Vypo ("we", "us", "our") respects your privacy. This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have over your data.
Account data: full name, email address, hashed password, time zone, language preference.
Business data: business name, business type, services offered, brand voice descriptors, logo, brand colors.
Content data: generated and approved posts, captions, hashtags, AI-generated and user-uploaded images, scheduling history.
Usage data: features used, approve/reject feedback on posts, login timestamps, in-app interactions.
Payment data: processed entirely by Stripe. We store only your Stripe customer ID, subscription status, plan, and billing cycle — we never store full card numbers or banking credentials.
Device data: browser type, operating system, IP address, device identifiers used for security and abuse prevention.
Cookies: essential authentication-session cookies for login and security. With your consent, we also use Google Analytics cookies to understand how visitors use our site (aggregated, anonymous usage data only), and the Meta (Facebook) Pixel together with the server-side Meta Conversions API to measure the effectiveness of our advertising — see the Cookie Policy (Section 10) and the Meta entry under Third-Party Processors (Section 4).
OAuth tokens: when you connect Instagram or Facebook, we store the access tokens issued by Meta solely to publish on your behalf.
2. How We Use Your Data
To provide, operate, secure, and improve the Service.
To generate AI content tailored to your business profile and brand voice.
To process payments and manage your subscription via Stripe.
To send transactional emails (account verification, billing, security, and important Service updates).
To analyze usage patterns in aggregated, de-identified form.
To detect and prevent fraud, abuse, and security incidents.
To measure and optimize the performance of our own advertising campaigns on Meta (Facebook and Instagram) using the Meta Pixel and the Meta Conversions API.
To comply with legal obligations and respond to lawful requests.
We do not sell your personal data. We use the Meta (Facebook) Pixel and Conversions API to measure the performance of our own advertising (see Sections 4 and 10), but we do not sell your data or allow third parties to use it for their own independent advertising.
3. AI Data Usage
Important: Your approve/reject feedback trains your personal brand voice profile inside Vypo. It does not feed external AI models or other Vypo customers.
Your feedback (approve/reject/edit) and brand profile train your own personalized brand voice profile within Vypo.
We do not sell your data to train other companies' AI models.
We may use anonymized, aggregated data (with all personally identifying information removed) to improve our internal AI prompts, classifiers, and quality metrics.
You can manage this data at any time in Settings → Data & Privacy: download a copy of everything Vypo holds about you, or delete your account, which permanently removes your stored personalization data.
Content sent to OpenAI for generation is processed under OpenAI's privacy and data-use terms — see openai.com/privacy. OpenAI does not train its foundation models on data sent through the OpenAI API by default.
4. Third-Party Processors
We use the following sub-processors to operate the Service:
Google — Sign-in with Google (OAuth) and Google Analytics 4 (website analytics, consent-gated) — policies.google.com/privacy
Meta — Instagram and Facebook publishing, and advertising measurement via the Meta Pixel and Conversions API. For ad measurement we share a hashed (SHA-256) version of your email address plus technical data — IP address, browser user-agent, and Meta cookie identifiers (_fbp / _fbc) — so Meta can attribute and optimize our advertising campaigns — facebook.com/privacy
Sentry — error monitoring and diagnostics (collects error reports, stack traces, browser/OS type, and IP addresses to help us identify and fix software bugs) — sentry.io/privacy
Google Fonts — web font delivery (Google may log IP addresses when fonts are loaded) — policies.google.com/privacy
Each sub-processor is contractually bound to protect your data in accordance with applicable data protection laws.
5. Data Retention
Active account: data is retained for as long as your account is active.
Cancelled or deleted account: data is deleted from active systems within 30 days. Backups are purged within 90 days.
Payment and billing records: retained for up to 7 years to comply with tax and financial-record obligations.
AI training data: when retained, it is anonymized so it can no longer be linked to you, and may be kept indefinitely in that form.
Legal holds: data subject to a legal hold or required for litigation will be retained for the duration required.
6. Your Rights
Regardless of where you live, you have the right to:
Access the personal data we hold about you — visit the Settings page.
Delete your account at any time — Settings → Delete Account (self-serve).
Manage your data & personalization — Settings → Data & Privacy (download your data or delete your account).
Object to or restrict certain processing — contact us.
GDPR (EU/UK residents): you also have the rights to rectification, erasure, restriction of processing, data portability, and to object to processing. You may lodge a complaint with your local supervisory authority.
CCPA / CPRA (California residents): you have the rights to know, delete, correct, and opt out of the "sale" or "sharing" of personal information, and to non-discrimination for exercising these rights. We do not sell or share personal information as those terms are defined under CCPA/CPRA.
To exercise any right, contact support@vypo.io. We will respond within 30 days.
7. Data Security
TLS / HTTPS encryption for all data in transit.
AES-256 encryption for data at rest (provided by Supabase).
Row-Level Security (RLS) on all database tables — users can only access their own data.
API keys and secrets are stored server-side only and never exposed to the browser.
Bcrypt-hashed passwords (handled by Supabase Auth) — we never see or store plaintext passwords.
Periodic security review of our infrastructure and dependencies.
We rely on SOC 2-compliant infrastructure providers (Supabase, Stripe, Vercel) for the underlying platform.
No system is 100% secure. You are responsible for keeping your password and devices secure.
8. International Data Transfers
Your data may be processed and stored on servers located in the United States, the European Union, and other jurisdictions where our sub-processors operate.
Where required by law, we rely on Standard Contractual Clauses (or equivalent safeguards) for international transfers of personal data out of the EU/EEA, UK, and Switzerland.
By using the Service, you consent to such international processing.
9. Children's Privacy
The Service is not directed to, and not intended for, individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data, contact support@vypo.io and we will delete it.
10. Cookie Policy
Essential cookies — always active. Required for authentication, login sessions, and security. You cannot opt out of these without losing access to the Service.
Analytics cookies (Google Analytics 4) — activated only with your consent. We use Google Analytics to understand aggregate usage patterns (e.g. which features are most used, page-level performance). Google Analytics collects anonymized data including pages visited, session duration, browser type, and general geographic region. No personally identifiable information is sent to Google Analytics. You can withdraw consent at any time by clearing your browser's local storage or cookies.
Advertising measurement (Meta Pixel) — activated only with your consent. We use the Meta (Facebook) Pixel, which sets the _fbp cookie and reads the _fbc identifier from Facebook ad clicks, together with the server-side Meta Conversions API. These let Meta measure and optimize the performance of our advertising. For this we share a hashed (SHA-256) version of your email plus technical data (IP address, browser user-agent, and the Meta cookie identifiers) with Meta. We do not use these for cross-site retargeting beyond measuring our own campaigns. You can withdraw consent at any time by rejecting cookies or clearing your browser's cookies and local storage.
You may disable all cookies in your browser settings, but essential cookies are required for the Service to function.
When you first visit our site, we display a cookie consent banner. Clicking Accept activates analytics cookies. Clicking Reject limits us to essential cookies only. Your preference is stored in your browser's local storage.
11. Changes to This Policy
We may update this Privacy Policy from time to time.
Material changes will be communicated via email and/or in-product notice.
The "Last updated" date at the top of this page indicates when the latest version took effect.
Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.
12. Data Breach Notification
In the event of a confirmed data breach affecting your personal data, we will notify affected users within 72 hours of discovery via email.
We will notify relevant data-protection authorities as required by applicable law.
The notification will describe the nature of the breach, data categories affected, expected consequences, and the remediation measures taken.
13. Contact / Data Protection Officer
For any privacy-related question, request, or complaint: