1. Effective date
This privacy policy is effective as of January 2026 and was last updated on January 2026. Any material change will be announced on the vp26 homepage at least thirty days before it takes effect, and sent to every active account.
2. Who we are
vp26 (pn-site-v2-vp26.pages.dev) is the data controller for the service. Registered office: vp26 Labs Ltd, Remote operations; contact by email only.. Jurisdiction: United Kingdom. For privacy matters contact help@pn-site-v2-vp26.pages.dev; for formal data-protection requests, the data-protection officer is reachable at the same address.
3. Data we collect
We keep the footprint small: the content you enter into vp26 (notes, entries, settings) stays on your device; a minimal crash signal captured locally by iOS when the app unexpectedly quits; optional support correspondence if you contact us. We do not collect browsing history, contacts, advertising identifiers, or any remote telemetry.
4. How we use it
Data on your device is used only to render the app's features for you — organise your entries, compute the utilities described in the app, persist your settings across launches. If you write to us about a support issue your message is used only to answer you. We do not sell, use, or disclose user data to third parties for any purpose beyond answering your support request.
5. Data handling commitment
We do not sell, use, or disclose user data to third parties for any purpose. vp26 is a client-only iOS utility: the data you create stays on your device, is not uploaded, and is not mirrored to any server we operate. We do not run analytics, do not embed third-party trackers, and do not build a profile about you. There is no cloud backend to leak from because we do not have one.
6. Third-party processors
vp26 relies on a short list of sub-processors: Stripe (payments), Cloudflare (edge delivery), Apple (app distribution and receipts), Amazon Web Services (encrypted storage). Each has a published privacy policy you may consult. We confirm these third parties provide the same or equal protection for user data as outlined in this policy.
7. Retention schedule
We retain data only as required for the stated purpose, or by law: account email is retained for 24 months after last login and then anonymised; payment records for 7 years per tax law; diagnostic signals for 7 days rolling; support correspondence for 12 months after closure; server access logs are truncated (IP removed) after 7 days. Earlier deletion on request to help@pn-site-v2-vp26.pages.dev.
8. International data transfers
Some sub-processors are incorporated in the United States. For transfers of personal data from the EEA, UK, or Switzerland to the US, vp26 relies on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by encryption at rest, encryption in transit, and key management under our sole control.
9. Your GDPR rights
Under the General Data Protection Regulation (GDPR) and the UK GDPR you have the right to access the data we hold about you, to request rectification, to request erasure (right to be forgotten), to portability (export in a common format), to objection, and to restriction of processing. Write to help@pn-site-v2-vp26.pages.dev with "Data request" in the subject; we respond within thirty days.
10. California privacy rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the right to know what personal information we hold, the right to delete it, the right to correct inaccuracies, the right to opt-out of sale (we do not sell personal information — nothing to opt out of, but the right remains), and the right to non-discrimination for exercising any of these. Write to help@pn-site-v2-vp26.pages.dev with "California privacy request" in the subject.
11. Security and breach notification
Traffic is encrypted in transit (TLS 1.3 for the site; WireGuard and IKEv2 for VPN tunnels). At rest we apply AES-256 with keys in a hardware security module. Production access is limited to a small operations team; every administrative action is logged; hardware-key authentication is mandatory. In the event of a personal-data breach, we will notify affected users within 72 hours of discovery, and notify the relevant supervisory authority where required.
12. Contact and complaints
For general privacy questions write to help@pn-site-v2-vp26.pages.dev. To request deletion of your account and data write to the same address with "Delete my data" in the subject — we respond within two business days. You have the right to lodge a complaint with your supervisory authority; in the UK this is the ICO, in the EU each country's data-protection authority, in California the California Privacy Protection Agency (CPPA).