Privacy Policy
Last updated: May 18, 2026
This Privacy Policy describes how VayoMed, Inc., a Delaware corporation with offices at 251 Little Falls Drive, Wilmington, DE 19808 ("Vayo," "we," "our," or "us"), collects, uses, discloses, and protects information when you use the vayo.id digital business card service ("Service"), including the vayo.id mobile application and the vayo.id website at https://vayo.id.
By using the Service, you agree to the practices described in this Policy. If you do not agree, do not use the Service.
Plain-English summary (not a substitute for this Policy): We collect what we need to run the Service: the contact info on your card, the cards you save or scan, and basic device telemetry. When you scan a business card, the recognized text is sent to our cloud AI provider (Anthropic, with OpenAI as a fallback) for parsing. The image itself is not sent to the AI provider — but it is uploaded to our own storage hosted on Vercel (Vercel Blob) and saved with the contact so you can view the original card later. You can delete a scan image at any time. We do not sell your personal information.
1. Information We Collect
1.1 Information you provide
- Account information: name, email address, and authentication data (via Clerk). If you sign in with Apple, Google, or Microsoft, the OAuth provider shares with us the basic profile fields you've consented to.
- Card profile information: anything you put on your digital business card — display name, title, company, pronouns, phone numbers, email addresses, websites, addresses, calendar links, bios, social handles, and the headshot / logo / cover photo images you upload.
- Saved contacts: contact data you save manually or scan, plus any notes, tags, and note attachments you add.
- Scanned card images: when you scan a paper business card, the cropped image (the rectangle inside the on-screen frame) is uploaded to our blob storage on Vercel (Vercel Blob) and associated with the resulting contact so you can see the original card later. The image is stored under a path that includes your contact's identifier (e.g.,
contacts/{id}/scans/card.jpg). You can delete these images at any time from the contact's detail view; deletion removes the file from the storage bucket and the URL from your contact record.
1.2 Information collected automatically
- Device and usage data: device model, operating-system version, application version, IP address, language, time zone, crash logs, and performance metrics. Collected via PostHog (product analytics) and Sentry (error monitoring). We use this to debug problems and improve the Service.
- Camera, scan images, and OCR text: when you scan a card, we use your device's camera and on-device text recognition (Google ML Kit). The recognized text is sent to our cloud AI provider (Anthropic, with OpenAI as a fallback) for parsing — see Section 3. The cropped image is uploaded to our own blob storage hosted on Vercel (Vercel Blob, see Section 4) and saved with the resulting contact so you can view the original card later. The image is not sent to the AI provider — only the recognized text is. You can delete a scan image at any time from the contact's detail view.
- Cookies and similar technologies: the website uses cookies set by our authentication provider (Clerk) and minimal first-party cookies needed to keep you signed in. The mobile app uses native secure storage (Keychain / KeyStore) for the same purpose.
1.3 What we do not collect
We do not collect precise location, contacts from your device address book (unless you explicitly enable that integration in a future release), microphone audio, or biometric identifiers.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service (create your card, save your contacts, deliver scan results);
- Authenticate you and protect against unauthorized access;
- Run the on-device + cloud parsing pipeline that converts scanned cards into structured contacts;
- Communicate with you about your account or material changes to the Service;
- Diagnose and fix bugs and improve performance and features;
- Detect, prevent, and address fraud, abuse, or violations of our Terms of Service;
- Comply with legal obligations.
We do not use your personal information for advertising. We do not sell your personal information.
3. AI / LLM Processing
To improve the accuracy of scanned cards, we send the text recognized from the card image (not the image itself) to a third-party large language model provider — currently Anthropic, PBC (Claude) and, as a fallback, OpenAI, OPCO LLC. The provider returns structured fields (name, title, email, etc.) that are merged into the draft contact you see on the confirm screen.
