Last updated · June 5, 2026
Privacy Policy
VYNE is built by American Circuits Inc. (Charlotte, NC, USA). This page tells you exactly what we collect, why, who we share it with, how long we keep it, and how to take it back.
Who we are (data controller)
American Circuits Inc., DBA VYNE, 9100 Crump Rd, Charlotte, NC 28273, USA. For EU data subjects, we currently operate without an EU representative; complaints can be filed directly with the Information Commissioner's Office (UK) or your national supervisory authority. Contact for all privacy matters: privacy@vyne.app.
What we collect — full inventory
Every Postgres table in VYNE that holds personal data is listed below, with the lawful basis under GDPR Art. 6 and how long we retain it after you stop using us. Schema source of truth: apps/web/prisma/schema.prisma.
| Table | Personal data fields | Purpose | Lawful basis (Art. 6) | Retention |
|---|---|---|---|---|
| users | email, name, companyName, passwordHash, mfaSecret (encrypted) | Account + authentication + tenant scoping | Contract — necessary to provide the Service | Account lifetime; 30-day grace, then hard delete |
| subscriptions | stripeCustomerId, stripeSubscriptionId, plan, status | Billing — mirror of Stripe for in-app rendering | Contract + legal obligation (tax records) | Subscription lifetime + 7 yrs (US tax retention) |
| password_reset_tokens | userId, sha256(token), expiresAt, usedAt | Password-reset flow (one-time) | Contract | 1 hour from issue, hard-deleted thereafter |
| contacts / accounts / customers / sales_customers | Names, emails, phone numbers, addresses you import | CRM functionality (the data is yours — you control it) | Contract — you choose what to upload | Workspace lifetime; deleted with workspace |
| deals / sales_opportunities / sales_quotes / sales_orders / invoices / orders | Customer names, totals, line items, your notes | Sales pipeline + ERP | Contract | Workspace lifetime |
| expenses / employees / leave_requests / journal_entries | Reimbursee names, salary, leave balances, posting entries | HR + Finance modules | Contract + legal obligation (employment records) | Workspace lifetime + 7 yrs after deletion (US payroll retention) |
| embeddings | Vector representations of your messages, docs, files | Search + AI retrieval (RAG) | Contract | Workspace lifetime; deleted with workspace |
| push_subscriptions | Browser push endpoint URL + p256dh / auth keys | Web push notifications you opted into | Consent — revocable from Settings | Until you unsubscribe or 90d of inactivity |
| audit_events | actorId, actorName, action, ip, userAgent | Security audit trail (SOC2 / breach forensics) | Legitimate interest (security) | 2 years; anonymised after 90 days post-deletion |
| consents | userId, category, granted, ip, userAgent, source | Proof of cookie/marketing consent (Art. 7) | Legal obligation (consent record) | 5 years after consent withdrawn (audit evidence) |
| account_deletions | userId, orgId, email, requestedAt, scheduledFor | Grace-period queue for the 30d undo window | Legitimate interest (deletion auditability) | Deletion record kept indefinitely for audit |
What we DO NOT collect
Browsing history outside VYNE. Location data. Biometric data. Health data. Children's data (the Service is not intended for users under 16, see Terms §1). Third-party cookies for advertising. Cross-site tracking pixels. We do not buy, sell, or rent personal data.
Subprocessors
We use the following processors to deliver VYNE. Each is bound by a Data Processing Agreement that mirrors the obligations we owe you.
We publish changes to this list at least 30 days before a new subprocessor goes live (subscribe via privacy@vyne.app).
| Subprocessor | Purpose | Region | DPA / Cert |
|---|---|---|---|
| Vercel Inc. (USA) | Web hosting + Edge functions + Blob storage | iad1 (US-East, Virginia) | DPA |
| Neon Tech (USA) | PostgreSQL primary database | us-east-2 (Ohio) | DPA |
| Stripe Inc. (USA) | Payment processing + billing | Global | DPA |
| Resend (USA) | Transactional email (signup, password reset, invoices) | us-east-1 | DPA |
| Sentry (USA) | Error monitoring (PII redacted via beforeSend) | us-east-1 | DPA |
| Anthropic (USA) | Claude API — AI features (prompts not used for training per zero-retention SLA on enterprise tier) | us-east-1 | DPA |
| Upstash (USA) | Redis — rate limiting + ephemeral session storage | us-east-1 | DPA |
International transfers
VYNE is hosted in the United States. Where personal data of EU/UK data subjects is processed, transfers rely on the European Commission's Standard Contractual Clauses (Module 2: controller → processor; Module 3: processor → sub-processor). The relevant clauses are embedded in our Data Processing Agreement. For UK data subjects we additionally rely on the UK International Data Transfer Addendum.
Your rights (GDPR Art. 15–22 + CCPA)
You have the following rights, exercisable at any time + free of charge once per 12-month period:
- Access — request a copy of your data via POST /api/gdpr/export in-app or by email.
- Rectification — correct any field directly in Settings, or email privacy@vyne.app.
- Erasure ("right to be forgotten") — Settings → Danger Zone → Delete account schedules a hard delete in 30 days (you can cancel during the grace period). Backed by POST /api/account/delete.
- Portability — your data is exportable as JSON via POST /api/gdpr/export; the file is standard JSON, suitable for import into any compatible tool.
- Restriction / Objection — pause processing of specific categories (e.g. AI features) via Settings → AI preferences.
- Withdraw consent — cookie banner → Manage preferences (link in footer), or revoke push notifications from Settings.
- Lodge a complaint — with your supervisory authority (ICO, CNIL, etc.) or in California, the CPPA.
Security
See /security for the full posture (encryption at rest + in transit, backup cadence, RPO/RTO, vuln reporting). Short version: AES-256 at rest, TLS 1.3 in transit, per-tenant orgId scoping enforced at every API route, MFA available, daily backups + weekly restore verification.
Children
VYNE is not intended for users under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, email privacy@vyne.app and we will delete it within 14 days.
Breach notification
If a personal-data breach is reasonably likely to result in risk to your rights and freedoms, we will notify you within 72 hours of becoming aware. Our supervisory-authority notification timeline is the same 72 hours per GDPR Art. 33. Status updates are posted at /status.
Changes to this policy
Material changes are announced by email at least 14 days before taking effect, with a versioned diff archived at docs/legal/changelog.md. Continued use after the effective date is acceptance.
Contact
privacy@vyne.app for all privacy + DSAR matters. security@vyne.app for vulnerability reports.