Privacy Policy

Last updated: 8 May 2026

vs-warehouse is operated by Virtus Solutions, based in Aotearoa New Zealand. This page explains what personal information we collect, why we collect it, who we share it with, and the rights you have under the NZ Privacy Act 2020. Plain English; honest detail.

What we collect

• Account details when you sign up: your name, email, and a hashed password (we never see your plaintext password).
• API request logs: each call you make is logged with timestamp, endpoint, status code, and a hash of your API key. We use this to enforce rate limits and to compute usage metrics in your dashboard.
• Payment metadata if you subscribe: your Stripe customer ID and subscription status. Card numbers and CVVs are handled exclusively by Stripe and never touch our servers.
• Email events via our transactional mail provider (Resend) for signup confirmation, password resets, subscription notifications, and other operational mail.
• One session cookie (vs_session) so you stay logged in across pages. We do not use third-party tracking cookies. Analytics, when added, will be cookieless or first-party only.

Why we collect it

Strictly to operate the service: authenticate you, enforce plan limits, send you operational email, bill correctly, and keep the platform secure. We do not sell, rent, or trade personal information.

Who we share it with

Only the third parties we depend on to run the service:

• Stripe — payments processing. Their privacy policy is at stripe.com/privacy.
• Resend — transactional email delivery. Privacy policy at resend.com/legal/privacy-policy.
• AWS (Amazon Web Services) — hosting (EC2, S3, RDS-style data store). Servers are in the ap-southeast-2 (Sydney) region.
• Cloudflare — DNS for our domain.

How long we keep it

• Account information: as long as your account is active, plus 30 days after deletion in case you change your mind.
• API request logs: 90 days, then deleted. Aggregated, anonymised counts may be retained longer for capacity planning.
• Backups: encrypted nightly snapshots are retained for 90 days, then automatically expired.

Your rights

Under the NZ Privacy Act 2020 you have the right to:

• Access the personal information we hold about you.
• Correct anything inaccurate.
• Delete your account and associated personal information at any time.
• Complain to the NZ Office of the Privacy Commissioner if you believe we've mishandled your information.

To exercise any of these rights, email phil@virtus-solutions.io from the address on your account. We aim to respond within 5 working days.

Security

All connections are encrypted with TLS. Passwords are stored as bcrypt hashes; API keys as SHA-256 hashes. The session cookie is HTTP-only and SameSite-Lax. We don't claim perfect security, but we follow industry-standard practices and are happy to discuss specifics on request.

Changes to this policy

If we change this policy in any material way, we'll email you and update the "Last updated" date above before the change takes effect. Minor wording changes won't trigger a notification.

Contact

Privacy questions, complaints, or requests: phil@virtus-solutions.io