By contractual agreement, our LLM providers do not use this text to train their models. The text is processed transiently to return a response and is not retained for model improvement. See the providers' policies for details:
- Anthropic API data usage: https://www.anthropic.com/legal/aup
- OpenAI API data usage: https://openai.com/policies/api-data-usage-policies
4. How We Share Information
We share information only with the following categories of recipients:
- Sub-processors who help us operate the Service:
- Clerk Inc. — account authentication;
- Anthropic, PBC and OpenAI, OPCO LLC — cloud AI for card-text parsing;
- Vercel Inc. — application hosting and Blob storage for uploaded images;
- Neon Inc. — managed Postgres database hosting;
- PostHog Inc. — product analytics;
- Sentry / Functional Software, Inc. — error monitoring;
- Apple Inc. and Google LLC — mobile app distribution and push delivery infrastructure (no push messages are sent today, but the platforms are in scope for app delivery).
- Legal compliance and protection: we may disclose information if required by law, subpoena, or other legal process, or if necessary to protect the rights, property, or safety of Vayo, our users, or the public.
- Business transfers: if Vayo is involved in a merger, acquisition, financing, or sale of all or part of its assets, your information may be transferred as part of that transaction. We will notify you (in-app or by email) of any change in control.
We do not sell, rent, or trade your personal information to third parties for their own advertising or marketing.
5. International Transfers
Our infrastructure is operated primarily in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. and in any other country where our sub-processors operate. By using the Service, you consent to this transfer. We rely on appropriate safeguards (e.g., standard contractual clauses) where required by applicable law.
6. Data Retention
- We retain your account information and content for as long as your account is active.
- When you delete content (a card, a contact, a scan image), it is removed from active systems immediately and from backups within a reasonable rolling window (generally up to 30 days).
- When you delete your account, we delete or anonymize your personal information within 30 days, except where retention is required by law (e.g., tax or audit obligations) or necessary to resolve disputes or enforce our agreements.
7. Security
We use commercially reasonable administrative, technical, and physical safeguards to protect your information, including:
- Encryption in transit (TLS 1.2+) and at rest where supported by our storage providers;
- Authenticated access to admin interfaces;
- Periodic dependency scanning and security review of our code;
- Principle-of-least-privilege access for personnel who can access production data.
No system can be guaranteed 100% secure. If you believe your account has been compromised, contact us immediately at the address in Section 12.
8. Your Choices and Rights
You can:
- Access and edit your card and contact data in-app at any time;
- Export your contacts via the export function in the web portal (planned for v2; available on request in the interim — see Section 12);
- Delete individual cards, contacts, notes, scan images, or your entire account in-app. For a step-by-step walkthrough — including an email path if you cannot sign in — see our Account deletion page;
- Opt out of analytics: PostHog can be disabled in a future Settings toggle; in the interim, contact us to request opt-out;
- Sign out of all devices via the Settings page.
Depending on your location, you may have additional rights under applicable law:
8.1 California (CCPA / CPRA)
If you are a California resident, you have the right to (a) know what personal information we collect and how we use it; (b) request a copy of your personal information; (c) request deletion; (d) correct inaccurate information; (e) opt out of any "sale" or "sharing" of personal information (we do not sell or share, as those terms are defined under the CCPA); and (f) not be discriminated against for exercising your rights. To exercise these rights, contact us at the address in Section 12.
8.2 European Economic Area / United Kingdom (GDPR / UK GDPR)
If you are in the EEA or the UK, our lawful bases for processing are (a) performance of a contract (to provide the Service you've requested), (b) our legitimate interests (to operate, secure, and improve the Service), and (c) your consent where required. You have the right to access, rectify, erase, restrict processing of, port, or object to processing of your personal data, and to lodge a complaint with your local supervisory authority.
9. Children's Privacy
The Service is not directed to children under 16 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children under that age. If we learn that we have collected personal information from a child without verifiable parental consent, we will delete it. If you believe a child has provided personal information to the Service, contact us at the address in Section 12.
10. Third-Party Links
The Service may link to third-party websites or services (for example, when you tap a website link on a scanned contact). We are not responsible for those services' privacy practices. Review their privacy policies before providing information to them.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make a material change, we will notify you in-app, by email, or by updating the "Last updated" date at the top of this Policy with reasonable advance notice. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
12. Contact
For questions about this Policy or to exercise any of your rights, contact us at:
VayoMed, Inc. Attn: Privacy 251 Little Falls Drive Wilmington, DE 19808, U.S.A. privacy@vayo.id