitoring, diagnostics, and (where enabled) session replay for debugging.
Stripe — payment processing for web subscriptions and billing where applicable.
RevenueCat — in-app subscription management on mobile.
Plaid — bank and financial institution linking.
AWS (including Bedrock) — cloud infrastructure and AI inference for assistant features.
Canny — optional product feedback and roadmap widgets where we enable them.
Google — where you choose Google Sign-In on mobile, Google processes authentication according to its terms.

This list may change as we add or replace vendors; we will update this Privacy Policy when we make material changes to how we share data.

Other disclosures

Beyond service providers, we may disclose information in the following cases:

If the law requires it;
If it is required for any legal proceeding;
To prove or protect our legal rights; and
To buyers or potential buyers of this company in the event that we seek to sell the company.

If you follow hyperlinks from our Site to another site, please note that we are not responsible for and have no control over their privacy policies and practices.

How Long We Store Personal Data

User data will be stored until the purpose the data was collected for has been achieved. You will be notified if your data is kept for longer than this period.

How We Protect Your Personal Data

We use industry-standard safeguards including encryption in transit and at rest where appropriate, access controls, and confidentiality commitments for staff. Service providers we use are vetted under contracts that require appropriate security and confidentiality. Our employees with access to personal data are bound by confidentiality expectations. While we take reasonable precautions to protect user data, no method of transmission or storage is completely secure; we cannot guarantee absolute security beyond what is reasonably practical.

Your Rights as a User

Under the GDPR, you have the following rights:

Right to be informed;
Right of access;
Right to rectification;
Right to erasure;
Right to restrict processing;
Right to data portability; and
Right to object.

Children

We do not knowingly collect or use personal data from children under 16 years of age. If we learn that we have collected personal data from a child under 16 years of age, the personal data will be deleted as soon as possible. If a child under 16 years of age has provided us with personal data their parent or guardian may contact our data protection officer.

How to Access, Modify, Delete, or Challenge the Data Collected

If you would like to know if we have collected your personal data, how we have used your personal data, if we have disclosed your personal data and to whom we disclosed your personal data, if you would like your data to be deleted or modified in any way, or if you would like to exercise any of your other rights under the GDPR, please contact our data protection officer here:

Christopher Krogh

chris@vin.gs

Do Not Track Notice

Do Not Track (DNT) is a privacy preference that you can set in certain web browsers. We do not use DNT signals to opt you out of first-party product analytics and similar technologies we describe in this policy (for example PostHog on our own domain). We do not participate in cross-site behavioral advertising tracking across unrelated third-party sites in the way DNT was often intended to address. You can control cookies and similar technologies through your browser where available.

Cookie Policy

We use cookies and similar technologies (including local storage) for the purposes below. You can often control cookies through your browser; blocking some cookies may affect how certain features work.

Strictly necessary — These include cookies and similar storage needed to maintain your session, security, multi-factor authentication, and related preferences (for example authentication state, device or verification signals where we use them).
Analytics and monitoring — We use first-party and vendor tools that may set cookies or identifiers to measure product usage, diagnose errors, and improve reliability (including PostHog and Sentry as described above).

Modifications

This Privacy Policy may be amended from time to time in order to maintain compliance with the law and to reflect any changes to our data collection process. When we amend this Privacy Policy we will update the Effective Date at the top of this Privacy Policy. We recommend that our users periodically review our Privacy Policy to ensure that they are notified of any updates. If necessary, we may notify users by email of changes to this Privacy Policy.

Complaints

If you have any complaints about how we process your personal data, please contact us through the contact methods listed in the Contact Information section so that we can, where possible, resolve the issue. If you feel we have not addressed your concern in a satisfactory manner you may contact a supervisory authority. You also have the right to directly make a complaint to a supervisory authority. You can lodge a complaint with a supervisory authority by contacting the Information Commissioner's Office in the UK.

