Privacy Policy
Last updated
This Privacy Notice explains how Verdly handles your personal information when you use our services.
Verdly is operated by Nyle Connolly, trading as Verdly (referred to as “we”, “us”, or “our”). We are the data controller for the personal information described in this notice.
This Privacy Notice applies when you:
- Visit our website at verdly.io, or any website of ours that links to this Privacy Notice
- Create an account or use the Verdly application at app.verdly.io
- Engage with us in other related ways, including support
Questions or complaints? If you have any questions about this notice, or wish to make a complaint about how we handle your personal information, please contact us at support@verdly.io. Our complaints process is described in section 12.
SUMMARY OF KEY POINTS
What is Verdly? Verdly is a privacy-first, manual net worth tracker. You enter your own financial information; we do not connect to your bank accounts, and we do not sell your data to anyone, ever.
What information do we process? Your account details (name, email, password), the financial information you choose to enter (net worth snapshots, asset values, milestones, notes), and technical information needed to run the service safely.
Do we process sensitive information? Yes. The financial information you enter is sensitive personal data and we treat it accordingly.
Do we sell your data? No. We do not sell, rent, or trade your personal information to anyone.
Do we use AI? Yes. Verdly offers optional AI features (AI Insights and Ask Verdly). They are off by default and you choose whether to turn them on. When you use them, a summary of your financial data is sent to Amazon Web Services (AWS), via its Amazon Bedrock service, and is processed within the EEA. See section 4.
Do we use cookies? We use a small number of cookies and similar technologies that are strictly necessary to keep you logged in and the service running. We also use limited, non-tracking analytics with an opt-out. See section 8.
What are your rights? You have the right to access, correct, delete, export, restrict, or object to processing of your personal information. You can also withdraw consent at any time and complain to the ICO. See sections 10 and 12.
How do you contact us? Email support@verdly.io or use the in-app settings at app.verdly.io/settings.
TABLE OF CONTENTS
- What information we collect
- How we use your information
- Legal bases for processing
- AI-powered features (Amazon Bedrock)
- Third parties we share information with
- International data transfers
- How long we keep your information
- Cookies and similar technologies
- How we keep your information safe
- Your rights
- Children
- Complaints procedure
- Updates to this notice
- How to contact us
- US state residents
- Other regions
1. WHAT INFORMATION WE COLLECT
Information you give us directly
When you create an account and use Verdly, you provide us with:
- Account information: your name, email address, and a hashed password.
- Account preferences: display settings, chart colour scheme, notification preferences, and contact preferences.
- Financial information you enter: net worth snapshots, asset categories and values (which you can record at whatever level of granularity you choose), milestone targets, snapshot dates, and any free-text notes you add for personal context. We treat this as sensitive personal data even though UK GDPR does not formally classify financial data as a special category.
- Subscription information (paid plans): subscription status and billing email. Payment card details are handled directly by our payment processor (see section 5) and are never stored on Verdly’s systems.
- Support correspondence: anything you send us when you contact support.
Information collected automatically
When you use Verdly, we automatically collect:
- Log and usage data: IP address, browser type and version, operating system, language preference, pages visited, actions taken, timestamps, and crash reports.
- Device data: device type, screen resolution, and basic device identifiers.
This information is used to keep the service running, diagnose problems, and improve the product. It is not used to build advertising profiles, and we do not share it with advertisers.
We do not collect information about you from third parties.
2. HOW WE USE YOUR INFORMATION
We use your information for the following purposes:
- To provide the service. Creating and managing your account, storing your financial snapshots, generating dashboards and projections, and delivering the core features of Verdly.
- To authenticate you. Signing you in, keeping you signed in securely, and protecting your account from unauthorised access.
- To process payments. If you subscribe to a paid plan, managing your subscription and billing.
- To communicate with you. Sending essential service emails (account verification, password resets, security notices, billing receipts). We do not currently send marketing emails.
- To provide AI insights. See section 4.
- To improve the product. Understanding how features are used so we can fix bugs, improve performance, and prioritise new features. We use anonymised or aggregated data for this purpose where possible.
- To prevent fraud and abuse. Detecting suspicious activity and protecting the service from misuse.
- To comply with legal obligations. Such as responding to lawful requests from regulators or law enforcement.
