Privacy Policy

Last updated: 18 April 2026

This Privacy Policy explains how Valio Ltd (“Valio”, “we”) collects and uses personal data in connection with the Valio platform and website. Valio is the controller of the personal data described here. We are registered with the UK Information Commissioner's Office.

1. What we collect

  • Account data — email address, name, company name, professional role, and authentication metadata.
  • Usage data — pages visited, features used, quota counters, IP address, device/browser metadata.
  • Content data — companies you track, saved searches, chat messages, and valuations you generate.
  • Billing data — tokenised payment details and subscription status (held by Stripe; Valio never stores raw card numbers).
  • Public company data — we ingest public UK company filings from Companies House. This is public-record information about the companies you research rather than data about you; note that filings can include the names of company officers, which Companies House publishes.

2. How we use it

  • To provide and operate the Service (legitimate interest / contract).
  • To authenticate your account and prevent abuse (legitimate interest).
  • To bill you and meet legal obligations (contract / legal obligation).
  • To debug, secure, and improve the Service (legitimate interest).
  • To send transactional emails (contract) and — only if you opt in — product news (consent). You can opt out at any time via a footer link in any marketing email.

3. AI and LLM providers

Chat and narrative-report features send your prompts and the relevant cached company financials to our LLM provider (Anthropic) for inference. Anthropic processes this data under its enterprise terms and does not use API content to train its models. We do not send any personally identifying information to the LLM beyond the content of your own chat messages.

4. Sharing

We share data with the minimum necessary subprocessors:

  • Supabase (database, authentication, storage) — EU-hosted
  • Railway (backend compute) — hosted in the region closest to users
  • Vercel (frontend hosting / edge) — global CDN
  • Upstash (Redis cache) — EU-hosted
  • Anthropic (LLM inference) — US-hosted, enterprise terms
  • Stripe (payments) — UK/EU under SCCs
  • Resend (transactional email)
  • Sentry (error monitoring), PostHog (product analytics)

Where data leaves the UK, transfers are covered by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; where data leaves the EEA, by the EU Standard Contractual Clauses.

5. Retention

  • Account + content data: kept while your account is active, and for up to 30 days after deletion for operational backups.
  • Billing records: retained for 6 years to meet UK tax law.
  • Public company cache: retained indefinitely (public-record company data, not data about you).

6. Your rights

Under UK GDPR you have the right to access, correct, delete, restrict, port, and object to processing of your personal data, and to complain to the ICO (ico.org.uk). Exercise any of these rights by emailing privacy@valio.co.uk. We respond within one month.

7. Security

We enforce Postgres Row-Level Security so that users can read only their own records; TLS for all traffic in transit; encryption at rest for databases and storage; and least-privilege access controls for our team. No system is perfectly secure: please use a unique, strong password and report anything suspicious to security@valio.co.uk.
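For readers who want to see what the Row-Level Security control above looks like in practice, the following is an illustrative policy set added here for explanation. It is not Valio's schema or policy; the table and column names (tracked_companies, user_id, company_no) are assumptions, and auth.uid() is the Supabase helper that returns the calling user's id from their session token.

```sql
-- Illustrative example only: hypothetical table and column names.
-- auth.uid() is Supabase's helper returning the authenticated user's id.
create table if not exists tracked_companies (
  id          bigint generated always as identity primary key,
  user_id     uuid not null,                  -- owner of the row
  company_no  text not null,                  -- Companies House company number
  created_at  timestamptz not null default now()
);

-- Enable RLS, and FORCE it so the table owner is also subject to the policies.
alter table tracked_companies enable row level security;
alter table tracked_companies force row level security;

-- With RLS enabled and no matching policy, Postgres returns no rows at all.
-- One policy per command, so a user can neither read nor change anyone else's rows.
create policy "select own rows" on tracked_companies
  for select to authenticated
  using (user_id = auth.uid());

create policy "insert own rows" on tracked_companies
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "update own rows" on tracked_companies
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "delete own rows" on tracked_companies
  for delete to authenticated
  using (user_id = auth.uid());

-- Sanity check, run as an ordinary authenticated user: any row returned here
-- means a policy is missing or too broad.
select id, user_id from tracked_companies where user_id <> auth.uid();
```

Two caveats worth knowing: Postgres superusers and roles with the BYPASSRLS attribute (which includes the privileged service key a backend typically uses) are not subject to these policies, so server-side code running with that key must enforce ownership itself; and a SECURITY DEFINER function runs as its owner, so it can expose rows the caller's own policies would hide.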

8. Children

Valio is not directed at children under 18 and we do not knowingly collect their personal data.

9. Changes

We will update this Policy when our practices change. The “Last updated” date above reflects the most recent revision.

10. Contact

privacy@valio.co.uk for privacy-specific queries, or hello@valio.co.uk for anything else.