Privacy Policy
Last updated: 7 June 2026
Summary
- Valo Labs LTD is the controller for personal data collected through Valo unless this policy says otherwise.
- Valo Labs LTD is registered with the Information Commissioner's Office under registration reference ZC166399.
- Valo processes account, portfolio, transaction, broker, tax, AI chat, notification, subscription, device, and usage data to provide the Services.
- Sonny AI and AI-generated features may send your prompts, selected portfolio context, attachments, and tool results to AI and web-search providers.
- Broker API credentials are stored encrypted and used to validate and sync the broker accounts you choose to connect.
- Valo uses third-party providers for hosting, database, authentication, AI, payments, analytics, error monitoring, push notifications, broker sync, market data, logos, and public web data.
- You have UK data protection rights, including access, correction, deletion, objection, restriction, portability, and complaint rights.
1. Scope and controller
This Privacy Policy explains how Valo Labs LTD collects, uses, shares, stores, and protects personal data when you use Valo, including the website at meetvalo.app, the web application, mobile applications, Sonny AI, portfolio analytics, broker import, market data, alerts, tax tools, subscriptions, waitlist, support, and related services (together, the Services).
Valo is operated by Valo Labs LTD, a private limited company registered in England and Wales with company number 17199340 (CH No. 17199340). Our registered office is Candlemas Cottage, Ham, Marlborough, England, SN8 3RB.
Valo Labs LTD is registered with the Information Commissioner's Office (ICO) under registration reference ZC166399.
For the UK GDPR and the Data Protection Act 2018, Valo Labs LTD is the controller of the personal data described in this policy unless we explain that another organisation is acting as an independent controller. You can contact us about privacy at privacy@meetvalo.app.
2. Personal data we collect
We collect and generate different categories of personal data depending on how you use Valo:
- Account and identity data: email address, password authentication state, Supabase user ID, OAuth provider identifiers, Apple or Google sign-in details that the provider shares with us, verification and password-reset events, session data, and account status.
- Profile and preferences: display name, base currency, tax residency, tax-rate band, investing experience, onboarding state, appearance settings, portfolio preferences, notification preferences, and app settings.
- Portfolio and financial records: portfolio names, assets, tickers, quantities, values, currencies, account wrappers, cost basis, transactions, dates, fees, notes, watchlists, price targets, alerts, thesis fields, manually entered assets, CSV-import rows you submit, generated tax summaries, and export/report data.
- Broker and exchange data: broker name, account identifiers, account name/number, API credentials or tokens, account type, balances, holdings, positions, orders, fills, ledger entries, transfers, transaction history, fees, sync logs, sync errors, and preview decisions.
- Sonny AI and generated-content data: chat sessions, messages, prompts, selected model, selected tools, selected portfolio scope, attachments and extracted text/content that you submit, AI responses, follow-up prompts, votes, token counts, tool inputs and results, citations, generated thesis fields, and market summary data.
- Subscription and billing metadata: RevenueCat app user IDs, entitlement IDs, product IDs, store, transaction IDs, purchase, renewal, cancellation, expiry, and billing status metadata. We do not store full payment-card details.
- Device, usage, and diagnostic data: IP address, device and browser type, operating system, app version, routes and screens viewed, event data, performance data, cookies or local storage identifiers, push tokens, crash reports, logs, and security metadata.
- Waitlist, contact, and support data: email address, messages you send us, support requests, billing-support context, and any information you choose to include in correspondence.
3. Sources of personal data
We receive personal data from:
- you directly, when you create an account, enter portfolio data, upload or paste content, contact us, join the waitlist, set preferences, connect a broker, import CSV data, or use Sonny AI;
- your device and browser, through cookies, local storage, secure storage, logs, diagnostics, push-token registration, and app telemetry;
- authentication and platform providers, such as Supabase Auth, Google, Apple, Apple App Store, and Google Play;
- brokers and exchanges that you choose to connect, including Trading 212 and Kraken;
- subscription and payment infrastructure, including RevenueCat and app-store billing platforms;
- market-data, financial-data, logo, search, and public-source providers used to enrich the Services; and
- our systems, where we generate analytics, tax summaries, AI responses, notifications, reports, derived metrics, logs, and inferred app state from the information above.
