Privacy Policy - How Vailo Protects Your Data

Your Data is Secure
    1. Introduction
      1. Vailo.io is a digital product developed and managed by CodeWizard, a registered business entity.
      2. Welcome to Vailo.io. This Privacy Policy outlines how we collect, use, and protect your personal information when you use our services.
    2. Definitions
      1. Application: Vailo.io, available at https://www.vailo.io.
      2. Workspace: The organizational area where teams collaborate on projects and tasks. Each user can only be a member of one workspace at a time.
      3. Owner: The person who creates the workspace and has full administrative privileges.
      4. Manager: A user with elevated privileges who can manage projects, tasks, teams, and workers.
      5. Finance Manager: A user with permissions to view billing and manage subscriptions.
      6. Worker: A standard team member who can work on tasks and collaborate with the team.
      7. Personal Data: Any information relating to an identified or identifiable natural person.
      8. Free Plan: No-cost account with limitations (10 users, unlimited teams and projects, 200MB storage, 90-day task history, no audit logging).
      9. Standard Plan: Paid subscription (€5.15/user/month) with unlimited users, teams, and projects, 10GB storage, unlimited task history, and 30-day audit log retention.
      10. Premium Plan: Paid subscription (€11.20/user/month) with unlimited users, teams, and projects, all Standard features plus advanced analytics, priority support, 250GB storage, and lifetime audit log retention.
    3. Information Collection and Use
      1. Personal Information: We collect name, email address, profile picture, job title, and password (encrypted) during registration.
      2. Payment Information: Billing details (credit card, address) are processed and stored securely by Stripe, our payment processor. We never store complete payment card numbers.
      3. Workspace Data: We collect and store project names, task details, team information, comments, file attachments, and workspace settings.
      4. Time Tracking Data: We collect and store time entries logged by workers on tasks, including: task ID, user ID, date, duration (in seconds), workspace ID, and locked status. Time entries are associated with weekly timesheets that track submission status, approval/rejection notes, and manager actions.
      5. Timesheet Data: Weekly timesheet records include: user ID, workspace ID, start/end dates, status (draft/submitted/approved/rejected), list of time entry IDs, submission timestamp, approval/rejection timestamp, manager notes, and approval metadata (approver/rejector user ID and timestamp).
      6. Approval Transparency: We track and store metadata for all timesheet approvals and rejections including: the manager's user ID who performed the action, timestamp of the action, and rejection reason (if applicable). This data is accessible to workers via hover popovers on status badges for transparency and accountability.
      7. Single Workspace Per User: Each user account is associated with exactly one workspace at a time. This limitation ensures clear data boundaries and proper access control.
      8. Usage Data: We collect information about how you use Vailo.io including login times, features accessed, task interactions, and notification preferences.
      9. Audit Logging: Standard and Premium plans include comprehensive audit logging that tracks all workspace activities (member management, project changes, team updates, billing events, timesheet approvals/rejections). Audit logs contain: user email, timestamp, action performed, before/after states, and action severity. These logs are accessible only to Workspace Owners and Managers.
      10. Timesheet Transparency: In addition to audit logs, timesheet approval and rejection actions are tracked with metadata (manager ID, timestamp, reason) that is directly accessible to workers via hover popovers on timesheet status badges, providing immediate transparency into the approval process.
      11. Email Communications: We send transactional emails (invitations, notifications, user removal notifications, subscription changes, receipts, email verification, timesheet approvals, timesheet rejections) and may send product updates (with opt-out option).
      12. Cookies and Tracking: We use essential cookies for authentication and session management. Analytics cookies may be used to improve service quality.
      13. File Uploads: Files attached to tasks and comments are stored in Firebase Cloud Storage with encryption at rest.
      14. All collected data is used to: provide and maintain our services, process payments, send notifications, improve user experience, ensure security, and comply with legal obligations.
      15. Data is preserved when changing subscription plans. Downgrading to Free plan may limit access to data exceeding plan limitations.
      16. Account Deletion Processing: User and workspace deletions are processed asynchronously through a secure background worker system. User accounts are disabled in Firebase Auth immediately upon removal.
    4. Data Security
      1. Encryption: All data is encrypted in transit using TLS 1.3 and at rest in Firebase Cloud Firestore and Cloud Storage.
      2. Authentication: We use Firebase Authentication with secure password hashing (bcrypt) and session management.
      3. Access Control: Role-based access control ensures users can only access data they're authorized to view.
      4. Payment Security: All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. We never store complete payment card information.
      5. Infrastructure: Our services run on Google Cloud Platform with automatic security updates and monitoring.
      6. Backups: Automated daily backups ensure data recovery capability in case of system failures.
      7. Security Monitoring: We monitor for unauthorized access attempts, suspicious activity, and potential security vulnerabilities.
