Privacy Policy

1. Introduction and Scope

VYN ("we," "us," or "our") is committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform (the "Service").

This policy applies to all users of VYN, including organization owners, staff members, and administrators. It also covers information about your clients that you store in our platform as part of your business operations.

By using VYN, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our Service.

2. Information We Collect

2.1 Information You Provide Directly

When you register for and use VYN, we collect information that you voluntarily provide:

• Account Information: Name, email address, password, organization name, business type
• Profile Information: Phone number, job title, profile photo, time zone preferences
• Business Information: Organization details, location addresses, business hours, services offered
• Payment Information: Billing address, payment method details (processed securely by Stripe)
• Client Data: Information about your customers that you enter into the system (names, contact details, appointment history, notes)

2.2 Information Collected Automatically

When you access VYN, we automatically collect certain information about your device and usage:

• Usage Data: Pages viewed, features used, actions performed, time spent, search queries
• Device Information: IP address, browser type and version, operating system, device type
• Log Data: Access times, error logs, referring URLs, page load times
• Cookies and Similar Technologies: Session identifiers, authentication tokens, preference settings

2.3 Information from Third Parties

We may receive information from third-party services you connect to VYN, such as payment processors (Stripe), analytics providers, or authentication services. This information is used solely to provide and improve the Service.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Provision: To create and manage your account, process transactions, and deliver the features you use
• Communication: To send transactional emails (appointment confirmations, password resets, billing notifications)
• Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance
• Service Improvement: To analyze usage patterns, identify bugs, and enhance user experience
• Security: To detect and prevent fraud, abuse, unauthorized access, and other harmful activities
• Compliance: To comply with legal obligations, enforce our Terms of Service, and protect our rights
• Marketing: To send promotional emails about new features, updates, or offers (with your consent, where required)

We do not sell your personal information to third parties. We do not use your client data for any purpose other than providing the Service to you.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data under the following legal bases:

• Contractual Necessity: Processing is necessary to perform our contract with you (providing the Service)
• Legitimate Interests: Processing is necessary for our legitimate business interests (fraud prevention, service improvement, security)
• Legal Obligation: Processing is required to comply with legal or regulatory requirements
• Consent: You have given explicit consent for specific processing activities (marketing emails, optional features)

You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

5. Data Sharing and Third Parties

5.1 Service Providers

We share your information with trusted third-party service providers who help us operate the Service:

• Supabase: Database hosting, authentication, and infrastructure (SOC 2 Type II certified)
• Stripe: Payment processing for subscriptions (PCI DSS Level 1 certified)
• Email Service Providers: Transactional email delivery (account notifications, password resets)
• Analytics Providers: Aggregated usage analytics and performance monitoring
• Cloud Infrastructure: Hosting, content delivery, and backup services

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your information if required by law, legal process, or government request, or if we believe in good faith that disclosure is necessary to:

• Comply with legal obligations or court orders
• Protect our rights, property, or safety
• Prevent fraud or security threats
• Enforce our Terms of Service

5.3 Business Transfers

If VYN is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

6. Cookies and Tracking Technologies

VYN uses cookies and similar technologies to provide functionality and improve your experience:

• Essential Cookies: Required for authentication, session management, and basic functionality (cannot be disabled)
• Functional Cookies: Remember your preferences (theme, location selection, language)
• Analytics Cookies: Help us understand how you use the Service to improve performance
• Security Cookies: Detect and prevent fraudulent or malicious activity

You can control cookies through your browser settings. However, disabling essential cookies may affect your ability to use certain features of the Service.

We do not use advertising cookies or tracking pixels for marketing purposes.

7. Data Security

We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, or destruction:

• Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
• Access Controls: Role-based permissions limit who can view or modify data
• Row-Level Security (RLS): Database-level tenant isolation prevents cross-organization data access
• Authentication: Secure password hashing (bcrypt), multi-factor authentication support
• Monitoring: Real-time security monitoring and automated threat detection
• Backups: Regular automated backups with point-in-time recovery
• Auditing: Comprehensive audit logs track all privileged operations

While we use commercially reasonable efforts to protect your data, no security system is impenetrable. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.

8. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

8.1 GDPR Rights (EEA, UK, Switzerland)

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restriction: Limit how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for processing at any time
• Right to Lodge a Complaint: File a complaint with your local data protection authority

8.2 CCPA Rights (California Residents)

• Right to Know: Request disclosure of personal information collected, used, or shared
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell data)
• Right to Non-Discrimination: Equal service regardless of exercising privacy rights

8.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@vyn.com. We will respond to your request within 30 days (GDPR) or 45 days (CCPA). We may require verification of your identity before processing your request.

You can also manage certain data directly through your account settings, including updating profile information, exporting data, and deleting your account.

9. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy:

• Active Accounts: We retain your data while your account is active and for 30 days after cancellation
• Backups: Deleted data may persist in backups for up to 90 days before permanent deletion
• Legal Requirements: We may retain certain data longer if required by law (e.g., tax records, audit logs)
• Audit Logs: Security and compliance logs may be retained for up to 2 years

After the retention period expires, we will permanently delete or anonymize your data. You can request early deletion by contacting support, subject to legal and operational requirements.

10. Children's Privacy

VYN is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. Our Terms of Service require users to be at least 18 years old.

If you believe we have inadvertently collected information from a child under 18, please contact us immediately at privacy@vyn.com, and we will take steps to delete such information.

11. International Data Transfers

VYN is operated from the United States, and your data may be transferred to and processed in countries outside your country of residence. These countries may have different data protection laws than your jurisdiction.

For transfers from the EEA, UK, or Switzerland to other countries, we rely on:

• Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
• Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
• Service Provider Certifications: Our providers (Supabase, Stripe) comply with GDPR requirements

By using VYN, you consent to the transfer of your information to countries outside your jurisdiction, subject to the protections described in this policy.

12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For GDPR-related inquiries, you may also contact your local data protection authority. A list of EU data protection authorities is available at https://edpb.europa.eu.