4. How we use personal data
We use personal data for the purposes below. The lawful bases available under UK data protection law may include contract, legitimate interests, consent, and legal obligation, depending on the specific processing.
- Provide and operate Valo: create accounts, authenticate users, maintain sessions, store portfolio data, show dashboards, calculate metrics, run tax tools, generate reports, import transactions, sync brokers, deliver subscriptions, and provide customer support. Lawful basis: contract and legitimate interests.
- Run Sonny AI and generated features: answer prompts, build portfolio context, run selected tools, process attachments, generate summaries and theses, create citations, and store chat history. Lawful basis: contract, legitimate interests, and consent where you choose to provide optional content.
- Manage payments and entitlements: process subscription state, trials, renewals, cancellations, refunds, purchase restoration, plan access, and billing support. Lawful basis: contract, legal obligation, and legitimate interests.
- Send service communications: send verification, password reset, account, security, subscription, product, support, notification, tax reminder, broker-sync, and alert messages. Lawful basis: contract, legitimate interests, consent, and legal obligation where applicable.
- Improve and secure the Services: debug errors, monitor reliability, measure usage, prevent abuse, apply rate limits, protect accounts, investigate suspicious activity, improve features, and test performance. Lawful basis: legitimate interests and legal obligation.
- Marketing and waitlist: maintain the waitlist, send product updates where permitted, manage preferences, and respond to enquiries. Lawful basis: consent and legitimate interests, depending on the interaction.
- Legal and business administration: comply with law, enforce agreements, respond to lawful requests, defend claims, maintain accounting records, and manage corporate transactions. Lawful basis: legal obligation and legitimate interests.
Where we rely on legitimate interests, we balance our interests against your rights and freedoms. Where we rely on consent, you may withdraw consent at any time, but this does not affect processing that happened before withdrawal.
5. AI, Sonny, and generated content
When you use Sonny AI or AI-generated features, Valo may send your prompt, chat history, selected portfolio scope, portfolio context, profile context, selected tools, attachment content, and tool results to OpenRouter and the model or search providers routed through OpenRouter. Current AI routes include Anthropic models and OpenAI-model routes, and may include web-search providers where live search is enabled.
We do not intentionally send broker API keys, passwords, authentication tokens, or raw payment credentials to AI providers. You should avoid putting secrets, passwords, API keys, payment card details, or other unnecessary sensitive information into prompts or attachments.
AI outputs, citations, summaries, and generated thesis content may be stored in your account, used to display chat history, and used to operate, secure, and improve the Services. We may retain limited metadata such as token counts, selected model, selected tools, and user feedback.
6. Broker connections and financial records
If you connect a broker or exchange, Valo uses the credentials or API keys you provide to validate the account and fetch the data needed for the broker-sync features you choose to use. Connected-provider credentials are stored encrypted using application-level encryption and used for read-only sync where the provider supports it.
Broker sync can import balances, holdings, account identifiers, transactions, fills, ledgers, fees, currencies, transfer activity, account type, sync status, and error metadata. We use this data to build your portfolio, detect duplicates, create sync previews, support tax calculations, and troubleshoot sync issues.
You can disconnect a broker connection or stop sync in the product where those controls are available. Disconnecting a broker stops future sync, but data already imported into Valo may remain in your portfolio until you delete it or request deletion.
7. Service providers and data sharing
We use third-party providers to operate Valo. Some act as processors for Valo, some act as independent controllers for their own services, and some provide public data APIs that receive only symbol or market queries plus ordinary technical metadata.
We may add, replace, or remove providers as the Services evolve. Where a provider change materially affects how your personal data is used, we will update this policy or provide another appropriate notice.
9. Communications and notifications
We may send you service emails and in-app messages about account security, verification, password reset, broker sync, billing, subscriptions, product changes, support, tax reminders, and important service updates.
