Valugo ("the App") is developed and operated by William Oakeley ("I", "me", "my"). I am committed to protecting your privacy and handling your data responsibly and transparently.
This Privacy Policy explains how your information is collected, used, and protected when you use the Valugo mobile application and website (valugo.app). If you do not agree with this policy, please do not use the App.
1. Who Is Responsible for Your Data
Until Valugo Ltd is officially incorporated, all data is controlled by me personally. This policy will be updated once incorporation is complete to reflect Valugo Ltd as the data controller.
2. Information I Collect
2.1 Information You Provide
- Email address (if you create an account)
- Name or nickname
- Weekly top-ups, budgets, and spending categories
- AI chat messages
- Feedback or support messages
2.2 Check-in & Wellbeing Data
With your explicit consent, the App collects the following during optional wellbeing check-ins:
- Mood label — a text descriptor of your current mood
- Energy level label — a text descriptor of your perceived energy level
- Stress label — a text descriptor of your perceived stress level
- Mood score — a numerical rating on a scale of 1–5
- Check-in note — an optional free-text note you choose to write
This data is linked to your account via an internal user identifier and is stored in the App's database without field-level encryption. All data is encrypted in transit using TLS. Access to raw check-in data is restricted to the App's backend systems and is never accessible to institutional partners in individual form.
Because check-in notes are free-text, you should avoid including sensitive personal information beyond what is relevant to your wellbeing log. Notes are never shared individually or surfaced in any institutional dashboard.
These indicators are treated with the same care as health-related data under UK GDPR and are only ever included in anonymised, aggregated cohort-level analysis subject to the minimum threshold policy (see Section 7).
2.3 Information Collected Automatically
- Device type, OS version, app version
- Usage analytics
- Crash logs
- Website cookies (if visiting valugo.app)
2.4 Optional Data
- Push notification token
- Location (only if you choose to share it)
2.5 Bank Account Data (Optional – Future Feature)
A future version of the App will offer an optional Open Banking connection, allowing you to automatically sync transaction data from your bank. This feature will:
- Require explicit, separate consent before any connection is made
- Use regulated Open Banking providers operating under PSD2/FCA authorisation
- Only ever read transaction data — never write or initiate payments
- Require re-authorisation every 90 days as required by regulation
This section will be updated fully when the feature launches.
3. How Your Data Is Used
I use your information to:
- Provide budgeting tools, spending insights, and AI-powered guidance
- Improve app performance and fix bugs
- Communicate important updates about the service
- Generate anonymised, aggregated insights for institutional partners (see Section 7)
I do not sell your personal data. Anonymised aggregated data may be shared with institutional partners as described in Section 7.
4. Legal Basis (UK GDPR)
Your data is processed under the following legal bases:
- Contractual necessity — to provide the App and its features
- Explicit consent — for wellbeing check-in data (mood, energy, stress labels, mood score, and notes), which are treated as sensitive data
- Legitimate interests — improving app performance and security
- Consent — push notifications, optional features, and institutional data sharing
You may withdraw consent for any consent-based processing at any time without affecting the lawfulness of prior processing.
5. AI Data Handling
Valugo uses third-party AI providers, including Groq, to process messages and generate responses. Data sent to these providers is handled in accordance with their respective privacy policies, including the Groq Privacy Policy.
- Your messages may be transmitted to third-party AI providers for processing
- Based on provider policies, submitted data is not used to train publicly available AI models
- Valugo does not sell user conversations to advertisers
6. Data Sharing
I may share data with:
- AI processing providers (for in-app AI features)
- Analytics and crash reporting tools
- Cloud hosting providers
- Institutional partners — in anonymised, aggregated form only (see Section 7)
All third-party partners are required to follow UK GDPR-compliant practices. No personal data is shared with institutional partners under any circumstances.
7. Anonymised Aggregated Data & Institutional Partners
Valugo operates a university partnership programme. Participating institutions access a separate dashboard that displays anonymised, aggregated insights about student financial wellbeing. The following protections apply:
7.1 Architectural Separation
The App's database and the institutional insights database are entirely separate systems. An aggregator server processes data from the App database and writes only anonymised, aggregated metrics to a separate database used by the institutional dashboard. The institutional dashboard never has access to — and cannot query — your personal data or individual records.
7.2 Minimum Threshold
No data is surfaced to any institutional dashboard unless a minimum of 50 active users are contributing data within that institution's cohort. This threshold exists to prevent identification of individuals or small groups.
7.3 What Is Shared
Only the following aggregated, anonymised metrics may appear in institutional dashboards:
- Average weekly spending per cohort
- Spending category distributions across cohorts
- Average mood, energy, and stress scores across cohorts
- Financial stress indicators at cohort level
- Engagement and usage trends at cohort level
Individual user data, identifiable records, and any data below the 50-user threshold are never shared.
7.4 Your Consent
Participation in the anonymised data programme is subject to your explicit, informed consent during onboarding. You may withdraw this consent at any time from within the App settings. Withdrawal of consent does not affect your use of the App.
7.5 University as Institutional Partner
Where a university distributes or promotes the App to its students, Valugo and the university will have a Data Processing Agreement in place. Individual students must still provide their own consent — the university cannot consent on your behalf.
8. Data Retention
I keep your personal data only as long as necessary to provide the service or comply with legal obligations. You may request deletion at any time by contacting contact@valugo.app. Upon a verified deletion request, personal data will be removed from active systems within 30 days. Anonymised aggregated data in institutional databases does not contain personal data and is retained separately.
9. Your Rights
Under UK GDPR, you have the right to:
- Access the personal data I hold about you
- Correct inaccurate or incomplete data
- Request deletion of your data ("right to be forgotten")
- Withdraw consent for any consent-based processing
- Request a portable copy of your data
- Object to processing based on legitimate interests
- Lodge a complaint with the ICO at ico.org.uk
To exercise any of these rights: contact@valugo.app
10. International Data Transfers
Some third-party service providers (including AI processing providers) may process data outside the UK. Where this occurs, appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions recognised under UK law.
11. Children's Privacy
Valugo is intended for university students and is not directed at users under 16. If you believe a person under 16 has provided personal data, please contact me and I will take appropriate steps to remove it.
12. Changes to This Policy
I may update this policy as the service evolves — particularly upon incorporation of Valugo Ltd, launch of Open Banking features, or expansion of institutional partnerships. Material changes will be communicated via in-app notification. The "last updated" date at the top of this page will always reflect the most recent revision.
13. Contact
For any privacy questions, data requests, or concerns:
I aim to respond to all privacy requests within 5 working days.