Privacy Policy
Last Updated: October 12, 2025
The Short Version
- We store your financial data — but it's pseudonymized so even we can't identify you
- Your documents live in YOUR Google Drive — never on our servers
- We never sell your data — our revenue comes from our product, not your information
- You control everything — export or delete anytime
- Regular security audits — we verify our promises through third-party review
1. What Data We Collect and Why
1.1 Transaction Data (Pseudonymized)
When you connect your bank account via Plaid, we collect and store:
- Transaction dates, amounts, merchant names, categories
- Account balances and transaction history
Why we need this: To provide search, categorization, budgeting, and reporting features.
How it's protected: This data is pseudonymized — your personal identity (name, email, real property address) is stored separately and encrypted. Our system uses random UUIDs as identifiers. Even our engineers see only codes and numbers, not "John Smith at 123 Main Street."
1.2 Property Details (Anonymous UUIDs)
When you register properties, we collect:
- Property names/labels (e.g., "Property 1", "Rental House")
- Property metadata (purchase date, property type)
Why we need this: To organize your transactions and documents by property.
How it's protected: Real addresses are NOT stored in our database. We assign each property a random UUID (like "7f8c-4e91-b2a3"). This UUID links to your financial data, but cannot be traced back to a real address without your encryption key.
1.3 Document Metadata (Not the Documents Themselves)
When you upload receipts, invoices, or contracts via Telegram:
- Document category (e.g., "Maintenance Receipt", "Tax Document")
- Upload date and filename
- Google Drive file ID (pointer to YOUR Drive, not file content)
Why we need this: To help you search and retrieve documents later.
How it's protected: The actual document images/PDFs are stored in your Google Drive, not our servers. We only store a pointer (Google Drive file ID) that tells our system where to find the file in your Drive. We never download or store your document content.
1.4 Account Information
To create and manage your account:
- Email address (for login and notifications)
- Password (hashed and salted, never stored in plain text)
- Google account connection (OAuth token for Drive/Sheets access)
- Plaid access token (encrypted, for bank connection)
Why we need this: To authenticate you and connect to Google Drive and Plaid on your behalf.
How it's protected: Passwords are hashed using industry-standard bcrypt. API tokens are encrypted at rest. Your email address is stored separately from your financial data in our pseudonymization architecture.
2. How We Protect Your Data (Pseudonymization Architecture)
2.1 What is Pseudonymization?
In plain English: We split your personal identity (name, email, address) from your financial data (transactions, receipts) and store them in separate encrypted databases. The two are connected only through random codes (UUIDs) that cannot be reverse-engineered.
The result: If an engineer looks at our financial database, they see:
UUID: 7f8c-4e91-b2a3
Transaction: $127.50, Home Depot, 2025-10-05
Property: a1b2-c3d4-e5f6
They cannot see "John Smith bought $127.50 at Home Depot for 123 Main Street." The link between your identity and this data is encrypted and inaccessible to anyone except the system itself when you log in.
2.2 Industry-Standard Encryption
- In transit: All data transmitted between your devices and our servers uses TLS 1.3 (HTTPS)
- At rest: Sensitive data stored in our database is encrypted using AES-256
- API tokens: Google and Plaid tokens are encrypted and never logged
2.3 Regular Security Audits
We commit to regular third-party security audits to verify:
- Pseudonymization architecture is working as designed
- No data leaks or unauthorized access
- Compliance with data protection best practices
Transparency: Audit summaries (with sensitive details redacted) will be published on our security page.
3. What We DON'T Do
3.1 We Never Sell Your Data
Period. We do not sell, rent, or trade your personal information or financial data to third parties. Ever. Our business model is simple: you pay for our product, we provide value. We don't make money from your data.
3.2 We Don't Store Your Bank Credentials
When you connect your bank account, you authenticate directly with Plaid (a trusted third party used by Venmo, Robinhood, and thousands of apps). Your bank username and password are NEVER sent to Virsva. Plaid gives us a secure token that allows read-only access to your transactions.
3.3 We Don't Store Your Documents on Our Servers
Receipts, invoices, contracts — all stored in your Google Drive. We only store a reference (file ID) to where the document lives in your Drive. If you delete a file from your Drive, it's gone — we don't have a copy.
3.4 We Don't Use Your Data for AI Training
Your financial data and documents are NOT used to train AI models or improve general algorithms. AI analysis (document categorization, receipt parsing) happens in real-time for your use only and is never retained for model training.
4. Your Rights and Control
4.1 Export Your Data Anytime
Use our one-click export feature to download all your data in standard formats:
- CSV (transactions, metadata)
- Excel spreadsheets (formatted reports)
- PDF (printable records)
- Google Sheets (live, shareable)
All exports are saved to your Google Drive — you own the data.
4.2 Delete Your Account Anytime
Go to Settings → Delete Account. When you delete your account:
- Immediately: Your access is revoked, and your account is deactivated
- Within 30 days: All your data is permanently deleted from our servers (transactions, metadata, credentials)
- Your Google Drive: Unaffected — your documents remain in YOUR Drive
Note: We may retain anonymized aggregated data for analytics (e.g., "100 users exported data in October"), but nothing that can identify you.
4.3 Revoke Access Anytime
You can revoke Virsva's access to:
- Google Drive: Via Google Account settings → Security → Third-party apps
- Plaid (banking): Via Virsva dashboard or Plaid's website
Once access is revoked, we can no longer access your Drive or pull new transactions (existing data remains until you delete your account).
4.4 Self-Host Your Data (Future)
We're building an open-source, self-hosted version of Virsva. When ready, you'll be able to:
- Export your encrypted data
- Run Virsva on your own server
- Keep full control, with zero reliance on our infrastructure
5. Third-Party Services
5.1 Plaid (Banking Integration)
- What they do: Securely connect your bank account and retrieve transactions
- Their privacy policy: plaid.com/legal
- Security: Bank-level encryption, used by 8,000+ financial apps
5.2 Google (Drive & Sheets)
- What they do: Store your documents and generated reports
- Their privacy policy: policies.google.com/privacy
- Access: Read/write to folders you authorize (via OAuth)
5.3 Telegram (Optional Bot Interface)
- What they do: Deliver messages between you and the Virsva bot
- Their privacy policy: telegram.org/privacy
- Data retention: We do NOT store chat message history
6. Data Retention
6.1 Active Accounts
While your account is active, we retain:
- Transaction data: Until you delete your account
- Document metadata: Until you delete your account
- Logs: 90 days (for security and debugging)
6.2 Deleted Accounts
After you delete your account:
- Day 0-30: Data marked for deletion, but recoverable if you change your mind
- Day 30+: Permanent deletion (cannot be recovered)
7. Cookies and Tracking
7.1 Essential Cookies
We use session cookies to:
- Keep you logged in
- Remember your preferences (e.g., property selection)
7.2 No Advertising Trackers
We do NOT use:
- Google Analytics
- Facebook Pixel
- Third-party advertising cookies
We believe in privacy-first analytics — we only track basic usage metrics (page views, errors) without identifying individuals.
8. Changes to This Policy
If we make significant changes to this privacy policy, we will:
- Update the "Last Updated" date at the top
- Email you at your registered email address
- Display a notice on the dashboard
You can view the full history of this policy on our GitHub repository (coming soon).
9. Questions or Concerns?
We take privacy seriously. If you have questions about how we handle your data:
- Email: privacy@virsva.com
- Security page: virsva.com/security
Our Commitment
Privacy isn't a marketing claim at Virsva — it's our architecture. We've designed our system so that even we cannot identify you from your financial data. This isn't a promise we might break later; it's a technical reality built into our code.