Privacy Policy

Last updated: 15 May 2026

1. Introduction

This Privacy Policy explains how STRATAVUE LTD (”we”, “us”, “our”), a company registered in England and Wales (Company Number: 17219333), with its principal place of business at 5 Brayford Square, London, E1 0SG, United Kingdom, collects, uses, stores, and protects your personal data when you use Vigil (”the Platform”), accessible at getvigil.co.

Vigil is an AI-powered strategic execution and leadership visibility platform. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

STRATAVUE LTD is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us at:

3. Data We Collect

We collect the following categories of personal data:

3.1 Account Information

When you create an account or sign in via OAuth (including LinkedIn), we collect your name, email address, profile picture URL, and unique identifier provided by the authentication provider.

3.2 Content and Business Data

Data you enter into the Platform, including business commitments, tasks, initiatives, content calendar entries, post drafts, media uploads, strategy documents, and any other information you provide in the course of using Vigil’s features.

3.3 LinkedIn Integration Data

If you connect your LinkedIn account to Vigil, we collect and process the following LinkedIn data, depending on the permissions you grant during the OAuth authorization flow:

• Authentication and profile data: Your LinkedIn access token (stored encrypted), LinkedIn member identifier, profile name, profile URL, headline, and profile picture URL.

• Content publishing data: When you publish content through Vigil, we transmit your post text, images, and scheduling preferences to LinkedIn on your behalf.

• Personal profile engagement data: We periodically retrieve performance metrics for posts published through your personal LinkedIn profile, including impression counts, reaction counts and types (Like, Celebrate, Support, Love, Insightful, Funny), comment counts, share counts, and click-through data.

• Company page data: If you are an administrator of a LinkedIn Company Page and grant organization-level permissions, we may access your company page posts, page analytics (impressions, clicks, engagement rates, follower counts), and page metadata (name, logo, industry, size).

• Comment and interaction data: We may retrieve comments on your posts to display engagement context within the Platform.

Frequency of collection: After initial connection, Vigil automatically retrieves your LinkedIn engagement metrics on a periodic basis (approximately every 4 hours for recently published content, and daily for older content) to keep your analytics current. This automated collection continues for as long as your LinkedIn account remains connected. You may disconnect at any time to stop all automated data retrieval.

We access only the permissions you explicitly grant. We do not access your LinkedIn connections list, private messages, job applications, or any data beyond what is required for content publishing and performance analytics.

3.4 Payment and Billing Data

If you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc. We do not store your full credit card number, CVV, or card expiration date. We store only your Stripe customer identifier and subscription identifier to manage your billing relationship. All payment details (card brand, last four digits, billing address) are stored and processed by Stripe in accordance with Stripe’s Privacy Policy.

3.5 Beta Program Data

If you apply to join the Vigil beta program, we collect your name, email address, professional role, and organization name as part of the application process. This data is used solely to evaluate your application and communicate beta program updates.

3.6 Usage Data

We collect anonymized usage analytics including page views, feature usage patterns, and session duration to improve the Platform. This data is collected via privacy-respecting analytics and does not include personally identifiable information.

3.7 Technical Data

IP address, browser type and version, device type, operating system, and timezone setting, collected automatically when you access the Platform.

3.8 Security Audit Log Data

To protect the security and integrity of your workspace, we maintain an immutable audit log that records security-relevant events. This includes login and logout events, permission and role changes, invite creation and revocation, data export requests, and account deletion requests. Each audit entry records the user identity, timestamp, IP address, browser type, and device type associated with the event. Audit log entries cannot be modified or deleted by any user, including workspace owners, to ensure a tamper-proof security record.

4. Workspace Model and Data Ownership

Vigil operates on a workspace model where a single workspace owner controls all business data within their workspace. The workspace owner may invite other users (”delegates” or “viewers”) to access and operate within the workspace under defined permission levels.

All content and business data created within a workspace - including commitments, tasks, initiatives, and brand content - belongs to the workspace and is controlled by the workspace owner, regardless of which user created it. Delegates and viewers operate on behalf of the workspace owner and do not independently own the data they create within the workspace.

The workspace owner controls access permissions for all workspace members, including the ability to assign roles, set module-level permissions (edit, view, or hidden), and revoke access at any time. Workspace owners receive notifications when members request account deletion or when other security-relevant events occur within their workspace.

