Privacy Policy

Effective date: May 17, 2026  ยท  Version 1.0  ยท  Questions: legal@vin-g.com

Vin-G ("we", "us", "our") operates a suite of business management tools available at vin-g.com and its subdomains. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights over it.

This policy covers all Vin-G products: Analytics, Appointment Scheduler, Auth, Email Campaigns, CRM, Document Store, Expense Tracker, Form Builder, HR Manager, Invoice Generator, E-commerce Store Builder, Website Generator, and Vritti. Each product may have a product-specific addendum with additional disclosures.

โš ๏ธ Lawyer review required: DPO appointment, Data Fiduciary registration under India DPDP Act, and governing law clause.

1. Who We Are

The data controller is Vin-G (legal entity details, registered address, and company registration number to be added upon business registration). For privacy enquiries, contact us at legal@vin-g.com.

2. What Data We Collect

2.1 Account and Identity Data

  • Email address, first name, last name
  • Password (stored as a bcrypt hash โ€” we never store plaintext passwords)
  • Google account ID (if you sign in with Google)
  • Account creation date and last updated date
  • Consent timestamp and version of privacy policy you agreed to

2.2 Usage and Technical Data

  • IP address (used to detect abuse; hashed for analytics storage)
  • Browser user agent and HTTP request metadata
  • Pages visited, features used, session duration
  • Error logs (stack traces may contain request context)

2.3 Content Data (varies by product)

  • Files and documents you upload (Document Store)
  • Invoice data, client names, amounts (Invoice Generator)
  • Expense records and receipt images (Expense Tracker)
  • Contact names, emails, phone numbers (CRM)
  • Form submissions collected via forms you create (Form Builder)
  • Employee profiles, time entries, leave records (HR Manager)
  • Appointment bookings and attendee details (Appointment Scheduler)
  • Email subscriber lists and campaign content (Email Campaigns)
  • Resume and job preference data (Vritti)
  • Website content and configuration (Website Generator)

2.4 Payment Data

Payments are processed by Stripe. We never receive or store your card number, CVV, or full card details. We receive only a payment token and transaction status from Stripe.

3. Why We Collect It (Lawful Basis)

PurposeData usedGDPR basisCCPA categoryIndia DPDP
Providing the service you signed up forAccount, content dataContract (Art. 6(1)(b))N/A (service provision)Consent / Legitimate use
Authentication and securityEmail, IP, user agentLegitimate interest (Art. 6(1)(f))N/A (security)Legitimate use
Sending transactional emails (OTP, receipts, reminders)Email addressContract (Art. 6(1)(b))N/A (service provision)Consent
Analytics to improve our serviceUsage data (anonymized)Legitimate interest (Art. 6(1)(f))N/A (internal analytics)Legitimate use
Legal compliance and dispute resolutionAccount, transaction dataLegal obligation (Art. 6(1)(c))N/A (legal)Legal obligation
Marketing communications (only with explicit consent)EmailConsent (Art. 6(1)(a))Opt-in requiredConsent

4. Google Analytics

We use Google Analytics 4 (GA4) to understand how visitors use our platform. GA4 uses cookies and collects anonymized usage data. We only load Google Analytics after you give cookie consent. You can withdraw consent at any time via the cookie banner at the bottom of any page. You may also opt out via Google's opt-out browser add-on.

5. How We Share Your Data

We do not sell your personal data. We share data only with:

  • Sub-processors who help us deliver the service (see our Sub-processors List). Each has a Data Processing Agreement (DPA) with us.
  • Law enforcement when required by applicable law, court order, or to protect our users.
  • Acquirers in the event of a merger or acquisition โ€” you will be notified before any transfer.

6. Data Retention

We retain data only as long as necessary. See our full Data Retention Schedule for period-by-period details. Financial and employment records are retained for a minimum of 7 years as required by applicable tax and employment law. When retention periods expire, data is either permanently deleted or anonymized so it can no longer identify you.

7. Your Rights

7.1 Under GDPR (EU/EEA residents)

  • Access (Art. 15): Request a copy of all personal data we hold about you
  • Rectification (Art. 16): Correct inaccurate data
  • Erasure (Art. 17): Request deletion of your data (subject to retention obligations)
  • Restriction (Art. 18): Ask us to pause processing while a dispute is resolved
  • Portability (Art. 20): Receive your data in a machine-readable format
  • Object (Art. 21): Object to processing based on legitimate interest
  • Lodge a complaint with your national supervisory authority

7.2 Under CCPA (California residents)

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information (with exceptions)
  • Right to opt out of sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising CCPA rights

7.3 Under India DPDP Act 2023

  • Right to access information about processing
  • Right to correction and erasure of personal data
  • Right to grievance redressal
  • Right to nominate a nominee for your data in case of death or incapacity

7.4 How to Exercise Your Rights

Email legal@vin-g.com with your request. You can also use the in-app data export and account deletion features available in your account settings. We will respond within 30 days (GDPR), 45 days (CCPA), or 30 days (DPDP) of receiving your request.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • HTTPS/TLS encryption for all data in transit
  • Passwords stored as bcrypt hashes (never plaintext)
  • Files stored in Cloudflare R2 with AES-256 encryption at rest
  • Role-based access controls limiting data access to authorised personnel
  • Regular security reviews

9. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours (GDPR)
  • Notify affected California consumers within 45 days (CCPA)
  • Notify affected Indian data principals within 60 days (DPDP Act)
  • Notify affected users by email without undue delay when the breach is likely to result in a high risk to your rights and freedoms

10. International Data Transfers

Your data may be processed in countries outside your own. When transferring personal data from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. When transferring data from India, we comply with the cross-border transfer requirements of the DPDP Act 2023.

11. Cookies

We use essential cookies required for the service to function, and optional analytics cookies (Google Analytics) that require your consent. See our Cookie Policy for full details.

12. Children's Privacy

Our services are not directed to children under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact legal@vin-g.com.

13. Changes to This Policy

We may update this policy periodically. We will notify you of material changes by email and by updating the effective date above. Continued use of our services after the effective date of changes constitutes acceptance of the updated policy.

14. Contact Us

For privacy questions, data subject requests, or to report a concern:
Email: legal@vin-g.com
Subject line: "Privacy Request โ€” [Your Name]"

โš ๏ธ Lawyer review required before publishing: Add registered business address, company registration number, and appoint a Data Protection Officer (DPO) if required by GDPR Article 37 or India DPDP regulations.