Privacy Policy
Last updated:
Vasly is an apartment-rating tool that helps renters and buyers compare places using a structured 0/1/3 scoring system. This policy explains what data we collect, why, and your rights.
1. Data we collect
- Account data: email address, first/last name, hashed password (we never store plaintext). If you enable two-factor authentication, we also store an encrypted authenticator-app secret and a small set of one-use backup codes (stored as hashes, never in plaintext).
- App data: apartments you log, ratings, settings, optional commute address, the photos you attach to each unit (subscribers, up to 10 per unit), and the floor-plan PDF you upload for a unit (subscribers, one per unit).
- Technical data: sign-in timestamps, browser/device label, and a one-way hash of your IP address (used to count unique visitors and prevent abuse - the original IP is never stored on our servers).
- Visitor analytics: we record the type and timestamp of each visit / demo entry / share-link view, plus the two-letter country code resolved from your IP at first visit. Your raw IP is sent to our GeoIP provider for the lookup and immediately discarded; only the country code persists on our side.
- Diagnostic / error data: when the app or our server hits an error, technical details about it - the error message and stack trace, the page or action involved, your browser/device label, and an approximate IP-derived location - are captured so we can find and fix bugs. Used only for reliability, never for advertising.
- Cookies / storage: we use only essential browser local storage to keep you signed in and cache your data offline. No advertising, marketing, or third-party tracking cookies.
- Security audit log: timestamped records of account, security, and billing events on your account (sign-in, password change, 2FA enrollment, subscription change, share-link creation, and similar). Used by us and visible to you so anything unusual is easy to spot.
2. How we use it
Solely to operate the service: authenticate you, sync your data across sessions, generate the analytics shown in the admin dashboard, send essential transactional emails (verification, sign-in codes, password reset), process subscription payments, and prevent abuse. We do not sell, rent, or share your data with third parties for marketing.
3. Third-party services
Vasly relies on a small number of third parties to operate. Each has its own privacy policy.
- OpenStreetMap (Nominatim) - address autocomplete and map tiles. Your typed search query is sent to their server.
- Resend (resend.com) - delivery of transactional emails (verification, sign-in codes, password resets, receipts). Your email address and the message content are sent to Resend for delivery.
- Stripe (stripe.com) - payment processing for paid subscriptions on the web. Card details are submitted directly to Stripe and are never stored on our servers; we only see the resulting subscription metadata (tier, period, status).
- Apple App Store / Google Play - payment processing for paid subscriptions on the iOS and Android apps. Subscription receipts pass through RevenueCat (revenuecat.com) for validation; only your purchase status reaches our servers.
- OpenAI (openai.com) - our sole AI sub-processor. We use OpenAI's image and text models (specifically gpt-image-2 for virtual staging, and gpt-4o-mini, including its vision capability, for the AI listing summary, AI scoring insights, and floor-plan analysis). OpenAI is called only when you actively trigger one of these features, and only the input that feature needs is sent: a room photo (virtual staging), a listing URL (listing import / summary), or a floor-plan image (floor-plan analysis). Nothing is sent to OpenAI in the background. Per OpenAI's API data-usage policy, inputs submitted through their API are not used to train OpenAI's models; OpenAI may retain those inputs for up to 30 days for abuse and misuse monitoring, after which they are deleted.
- ipinfo.io - country-level GeoIP lookup at first visit, so the admin dashboard can show approximate visitor geography. Your IP is sent for the lookup; we discard it immediately after and store only the resulting two-letter country code keyed by a one-way hash of the IP.
- Sentry (sentry.io) - error and crash tracking. When the app or our server encounters an error, diagnostic details (error message, stack trace, the page or action, browser/device, and an approximate IP-derived location) are sent to Sentry so we can fix it. Used only for reliability; never for advertising or profiling.
4. Company offering - additional data flows
This section applies if you use Vasly's optional agent or company plans, or if a real-estate agent invites you to view properties they have shared. It supplements the general policy above.
- Agent and client are separate accounts. An agent's property library and a client's account are distinct, each owned by its own account. They are linked only by an "engagement" the client accepts and can revoke at any time.
- What an agent sees about a client. Through an active engagement, the agent can see the client's 0/1/3 scores and comments on the properties the agent shared, plus the client's name. The agent does not see the client's other apartments, their separate personal board, or account data outside that engagement. The client chooses whether the agent sees all shared properties or a subset.
- What a client sees about an agent. The client sees the properties the agent shared, the agent's name and (if set) company branding, and comments the agent posts on those properties.
- What a company administrator sees. A company owner sees roster-level activity for their own agents - for example, the agent list and how many active client engagements each agent has. A company owner does not see a client's private personal data beyond the engagement-level activity described above.
- Revocation. When a client revokes an engagement, the agent immediately loses access to that client's scores and shared view. Comments already exchanged remain part of the engagement record unless deleted by their author.
- Invitations. If an agent invites you by email, we use that email only to create or link your account and send engagement-related messages (see the welcome emails below). You can decline or revoke at any time.