3. LEGAL BASES FOR PROCESSING
Under UK GDPR, we must rely on a lawful basis for each kind of processing we do. The bases we rely on are:
| Processing activity | Lawful basis |
|---|---|
| Creating and operating your account | Performance of a contract |
| Storing and displaying your financial information | Performance of a contract |
| Processing subscription payments | Performance of a contract |
| Sending essential service emails | Performance of a contract |
| Providing AI features (AI Insights and Ask Verdly) | Legitimate interests — offering optional features that help users understand their financial position; these features are off by default, and you choose whether to turn them on or use them |
| Product analytics (anonymised) | Legitimate interests — improving the service |
| Security, fraud prevention, and abuse detection | Legitimate interests — protecting the service and users |
| Responding to legal requests | Legal obligation |
Where we rely on legitimate interests, we have considered whether our interests are overridden by your rights and freedoms, and concluded that they are not in light of the safeguards we apply (including your ability to opt out and the contractual restrictions on our processors). You can object to this processing at any time — see section 10.
Where we rely on consent (for future marketing communications, should we introduce them), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
4. AI-POWERED FEATURES (AMAZON BEDROCK)
Verdly offers two optional AI features: AI Insights (a written summary of your latest figures, shown on your dashboard) and Ask Verdly (a chat assistant that answers questions about your own data). Both are off by default — AI Insights is switched on in Settings > AI Insights, and Ask Verdly is used only when you choose to. Both are part of Verdly Pro.
What data is sent
When you use these features, we send a summary of your financial data to Amazon Web Services (AWS), via its Amazon Bedrock service, to generate the response. For AI Insights this is:
- A summary of your most recent net worth snapshots
- Your asset category breakdown (e.g. “cash: £X, investments: £Y”)
- Any milestone targets you have set
For Ask Verdly, we also send the questions you type and the financial summary needed to answer them.
We do not send your name, email address, or other directly identifying information. The data sent is associated with a non-identifying account reference only.
What you get
You receive observations, summaries, or commentary about your financial position — for example, “your savings rate has increased over the past three months” or “your portfolio allocation has shifted towards equities.” These are observations, not financial advice or recommendations. Verdly is not a regulated financial adviser and nothing in the AI insights should be relied on as financial advice.
Important details about Amazon Bedrock
AWS processes the data within the EEA, in Amazon’s EU regions (primarily eu-west-1, Ireland). Amazon Bedrock does not store your inputs or the generated output once your request has been processed, does not use them to train any models, and does not share them with any third party. See section 6 for details on where this data is processed.
How AI outputs are stored
We cache one AI insight per user at a time. When a new insight is generated, the previous one is overwritten. When you turn AI Insights off or delete your account, the cached output is deleted. Ask Verdly conversations are saved so you can return to them; you can delete any conversation at any time, and all of them are deleted when you delete your account.
Automated decision-making
AI insights do not make decisions about you that produce legal or similarly significant effects. They are descriptive observations about data you have already entered. UK GDPR Article 22A (automated decision-making) therefore does not apply. You retain the right to request human review of any insight, to contest any output you disagree with, and to opt out at any time.
How to opt out
You can disable AI Insights at any time in your settings at app.verdly.io/settings, under AI Insights. When you disable it, no further data is sent for insights and the cached output is deleted. You can stop using Ask Verdly at any time, and delete your conversations from the chat list.
5. THIRD PARTIES WE SHARE INFORMATION WITH
We share personal information only with the service providers we need to run Verdly. We have contracts in place with each of them that restrict how they may use your data.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (Cognito) | Authentication and account management | eu-west-1 (Ireland) |
| Amazon Web Services (Simple Email Service) | Sending transactional emails (including Cognito one-time passwords) | eu-west-1 (Ireland) |
| DigitalOcean | Application and database hosting | LON1 (London, UK) |
| Cloudflare | DNS, firewall, CDN, and DDoS protection | Global edge network |
| Amazon Web Services (Amazon Bedrock) | AI features (AI Insights and Ask Verdly) | eu-west-1 (Ireland) and other EU regions |
| Grafana Cloud (Faro) | Product analytics, performance monitoring, and error tracking | Grafana Cloud |
| Stripe | Payment processing and Merchant of Record for paid subscriptions (billing, VAT, invoices, and refunds) | United States, with EU/UK data centres |
| RevenueCat | Subscription management | United States |
We may also share your information:
- In a business transfer. If Verdly is ever sold, merged with, or acquired by another company, your information may be transferred as part of that transaction. You will be notified in advance.
- For legal reasons. If we are required to do so by law, court order, or to defend our legal rights.
We do not sell, rent, or trade your personal information to any third party for any purpose.
6. INTERNATIONAL DATA TRANSFERS
Verdly is operated from the United Kingdom and we keep your data within the UK and EEA wherever practical.
