PRIVACY POLICY
DATA CONTROLLER
The data controller responsible for your personal data is:
Maciej Buczowski
Operating as: Vaelox
Contact: hello@vaelox.app
Website: vaelox.app
Jurisdiction: Poland, European Union
As the data controller, the Operator determines the purposes and means of processing your personal data and is responsible for ensuring that processing complies with the General Data Protection Regulation (GDPR) and applicable Polish data protection law.
DATA WE COLLECT & WHY
| DATA TYPE | WHAT IT IS | WHY WE COLLECT IT | LEGAL BASIS | STORED WHERE |
|---|---|---|---|---|
| Portfolio Data | Asset symbols, quantities, purchase prices, purchase dates you enter manually | Core app function — displaying your portfolio value and analytics | Contract performance | On your device only (AsyncStorage). Never transmitted to our servers unless push notifications are enabled — see Section 3. |
| Push Token (updated) | An anonymised device identifier issued by Expo's push notification service | Required to deliver daily P&L notifications to your device | Consent (you grant notification permission) | Supabase database (Frankfurt, EU). See Section 3 for full details. |
| Portfolio Snapshot (updated) | A copy of your holdings (symbols, quantities, average prices, asset type) at the time you first enable notifications | Required to calculate your daily portfolio P&L for the notification | Consent (you grant notification permission) | Supabase database (Frankfurt, EU). See Section 3 for full details. |
| Device ID (Ad ID) | Google Advertising ID (GAID) assigned by Android | Serving advertisements in the free tier via Google AdMob | Legitimate interest / Consent | Google AdMob (Google LLC). See Section 5. |
| Error Logs & Diagnostics | Anonymous crash reports and performance data | Identifying and fixing technical issues | Legitimate interest | Expo / EAS analytics infrastructure. No personal data included. |
| Purchase History | Record of in-app purchases (Pro subscription, skins) | Verifying entitlements and preventing fraud | Contract performance | Google Play Billing (Google LLC). The Operator does not store payment card data. |
We do not collect your name, email address, postal address, phone number, IP address, location data, health data, biometric data, or any other personal data beyond what is listed above.
PUSH NOTIFICATIONS & SUPABASE (NEW IN v1.1)
As of version 1.0.4 (April 2026), Vaelox offers an optional daily portfolio P&L notification. This feature requires transmitting limited data outside your device. This section fully discloses what is sent, where it is stored, and how it is used.
What triggers data transmission: When you open Vaelox for the first time after installing version 1.0.4 or later, the app requests permission to send push notifications. If you grant permission, the following data is transmitted to our Supabase database:
- Your Expo push token — a unique anonymised identifier for your device, generated by Expo's push notification service. It does not contain your name, email, or any other personally identifiable information.
- A snapshot of your portfolio — the list of assets you currently hold, including ticker symbols, quantities, average purchase prices, asset type (stock/crypto/ETF), and CoinGecko ID where applicable. This is the minimum data required to calculate your portfolio's daily P&L.
- Your device platform — "android" — used to format the notification correctly.
If you deny notification permission: No data is transmitted. Your portfolio data remains entirely on your device.
Where the data is stored: All notification data is stored in a Supabase PostgreSQL database hosted in Frankfurt, Germany (EU). Supabase is GDPR-compliant and processes data within the European Economic Area. The Supabase Data Processing Agreement is available at supabase.com/privacy.
How the data is used: Once per day at approximately 21:15 UTC (4:15pm US Eastern Time), a scheduled server function retrieves your push token and portfolio snapshot, fetches current market prices from third-party APIs (Finnhub for stocks, CoinGecko for crypto), calculates your portfolio's daily gain or loss, and sends a push notification to your device. The notification shows your portfolio's percentage change and total value for the day. This calculation is performed entirely server-side and the result is immediately discarded — no historical record of your daily P&L calculations is retained.
Portfolio snapshot updates: If you add or remove holdings after enabling notifications, the snapshot in our database may become outdated. The app attempts to update the snapshot when holdings change. You can also delete all your notification data by disabling notifications in your device settings and contacting hello@vaelox.app to request deletion of your data from our database.
Retention: Push tokens and portfolio snapshots are retained for as long as your device has notifications enabled. Data is automatically purged if your push token becomes invalid (typically when you uninstall the app). You may request manual deletion at any time by contacting hello@vaelox.app.
Plain language summary: If you allow notifications, we store your push token and a list of your holdings on our EU server to send you one notification per day. We do not share this data with third parties. We do not use it for advertising. You can opt out at any time by disabling notifications in your device settings.