5. Your rights (GDPR, UK GDPR, CCPA, and similar)
- Access: "Export my data" in the Hello menu downloads a JSON file with everything we store about you.
- Deletion: "Delete my account" in Settings permanently removes your account and all related data within 30 days. Backups are also rotated within 90 days.
- Correction: edit your data in the app at any time.
- Portability: the JSON export is a standard machine-readable format you can take elsewhere.
- Objection / restriction: contact support to limit processing while you decide.
- Automated decision-making: we don't use any.
6. Data retention
- Active accounts: data is kept while your account is active.
- Inactive accounts (no sign-in for 24 months): we may delete the account after a 30-day notice email.
- Login history is capped at the last 50 events per user.
- Security audit log entries are retained for the life of the account; very old entries may be rotated out beyond a reasonable size limit.
- Photos and floor plans persist for as long as the unit exists in your account; deleting a unit deletes its media.
- Sign-in sessions expire after 30 days.
- Backup zips, when generated by the admin, should be deleted promptly once no longer needed.
7. Security
Passwords are hashed with bcrypt. Sign-in to an existing account requires a one-time code sent to your email. You can additionally enable two-factor authentication in Settings using an authenticator app (Google Authenticator, Authy, 1Password, and similar), with one-use backup codes for recovery. Vasly enforces a single active device per non-admin account; signing in elsewhere revokes other sessions, and a password reset signs you out of every other session for your account. Every account, security, and billing action is recorded in a per-account audit log you can review. The API is rate-limited per user and per IP to prevent abuse, and every endpoint enforces ownership so another account cannot reach your data by guessing an ID. We recommend you sign out on shared devices and never paste your password into any link or email.
8. International transfers
Vasly is global. Your data is stored on the server hosting this installation, which may be in a different country to yours. By signing up you consent to this transfer; the operator commits to applying GDPR-equivalent safeguards regardless of jurisdiction.
9. Children
Vasly is not directed at, marketed to, or intended for children. Specifically, the app is not for anyone under 13 years old (the threshold under the US Children's Online Privacy Protection Act, "COPPA") or under 16 years old in jurisdictions where the EU GDPR applies a higher digital-consent threshold. We do not knowingly collect personal data from anyone in these categories. If you are a parent or guardian and believe your child has provided personal data to us, contact hello@vasly.app and we will delete the account and associated data within 30 days. The app store age rating for Vasly is 4+ on Apple's scale, which reflects content suitability only and does not imply it is designed for children's use.
10. Apple App Store and Google Play - additional disclosures
This section applies to users of the Vasly iOS and Android apps and supplements the general policy above.
10.1 App Tracking Transparency (Apple)
Vasly does not track users under Apple's App Tracking Transparency (ATT) framework. We do not link data collected from this app with data collected from other companies' apps, websites, or offline services for the purpose of advertising or sharing with data brokers. We do not show the ATT permission prompt on first launch because we do not engage in tracking as Apple defines it. If you see an ATT prompt in a future build, the policy on this page will be updated first and a notice posted in the in-app changelog.
10.2 Google Play data deletion
In line with Google Play's Data deletion requirements, you can request deletion of your account and all associated personal data in three ways:
- In the app: Settings → Account → "Delete my account" - this is the canonical, fastest path. Your account and all related data are permanently removed within 30 days; backups rotate within 90 days.
- Without signing in: visit vasly.app/help#delete and follow the verification process - useful if you've lost access to your account.
- By email: contact hello@vasly.app from the email on file. Allow up to 30 days for action.
Deletion is irreversible. Aggregate analytics that have already been computed and stored (e.g., "X visitors from Canada last week") cannot be unwound because they contain no personal identifiers.
10.3 Subscription billing and IAP
Subscription payments made through the iOS and Android apps are processed entirely by Apple's App Store or Google Play and tracked on our side via RevenueCat. We do not see your payment-method details; we only see your subscription status (tier, renewal date, source). Manage or cancel a subscription via iOS Settings → [your name] → Subscriptions, or via Google Play's Subscriptions page. Cancellations take effect at the end of the current billing period unless otherwise stated.
10.4 Mobile permissions
The Vasly app requests the following native permissions only when the corresponding feature is used. Each is opt-in:
- Camera - to take photos of apartments. Photos stay in your account on our server and are not shared with anyone, unless you choose to run an AI feature such as virtual staging, in which case the relevant photo is sent to our AI provider (OpenAI) to produce the result (see Section 3).
- Photo library - to upload existing photos. Same handling as above.
- Location (coarse) - if you opt in to the "find apartments near me" UX. Used in-session only; we do not log or persist your precise location.
- Push notifications - to alert you when a co-rater submits new ratings. You can disable them in OS settings at any time.
Declining any of these does not block you from using the rest of the app.
11. Contact
Questions, deletion requests, or complaints: email hello@vasly.app. EU users may also lodge a complaint with their national data protection authority.
12. Changes
We'll update this page when material changes happen and announce it in the in-app changelog. Continued use after a change means you accept the updated policy.