
Privacy Policy

Effective date: 8 April 2026  ·  NKC Labs, Denmark

Who we are

Vello is a personal finance tracking service operated by NKC Labs, based in Denmark. NKC Labs is the data controller for all personal data processed through Vello.

For any privacy-related questions or requests, contact us at a.i.c.dabrowska@gmail.com.

What data we collect

We collect only what is necessary to provide the service:

  • Account data: your email address, and optionally your name. Your password is hashed and managed by Supabase Auth — we never have access to it in plaintext.
  • Profile preferences: your home currency and the list of currencies you transact in.
  • Financial data you enter: transaction amounts, currencies, dates, descriptions, categories, tags, and recurring transaction templates. We store exactly what you type — nothing is inferred or pulled from external sources.
  • Session data: an authentication cookie that keeps you logged in. See our Cookie Policy for details.

We do not collect payment card details. When paid plans are introduced, payments will be processed by Stripe and governed by their privacy policy.

How we use your data

We use your data to:

  • Provide, operate, and improve the Vello service
  • Authenticate your identity and maintain the security of your account
  • Respond to your support requests
  • Send you service-related emails (account changes, billing notifications)

We do not use your financial data for advertising, profiling, or any purpose beyond operating the service for you personally.

Legal basis for processing (GDPR)

We process your personal data on the following legal bases under Article 6 of the GDPR:

  • Contract performance (Art. 6(1)(b)): processing your account data and financial data is necessary to provide the Vello service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): maintaining security, preventing fraud, and improving the reliability of the service.
  • Legal obligation (Art. 6(1)(c)): where we are required to retain or disclose data under applicable law.

Who we share data with

We do not sell your data. We share it only with the following sub-processors who help us deliver the service:

  • Supabase Inc. — database hosting and authentication. Your data is stored on AWS infrastructure in EU-West-1 (Ireland), within the European Economic Area. Supabase acts as a data processor under a Data Processing Agreement with NKC Labs.
  • ExchangeRate-API — we send currency codes (e.g. “USD”, “EUR”) to fetch exchange rates. No personal data or financial amounts are shared with this service.
  • Vercel Inc. — hosting for the Vello web application. Vercel processes request metadata (IP address, browser headers) as part of serving the application. Data is processed in accordance with Vercel's privacy policy.

When Stripe is integrated for paid plans, Stripe will become an additional sub-processor for payment-related data. We will update this policy at that time.

Data retention

We retain your personal data for as long as your account is active. If you request account deletion, we will delete your personal data within 30 days of the request, except where we are required to retain it by law (e.g. for tax or accounting purposes).

Exchange rates stored alongside your transactions are retained as part of the transaction record to preserve historical accuracy.

Your rights under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate data.
  • Right to erasure: request deletion of your personal data (“right to be forgotten”).
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interests.
  • Right to restrict processing: request that we limit how we use your data.

To exercise any of these rights, contact us at a.i.c.dabrowska@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Danish supervisory authority: Datatilsynet (datatilsynet.dk).

Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (TLS), row-level security on all database tables (users can only access their own data), and hashed password storage managed by Supabase Auth.

No system is perfectly secure. If you discover a security issue, please report it to us at a.i.c.dabrowska@gmail.com.

Children

Vello is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notice before the changes take effect. The effective date at the top of this page will always reflect the most recent version.
