Skip to content
Start free trial

Privacy Policy

Last updated: 1 June 2026

This policy explains how Vestly handles your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). "Vestly", "we", "us", and "our" refer to the operators of vestly.au.

What we collect

  • Account information: your email address and (optional) full name.
  • Portfolio data: property addresses, purchase prices, loan details, rents, expenses and documents that you choose to enter.
  • Usage data: anonymised page views and feature usage via Vercel Analytics and Meta Pixel so we can improve the product.
  • Payment information: if you subscribe to Vestly, credit card details are handled by Stripe - we never see or store your card number.

How we use it

  • To provide the Vestly service (calculations, dashboards, reports).
  • To email you service updates and (only if you opt in) occasional product news.
  • To understand how the product is used and make it better.
  • To process Vestly subscription payments via Stripe.

We do not sell your personal information. We do not share it with advertisers or data brokers. We do not use your portfolio data to train AI models.

Where your data lives

Vestly is built on Supabase, hosted in AWS Sydney (ap-southeast-2). Every database table enforces row-level security so your records are isolated from every other user at the database level. Documents are stored in private Supabase Storage buckets behind short-lived signed URLs. The app is hosted on Vercel (Sydney region).

Security

  • All traffic is encrypted in transit (HTTPS / TLS 1.3).
  • Data is encrypted at rest by Supabase.
  • Passwords are hashed with industry-standard algorithms - we never see your password.
  • Two-factor authentication is available via your email provider (Google, Apple).

Your rights

Under the Australian Privacy Act you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Request deletion of your account and all associated data.
  • Export your data in a portable format.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we've mishandled your data.

To exercise any of these rights, email vestlyaus@gmail.com. We will respond within 30 days.

Self-serve data export. In line with Australian Privacy Principle 12.4, you can download a copy of every personal-data record we hold about you directly from Settings → Your data. The export is a single JSON file covering your profile, properties, expenses, document metadata, inspections, shortlist, capital improvements, AI history, notifications and email send history. Document file blobs are not included; email us if you also need the file contents.

Cookies and tracking

Vestly uses strictly-necessary cookies for authentication and session management. Anonymous analytics cookies are used to understand aggregate product usage. We use Meta Pixel on marketing pages for ad measurement; you can opt out via your browser settings.

Do Not Track. If your browser sends a Do Not Track (DNT) signal, Vestly skips the Meta Pixel page-view, conversion, and UTM-capture events for your session. You can enable DNT in Firefox or Brave under privacy settings. Note that the strictly-necessary auth cookies remain - without them you cannot stay signed in.

Third parties

We rely on these sub-processors to deliver the service:

  • Supabase - database, auth, storage (AWS Sydney).
  • Vercel - hosting, edge functions (Sydney region).
  • Stripe - payment processing for the per-property subscription. Stripe stores your card and handles billing; we never see or store your card number.
  • Resend - delivery of transactional and lifecycle emails (e.g. trial reminders, receipts, tax-time nudges). Receives your email address and the message content only.
  • Anthropic - AI Insights (your portfolio data is sent to Claude only when you ask it a question; no training on your data).
  • Meta - Pixel tracking on marketing pages only.

Children

Vestly is not intended for anyone under 18. If we learn that a minor has created an account, we will delete it.

Changes to this policy

We may update this policy from time to time. Material changes will be emailed to registered users at least 14 days before they take effect.

Contact

Privacy-related questions or complaints: vestlyaus@gmail.com.

See also our terms of service.