      8. Incident Response: In case of a data breach, affected users will be notified within 72 hours as required by GDPR.
      9. Employee Access: Only authorized personnel can access user data, subject to strict confidentiality agreements.
      10. Regular Audits: We conduct regular security audits and penetration testing to identify and fix vulnerabilities.
    5. Data Sharing and Disclosure
      1. Within Workspace: Your workspace data (name, email, tasks, comments) is visible to other workspace members based on your role and project assignments.
      2. Service Providers: We share data with trusted third-party providers who help us operate Vailo.io:
      3. - Firebase (Google): Database, authentication, file storage, and hosting infrastructure.
      4. - Stripe: Payment processing, billing, and subscription management.
      5. - SendGrid: Transactional email delivery for notifications and invitations.
      6. - Sentry: Error tracking and performance monitoring (anonymized data).
      7. Legal Requirements: We may disclose data if required by law, court order, government request, or to protect our legal rights.
      8. Business Transfers: In case of merger, acquisition, or sale, user data may be transferred to the new entity (users will be notified).
      9. Aggregated Data: We may share anonymized, aggregated statistics about usage patterns for marketing purposes.
      10. No Sale of Data: We never sell your personal information to third parties for marketing purposes.
      11. Third-Party Links: Vailo.io may contain links to external websites. We are not responsible for their privacy practices.
    6. Time Tracking Data Privacy
      1. Time Entry Visibility: Time entries you log are visible only to you, your assigned managers, and workspace owners. Other workers cannot view your time tracking data.
      2. Manager Access: Managers can view time entries and timesheets for workers assigned to projects they manage. This access is necessary for the approval workflow.
      3. Workspace Owner Access: Workspace owners have full access to all time tracking data within their workspace for administrative and reporting purposes.
      4. Timesheet Approval Workflow: When you submit a timesheet for approval, assigned managers receive notifications and can view your time entries for that week to review and approve or reject.
      5. Approval Transparency: All approval and rejection actions are tracked with full transparency. Workers can view: who approved/rejected their timesheet (manager name), when the action was taken (timestamp), and why it was rejected (manager's note). This information is displayed via hover popovers on status badges in the timesheet interface.
      6. Locked Entries: Approved time entries are permanently locked and cannot be edited by workers or managers to maintain data integrity for payroll and billing purposes.
      7. Audit Trail: All timesheet submissions, approvals, and rejections are logged in audit logs (Standard: 30-day retention, Premium: lifetime retention) with timestamps and user actions.
      8. Email Notifications: Managers receive email notifications when workers submit timesheets. Workers receive email notifications when managers approve or reject their timesheets. Both notification types can be disabled in submission/approval dialogs.
      9. Data Retention: Time tracking data is retained according to your subscription plan: 90 days on Free plan, unlimited on Standard and Premium plans.
      10. No Third-Party Sharing: Time tracking data is never shared with external parties. It is used solely for internal workspace management and reporting.
      11. Payroll Processing: If you use time tracking data for payroll, you are responsible for exporting and processing this data. We do not integrate with payroll systems or share data with payroll providers.
      12. Export Capabilities: Premium plan users can export time tracking data for use in external payroll, billing, or reporting systems. Exported data remains your responsibility to protect.
      13. Deletion: When you delete your account, all your time entries and timesheets are permanently removed within 30 days. When a workspace is deactivated, all time tracking data is preserved for 90 days before permanent deletion.
    7. User Rights (GDPR Compliance)
      1. Right to Access: You can view and download your personal data through your profile settings or by contacting support.
      2. Right to Rectification: You can update your personal information (name, email, job title, avatar) in your profile settings at any time.
      3. Right to Erasure: You can delete your individual account from profile settings. Account deletion is processed asynchronously and may take up to 60 seconds. Firebase Auth account is disabled immediately. Workspace Owners can deactivate entire workspaces.
      4. Right to Data Portability: You can request a copy of your data in machine-readable format (JSON) by contacting support@vailo.io.
      5. Right to Restriction: You can limit how your data is processed by adjusting notification preferences or contacting support.
      6. Right to Object: You can opt-out of non-essential emails and notifications in your profile settings.
      7. Right to Withdraw Consent: You can revoke consent for data processing by deleting your account or contacting support.
      8. Right to Lodge a Complaint: You can file complaints with your local data protection authority if you believe your rights have been violated.
      9. Data Retention: Personal data is retained as long as your account is active. After account deletion, data is removed within 30 days. Deactivated workspace data is preserved for 90 days.
      10. Automated Decision-Making: We do not use automated decision-making or profiling that significantly affects users.
      11. Workspace Deactivation: Only workspace owners can deactivate workspaces. Deactivation uses soft delete - data preserved for 90 days for audit and recovery purposes.
      12. User Removal Notifications: Users removed from workspaces receive email notification with removal details and support contact information. Firebase Auth accounts are disabled immediately upon removal.