Contact Information

If you have any questions, concerns or complaints, you can contact our data protection officer, Christopher Krogh, at:

chris@vin.gs

Privacy Policy

Effective date: 23rd March, 2026

vin.gs (the "Site") and the Vings mobile applications (the "Apps") are operated by Christopher Krogh. Christopher Krogh is the data controller and can be contacted at:

chris@vin.gs

Purpose

The purpose of this privacy policy (this Privacy Policy) is to inform users of our services of the following:

The personal data we will collect;
Use of collected data;
Who has access to the data collected;
The rights of users; and
Cookies and similar technologies.

This Privacy Policy applies in addition to the terms and conditions of our Site.

Personal Data We Collect

Depending on how you use our services, we may collect:

Account and identity data such as name, email address, authentication provider, and profile details you provide.
Financial and transaction-related data you choose to connect or import, including data from linked financial institutions (via Plaid or similar), transactions, categories, budgets, goals, portfolio or wallet information, and documents you upload (for example CSV or PDF imports) where supported.
Usage and technical data such as app or site interactions, approximate location derived from IP or device settings where applicable, device identifiers, crash and performance data, and product analytics events.
Security and MFA-related data such as device fingerprints or verification signals we use to protect your account.
Support and feedback you send us, including bug reports and messages submitted through in-product forms or third-party feedback tools.
Copilot content when you use Copilot or similar features: your messages and related context may be sent to our AI inference provider to generate responses (see AI-assisted features below).

GDPR

Consent

By using our services you agree that you consent to the conditions set out in this Privacy Policy where consent is the appropriate legal basis.

Legal Basis for Processing

We collect and process personal data about users in the EU only when we have a legal basis for doing so under Article 6 of the GDPR.

We rely on the following legal bases to collect and process the personal data of users in the EU:

Users have provided their consent to the processing of their data for one or more specific purposes; and
Processing of user personal data is necessary for us or a third party to pursue a legitimate interest. Our legitimate interest is not overridden by the interests or fundamental rights and freedoms of users. Our legitimate interest(s) include providing expense tracking, portfolio, and related financial tools.

How We Use Personal Data

AI-assisted features

Financial account linking

Who We Share Personal Data With

Employees

We may disclose user data to any member of our organization who reasonably needs access to user data to achieve the purposes set out in this Privacy Policy.

Service providers (processors)

Supabase — authentication and database hosting.
Vercel — website and API hosting; may include web analytics and performance insights on our site.
PostHog — first-party product analytics and related event data.
Sentry — error monitoring, diagnostics, and (where enabled) session replay for debugging.
Stripe — payment processing for web subscriptions and billing where applicable.
RevenueCat — in-app subscription management on mobile.
Plaid — bank and financial institution linking.
AWS (including Bedrock) — cloud infrastructure and AI inference for assistant features.
Canny — optional product feedback and roadmap widgets where we enable them.
Google — where you choose Google Sign-In on mobile, Google processes authentication according to its terms.

This list may change as we add or replace vendors; we will update this Privacy Policy when we make material changes to how we share data.

Other disclosures

Beyond service providers, we may disclose information in the following cases:

If the law requires it;
If it is required for any legal proceeding;
To prove or protect our legal rights; and
To buyers or potential buyers of this company in the event that we seek to sell the company.

If you follow hyperlinks from our Site to another site, please note that we are not responsible for and have no control over their privacy policies and practices.

How Long We Store Personal Data

User data will be stored until the purpose the data was collected for has been achieved. You will be notified if your data is kept for longer than this period.

How We Protect Your Personal Data

Your Rights as a User

Under the GDPR, you have the following rights:

Right to be informed;
Right of access;
Right to rectification;
Right to erasure;
Right to restrict processing;
Right to data portability; and
Right to object.

Children

How to Access, Modify, Delete, or Challenge the Data Collected

Christopher Krogh

chris@vin.gs

Do Not Track Notice

Cookie Policy

Strictly necessary — These include cookies and similar storage needed to maintain your session, security, multi-factor authentication, and related preferences (for example authentication state, device or verification signals where we use them).
Analytics and monitoring — We use first-party and vendor tools that may set cookies or identifiers to measure product usage, diagnose errors, and improve reliability (including PostHog and Sentry as described above).

Modifications

Complaints

Contact Information

If you have any questions, concerns or complaints, you can contact our data protection officer, Christopher Krogh, at:

chris@vin.gs