If you enable push notifications, we store your Expo push token and platform so we can send notifications through Expo and the relevant Apple or Google push infrastructure. You can disable push notifications in Valo where controls are available or in your device settings.
We may send waitlist or marketing updates where permitted. You can opt out of marketing emails by using the unsubscribe option where provided or by contacting hello@meetvalo.app.
10. Other disclosures
We may disclose personal data:
- to service providers and sub-processors described in this policy;
- to brokers, exchanges, AI providers, app stores, market-data providers, and other integrations where this is needed to provide a feature you choose to use;
- to professional advisers, insurers, auditors, banks, accountants, legal advisers, and other business operations providers;
- to regulators, courts, law-enforcement bodies, public authorities, tax authorities, or other third parties where required or permitted by law;
- to investigate, prevent, or respond to security incidents, abuse, fraud, legal claims, or breaches of our terms; and
- in connection with a merger, acquisition, financing, reorganisation, sale of assets, insolvency, or similar corporate transaction, subject to appropriate protections.
We do not sell your personal data for money. We also do not use your broker credentials or payment details for advertising.
11. International transfers
Valo is operated from the United Kingdom, but our providers may process personal data in the UK, EEA, United States, Canada, and other countries. Data protection laws in those countries may differ from UK law.
Where UK data protection law requires safeguards for restricted transfers, we rely on appropriate mechanisms such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, provider contractual commitments, transfer risk assessments, or another lawful transfer mechanism.
You can read general UK regulator guidance on international transfers from the Information Commissioner's Office.
12. Retention
We keep personal data for as long as reasonably necessary for the purposes described in this policy, including to provide the Services, keep records, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and protect legitimate business interests.
- account, profile, portfolio, transaction, tax, watchlist, chat, and broker data is generally retained while your account is active or until you delete it or request deletion;
- broker credentials are retained while the broker connection remains connected and are deleted or disabled when the connection is removed, subject to backups and legal-retention needs;
- push tokens are retained while push is enabled for your device or until you sign out, disable push, or the token is removed;
- waitlist emails are retained until the waitlist purpose ends, you unsubscribe, or you request deletion;
- diagnostic logs, analytics, and security records are usually kept for shorter operational periods unless needed for security, legal, or abuse-prevention reasons; and
- billing, subscription, tax, accounting, and legal records may be retained for longer periods, including up to six years where needed for UK limitation, accounting, tax, or legal purposes.
Backups and archived copies may take additional time to expire, but we restrict access to them and do not use them for ordinary product activity.
13. Security
We use technical and organisational measures designed to protect personal data, including Supabase row-level security, access controls, encrypted broker credentials, secure session handling, rate limits, validation, logging, and operational monitoring.
No method of transmission or electronic storage is completely secure. You are responsible for using strong passwords, protecting your devices, keeping broker API keys private, reviewing connected apps, and telling us promptly if you suspect unauthorised access.
14. Your rights
Under the UK GDPR and the Data Protection Act 2018, you may have rights to access, correct, erase, restrict, object to processing, obtain a portable copy of your data, and withdraw consent where processing is based on consent. These rights are not absolute and may depend on the context.
You can exercise rights by contacting privacy@meetvalo.app. We may need to verify your identity before responding. We aim to respond within the timeframe required by UK data protection law.
You also have the right to complain to the UK Information Commissioner's Office. The ICO's website is ico.org.uk.
15. Children
Valo is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to Valo, contact us and we will take appropriate steps.
16. Changes to this policy
We may update this Privacy Policy from time to time. If we make a material change, we will take reasonable steps to notify you, such as posting the updated policy, updating the last-updated date, sending an email, or showing an in-product notice.
The updated policy applies from the date it is posted unless we state otherwise.
17. Contact
Questions, privacy requests, complaints, and data protection enquiries should be sent to privacy@meetvalo.app.
Please include enough information for us to identify your account and understand the request. Do not send passwords, broker API secrets, or full payment-card details by email.