- DigitalOcean (application and database hosting) processes data in LON1 (London, UK) — within the UK.
- AWS Cognito, AWS SES, and Amazon Bedrock (AI features) process data within the EEA, in Amazon’s EU regions (primarily eu-west-1, Ireland) — which the UK considers to provide adequate protection.
- Cloudflare, Grafana Cloud (Faro), Stripe, and RevenueCat may process data outside the UK and EEA depending on their infrastructure.
Where personal information is transferred outside the UK and EEA, we rely on appropriate safeguards, including:
- The UK International Data Transfer Addendum to the EU Standard Contractual Clauses
- The UK International Data Transfer Agreement (IDTA)
- Equivalent contractual protections offered by the relevant service provider
You can request more information about these safeguards by emailing support@verdly.io.
7. HOW LONG WE KEEP YOUR INFORMATION
We keep your information only for as long as we need it.
| Data category | Retention period |
|---|---|
| Account information (name, email, password hash) | Until you delete your account |
| Financial snapshots, notes, and milestones | Until you delete them, or until you delete your account |
| Cached AI insight output | Overwritten when a new insight is generated; deleted when you turn AI Insights off or delete your account |
| Ask Verdly conversation history | Until you delete the conversation, or until you delete your account |
| Subscription and billing records | 7 years after the end of the subscription, as required by UK accounting law |
| Support correspondence | Retained in our support inbox; we will introduce a formal retention period as the service grows |
| Server logs (DigitalOcean) | 90 days |
| Product analytics and error logs (Grafana Faro) | 14 days |
| Database backups (DigitalOcean) | 7 days |
| Cookies and local storage | See section 8 |
When you delete your account, we delete or anonymise your personal information within 30 days from our live systems, and within a further 7 days from database backups. Limited information may be retained where we are legally required to do so (for example, tax records) or to defend legal claims.
8. COOKIES AND SIMILAR TECHNOLOGIES
Verdly uses a small number of cookies and similar storage technologies. We aim to keep this to the minimum needed to run the service.
Strictly necessary
These are essential for the service to work. They are not optional and do not require consent under PECR.
- Authentication cookies / session tokens (AWS Cognito): keep you signed in and verify your session.
- Security cookies (Cloudflare): help us protect the service from attacks and abuse.
Functional
These remember your preferences. They are set only when you actively use the relevant feature.
- Preference storage (browser local storage): remembers your theme, chart colour scheme, and similar settings.
Analytics (opt-out)
We use Grafana Faro to understand how Verdly is used so we can improve it, monitor performance, and detect errors. Grafana Faro captures session data, performance metrics, and error reports. It does not track you across other websites and we do not use the data for advertising or profiling.
Under the Data (Use and Access) Act 2025, this kind of statistical and product-improvement analytics may be used without prior consent, provided you are informed and given a clear opt-out.
You can opt out of analytics at any time in settings at app.verdly.io/settings.
We do not use advertising cookies, cross-site tracking, or device fingerprinting.
Do Not Track
We do not engage in cross-site tracking of any kind. We do not currently respond to DNT browser signals as a formal technical standard, but our underlying data practices align with the principle behind them.
9. HOW WE KEEP YOUR INFORMATION SAFE
We take the security of your financial information seriously. Our measures include:
- All data transmitted between your device and Verdly is encrypted in transit using TLS.
- Data stored in our managed database is encrypted at rest by our hosting provider (DigitalOcean).
- Passwords are stored as one-way hashes and managed by AWS Cognito; we never see your plaintext password.
- Authentication is handled by AWS Cognito with industry-standard protections, including one-time passwords for sensitive actions.
- Access to all production systems is protected by multi-factor authentication.
- We follow secure development practices, restrict and log production access, and review our security posture regularly.
No system is perfectly secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify you without undue delay where required.
10. YOUR RIGHTS
Under UK GDPR (and equivalent laws in the EEA), you have the following rights:
- The right to be informed — to know how we use your personal information. This Privacy Notice satisfies that right.
- The right of access — to request a copy of the personal information we hold about you.
- The right to rectification — to correct inaccurate or incomplete information.
- The right to erasure (“right to be forgotten”) — to request that we delete your personal information.
- The right to restrict processing — to ask us to limit how we use your information.
- The right to data portability — to receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller.
- The right to object — to object to processing based on legitimate interests (including AI insights and product analytics), and the absolute right to object to direct marketing at any time.
- The right not to be subject to solely automated decision-making that produces legal or similarly significant effects. (As described in section 4, our AI features do not make such decisions.)