THIRD-PARTY DATA PROVIDERS
Vaelox fetches market prices and financial data from the following third-party API providers. These providers receive only the asset identifiers (ticker symbols or CoinGecko IDs) needed to return price data — they do not receive any personal data about you:
- Finnhub (finnhub.io) — stock and ETF quotes, company profiles. Privacy policy: finnhub.io/privacy-policy
- CoinGecko (coingecko.com) — cryptocurrency prices and market data. Privacy policy: coingecko.com/en/privacy
- Kraken (kraken.com) — historical cryptocurrency OHLCV data. Privacy policy: kraken.com/legal/privacy
- Yahoo Finance — historical stock price data via public endpoints.
- Alternative.me — Crypto Fear & Greed Index. Privacy policy: alternative.me/privacy
The Operator operates a proxy API at api.vaelox.app hosted on Cloudflare Workers to route some stock price requests. This proxy does not log personal data, IP addresses, or request metadata beyond what Cloudflare retains for security purposes.
ADVERTISING (FREE TIER)
The free tier of Vaelox displays advertisements served by Google AdMob (Google LLC). Google AdMob may collect and use your Google Advertising ID (GAID) to serve personalised advertisements. You can opt out of personalised advertising at any time via Android Settings → Google → Ads → Opt out of Ads Personalisation.
Vaelox Pro subscribers have an ad-free experience. No advertising SDK is active for Pro users.
The Operator does not share your portfolio data, push tokens, or any other data collected by Vaelox with Google AdMob. AdMob operates independently using only the GAID and standard device signals.
DATA SHARING & THIRD PARTIES
The Operator does not sell, rent, or trade your personal data to any third party under any circumstances.
The Operator shares limited data with the following categories of third party only to the extent necessary to operate the Service:
- Supabase Inc. — push notification infrastructure (push tokens and portfolio snapshots). EU hosting, GDPR-compliant. Only users who grant notification permission are affected.
- Google LLC — advertising (GAID, free tier only) and payment processing (Google Play Billing, paid features). Subject to Google's Privacy Policy.
- Expo (Expo Technology Inc.) — push notification delivery infrastructure and anonymous crash reporting. Expo processes push tokens to deliver notifications to Android devices.
- Cloudflare Inc. — API proxy hosting (api.vaelox.app) and website hosting (vaelox.app). Cloudflare may retain standard web server logs including IP addresses for security purposes, governed by Cloudflare's Privacy Policy.
The Operator does not share data with advertising networks (other than Google AdMob as described above), data brokers, analytics companies, social media platforms, or any other commercial third parties.
DATA SECURITY
All data transmitted between the App and our infrastructure (Supabase, api.vaelox.app) is encrypted in transit using HTTPS/TLS. Portfolio snapshots and push tokens stored in Supabase are encrypted at rest. The Operator uses Supabase Row Level Security and API key authentication to restrict access to notification data.
Portfolio data stored locally on your device (AsyncStorage) is subject to Android's application sandbox security model — it is not accessible to other applications on your device.
Despite these measures, no transmission or storage method is 100% secure. The Operator cannot guarantee absolute security of data transmitted over the internet or stored on third-party infrastructure.
YOUR GDPR RIGHTS
As a data subject under GDPR, you have the following rights regarding your personal data:
- Right of access — you may request a copy of all personal data we hold about you.
- Right to rectification — you may request correction of inaccurate personal data.
- Right to erasure — you may request deletion of your personal data. For notification data, you can also delete it yourself by disabling notifications and uninstalling the app.
- Right to restrict processing — you may request that we limit how we process your data.
- Right to data portability — you may request your personal data in a structured, machine-readable format.
- Right to withdraw consent — where processing is based on consent (push notifications), you may withdraw consent at any time by disabling notifications in Android Settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to object — you may object to processing based on legitimate interests.
- Right to lodge a complaint — you may lodge a complaint with the Polish supervisory authority (UODO — Urząd Ochrony Danych Osobowych) at uodo.gov.pl, or with the supervisory authority in your country of residence.
To exercise any of these rights, contact hello@vaelox.app. We will respond within 30 days. We may need to verify your identity before processing your request.
DATA RETENTION
- Local portfolio data — retained on your device until you delete it or uninstall the app. Not subject to our retention policy as it never leaves your device (unless notifications are enabled).
- Push tokens and portfolio snapshots — retained until your push token becomes invalid (typically on app uninstall) or until you request deletion. Automatically purged within 90 days of token invalidation.
- Purchase records — retained by Google Play in accordance with Google's retention policy. The Operator retains no independent copy of payment data.
- Crash and diagnostic logs — retained for up to 90 days by Expo analytics infrastructure.
CHILDREN'S PRIVACY
Vaelox is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact hello@vaelox.app and we will delete it promptly.
CHANGES TO THIS POLICY
The Operator may update this Privacy Policy from time to time. Material changes — particularly those that affect how your data is collected, used, or shared — will be communicated via an updated effective date at the top of this page and, where appropriate, an in-app notification.
Continued use of the Service after changes are published constitutes acceptance of the revised Policy. If you do not agree with any changes, you should uninstall the App and cease using the Service.