      13. Email Verification: All new accounts registered via email/password must verify their email address before accessing workspace features. Email verification is not required for Google OAuth accounts.
    8. International Data Transfers
      1. Vailo.io is operated from the European Union. Data is primarily stored in Google Cloud Platform data centers in Europe.
      2. By using Vailo.io, you consent to the transfer of your data to servers located in the EU and other countries where our service providers operate.
      3. We ensure appropriate safeguards are in place for international data transfers as required by GDPR (Standard Contractual Clauses).
      4. If you are located outside the EU, your data protection rights may differ based on local laws.
    9. Children's Privacy
      1. Vailo.io is not intended for users under the age of 16. We do not knowingly collect personal information from children.
      2. If we become aware that a user is under 16, we will immediately delete their account and associated data.
      3. Parents or guardians who believe their child has provided personal information to us should contact support@vailo.io.
    10. Email Notifications and Preferences
      1. We send transactional emails (invitations, email verification, user removal notifications, task assignments, mentions, deadline reminders, timesheet approvals, timesheet rejections, timesheet submissions to managers, subscription changes) necessary for service operation.
      2. Email Verification: New accounts registered via email/password receive an automatic verification email. This email must be verified before accessing workspace features. Google OAuth accounts do not require email verification.
      3. Timesheet Notifications: Workers receive email notifications when managers approve or reject their timesheets. Managers receive email notifications when workers submit timesheets. These emails can be optionally disabled during the approval/submission process.
      4. You can customize email notification preferences in your profile settings for: task assignments, mentions, deadlines, project updates, timesheet events, and digest frequency.
      5. Marketing emails (product updates, feature announcements) include an unsubscribe link in every message.
      6. Unsubscribing from marketing emails does not affect transactional notifications necessary for service operation.
      7. Email delivery is handled by SendGrid. Email open/click tracking may be used to improve service quality.
      8. User Removal Notifications: When removed from a workspace, you receive an automated email with details and support contact information.
      9. Subscription Change Notifications: Plan upgrades, downgrades, and cancellations trigger automatic confirmation emails.
      10. Help Center Access: Free plan users have access to Help Center link in navigation for self-service support. Standard and Premium users have access to Feedback system for direct communication.
    11. Data Retention and Deletion
      1. Active Accounts: Data is retained as long as your account remains active.
      2. Deleted Accounts: Upon account deletion, personal data is permanently removed within 30 days. Account deletion is processed asynchronously through a secure background worker. Firebase Auth account is disabled immediately.
      3. User Status Tracking: User accounts go through status transitions: active → removing → deleted. Firestore document is marked with status 'deleted' for audit trail, while Firebase Auth account is disabled immediately.
      4. Workspace Deactivation: Workspace deactivation uses soft delete - data is preserved for 90 days for audit and compliance purposes. Deactivated workspaces can be recovered by contacting support within 90 days.
      5. After 90 Days: Deactivated workspace data may be permanently deleted after the 90-day recovery period.
      6. Archived Data: Task history and audit logs may be retained for up to 90 days for security and compliance purposes.
      7. Audit Log Retention: Audit logs are retained based on subscription plan: Free (no logs), Standard (30 days), Premium (lifetime). After subscription downgrade, audit logs are retained according to the new plan limitations.
      8. Payment Records: Billing and invoice data is retained for 7 years to comply with tax and accounting regulations.
      9. Backup Data: Deleted data may persist in encrypted backups for up to 90 days before permanent removal.
      10. Subscription Cancellation: Upon workspace deactivation, Stripe subscriptions are automatically cancelled and no further charges occur.
      11. User Removal Processing: User removals are processed through an asynchronous background worker system with status tracking and audit logging. Users are removed from all tasks, teams, and projects automatically.
    12. Changes to the Privacy Policy
      1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or service features.
      2. Significant changes will be communicated via: email notification to all users, in-app notification banner, and prominent notice on our website.
      3. The 'Last Updated' date at the top of this policy indicates when changes were last made.
      4. Continued use of Vailo.io after changes are posted constitutes acceptance of the updated Privacy Policy.
      5. If you do not agree with changes, you should discontinue use and may delete your account.
    13. Contact Us
      1. Data Controller: CodeWizard (Vailo.io operator), registered business entity in the European Union.
      2. Email: support@vailo.io for general inquiries and data protection requests.
      3. Privacy Requests: For GDPR-related requests (access, deletion, portability), email support@vailo.io with 'Privacy Request' in the subject line.
      4. Response Time: We aim to respond to all privacy inquiries within 72 hours and fulfill requests within 30 days as required by GDPR.
      5. Support Portal: Visit https://www.vailo.io/support for additional help and documentation.
      6. Mailing Address: Available upon request for formal legal notices.
Last update: 31.10.2025