You also have the right to withdraw consent at any time, where we rely on consent to process your information.
How to exercise your rights
Most rights can be exercised directly in your account at app.verdly.io/settings, where you can:
- View and export your data
- Update or correct your information
- Manage your preferences
- Toggle AI insights on or off
- Toggle analytics on or off
- Delete your account
You can also email us at support@verdly.io to make any request.
We will respond to your request within one calendar month. We may extend this by up to two further months for complex requests, in which case we will tell you within the first month. We may need to verify your identity before acting on a request, which can pause the time limit until you provide the information needed.
There is no charge for exercising your rights, unless your request is manifestly unfounded or excessive.
11. CHILDREN
Verdly is not intended for use by anyone under 18. We do not knowingly collect personal information from children under 18 or the equivalent age of majority in your jurisdiction.
If you become aware that a child has provided us with personal information, please contact us at support@verdly.io and we will delete it promptly.
12. COMPLAINTS PROCEDURE
We want to know if something has gone wrong.
How to complain to us
If you have a complaint about how we have handled your personal information, please email us at support@verdly.io with the subject line “Data Protection Complaint.” Please include:
- A description of what happened
- When it happened
- The outcome you are hoping for
What happens next
- We will acknowledge your complaint within 5 working days of receipt.
- We will investigate and provide a substantive response within one calendar month. For complex complaints we may need up to three months in total; if so, we will tell you within the first month.
- Our response will explain what we found, what we have done about it, and what (if anything) we will do differently going forward.
If you are not satisfied
If you are not satisfied with our response, you have the right to complain to the UK’s data protection regulator:
Information Commissioner’s Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Helpline: 0303 123 1113 Website: https://ico.org.uk/make-a-complaint/
You do not need to contact us first before going to the ICO, but we hope you will give us the chance to put things right.
If you are in the EEA, you may also contact your national data protection authority. If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner.
13. UPDATES TO THIS NOTICE
We may update this Privacy Notice from time to time. The “Last updated” date at the top reflects when we last revised it.
If we make material changes, we will notify you by email and/or by prominently posting a notice in the application before the changes take effect. We will not reduce your rights under this Privacy Notice without your explicit consent.
14. HOW TO CONTACT US
Data controller: Nyle Connolly, trading as Verdly Email: support@verdly.io Settings and data requests: app.verdly.io/settings
Verdly is not currently required to register with the Information Commissioner’s Office under the Data Protection (Charges and Information) Regulations 2018. We will register if and when our processing activities meet the threshold that requires it.
15. US STATE RESIDENTS
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, US state privacy laws may give you specific rights similar to those under UK GDPR.
Categories of personal information we collect
| Category | Examples | Collected? |
|---|---|---|
| A. Identifiers | Name, email address, IP address | Yes |
| B. California Customer Records statute information | Name, contact information, financial information | Yes |
| C. Protected classification characteristics | Gender, age, race, etc. | No |
| D. Commercial information | Subscription and transaction information | Yes (paid users only) |
| E. Biometric information | Fingerprints, voiceprints | No |
| F. Internet or network activity | Browsing history across other sites | No |
| G. Geolocation data | Precise device location | No |
| H. Audio/electronic/sensory information | Recordings | No |
| I. Professional or employment-related information | Job title, work history | No |
| J. Education information | Student records | No |
| K. Inferences drawn from collected information | Profiles, characteristics | No |
| L. Sensitive personal information | Account login credentials, financial information | Yes |
We have not sold personal information to any third party in the preceding 12 months. We have not shared personal information for cross-context behavioural advertising. We do not process sensitive personal information to infer characteristics about you.
Your rights
Depending on your state of residence, you may have the right to:
- Know what personal information we hold about you
- Access your personal information
- Correct inaccuracies
- Request deletion
- Obtain a copy of your information
- Opt out of the sale or sharing of personal information (we do not do either)
- Not be discriminated against for exercising your rights
- Limit the use of sensitive personal information
- Appeal a decision to decline your request
To exercise these rights, contact us at support@verdly.io or use the controls at app.verdly.io/settings. We will verify your identity before responding. You may use an authorised agent with written permission.
Appeals
If we decline to act on your request, you may appeal by emailing support@verdly.io with “Appeal” in the subject line. We will respond within 60 days. If your appeal is denied, you may contact your state attorney general.
16. OTHER REGIONS
Verdly is targeted primarily at users in the United Kingdom and elsewhere in Europe, but we may have users in other regions. If you reside in a country with specific data protection laws not covered above, you may still have rights under your local law. Please contact us at support@verdly.io to discuss.