5. How We Use Your Data

We use your personal data for the following purposes:

• To provide, maintain, and improve the Vigil platform and its features

• To authenticate your identity and manage your account

• To publish content to LinkedIn on your behalf, only when you explicitly approve and trigger publication

• To retrieve and display engagement metrics for your LinkedIn posts and company pages, enabling you to track content performance

• To store and display your content drafts, media, and scheduling preferences

• To generate AI-powered insights, recommendations, and content suggestions using your business data

• To process subscription payments and manage your billing relationship

• To send transactional emails related to account activity, security events, content publishing status, and platform operations

• To maintain an immutable security audit trail of access and permission events within your workspace

• To detect and prevent abuse, fraud, and unauthorized access using automated security measures

• To comply with legal obligations under applicable UK law

6. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

7. Data Sharing and Third Parties

We share your data with the following categories of third parties, only as necessary to provide the Platform:

• LinkedIn Corporation - When you connect your LinkedIn account, we transmit post content, images, and profile information to LinkedIn for publishing. We also receive engagement metrics and analytics data from LinkedIn to display within the Platform. If you grant company page access, we receive organization analytics and page data from LinkedIn. LinkedIn’s processing of this data is governed by LinkedIn’s Privacy Policy.

• Stripe, Inc. - When you subscribe to a paid plan, your payment information is transmitted directly to Stripe for processing. We receive only transaction confirmations and billing identifiers. Stripe’s processing is governed by Stripe’s Privacy Policy.

• Cloud infrastructure providers - We use cloud hosting and storage services to operate the Platform. Your data is stored on servers located in secure data centres.

• AI service providers - We use AI language model services to power Vigil’s AI Advisor and content creation features. Your business data may be processed by these services to generate insights and recommendations. We do not permit these providers to use your data for training their models.

• Email service providers - We use Resend (a transactional email service) to deliver account-related notifications, security alerts, and content publishing status updates. Only your email address and notification content are shared with this provider.

• Google reCAPTCHA - We use Google reCAPTCHA v3 on registration and application forms to protect against automated abuse. This service may collect your IP address, browser characteristics, and interaction patterns. Google’s processing is governed by Google’s Privacy Policy.

We do not sell your personal data to any third party. We do not share your data with advertisers or data brokers. We do not use LinkedIn member data for advertising, sales prospecting, recruiting, or any purpose unrelated to providing the Platform’s services to you.

8. LinkedIn Data: Collection, Use, and Retention

This section provides additional detail on how we handle data received from LinkedIn, in compliance with LinkedIn’s API Terms of Use and the Additional Terms for the LinkedIn Marketing API Program.

8.1 What We Collect from LinkedIn

• Personal profile: Member identifier (URN), name, headline, profile picture URL, vanity URL

• Post performance: Impression count, unique impression count, click count, reaction count (by type), comment count, share count

• Post content: Text content and media of posts you publish through Vigil

• Company page (if authorized): Organization name, logo, industry, employee count, page follower count, page post analytics

8.2 How We Use LinkedIn Data

LinkedIn data is used exclusively to provide you with content publishing and performance analytics features within Vigil. Specifically, we use it to:

• Publish posts to your personal LinkedIn profile or company page on your explicit instruction

• Display engagement metrics and trends for your published content

• Generate AI-powered content recommendations based on your historical performance

• Provide reporting on your content strategy effectiveness

We do not aggregate your LinkedIn data with data from other users’ accounts. We do not transfer your LinkedIn data to any third party. We do not use your LinkedIn data for any purpose other than providing the Platform’s services to you.

8.3 LinkedIn Data Retention

LinkedIn engagement metrics are retained for as long as your LinkedIn account remains connected to Vigil. When you disconnect your LinkedIn account, your access token is deleted immediately. Stored engagement metrics for your posts are retained for up to 90 days after disconnection to allow you to export your data, after which they are permanently deleted.

8.4 Withdrawing LinkedIn Access

You may disconnect your LinkedIn account at any time through the Brand Studio settings within the Platform. Upon disconnection:

• All automated data retrieval from LinkedIn stops immediately

• Your encrypted access token is permanently deleted

• Scheduled posts that have not yet been published will not be sent

• Previously retrieved engagement metrics remain accessible for 90 days, then are deleted

• You may also revoke access directly from your LinkedIn account settings at any time

8.5 Company Page Data

If you are an administrator of a LinkedIn Company Page and choose to connect it to Vigil, we access company page data solely to provide you with page management and analytics features. Company page data is accessible only within the workspace of the user who connected the page. We do not share company page analytics with any third party or combine it with data from other organizations.

9. Data Retention and Deletion

We retain your personal data for as long as your account is active or as needed to provide you with the Platform’s services.

Account deletion: You may request deletion of your account at any time through the self-service option available in the Data & Security section of the Platform. Upon requesting deletion, a 30-day grace period begins during which you may cancel the deletion request and retain your account. After the grace period expires, your personal data will be permanently deleted or anonymized, except where we are required to retain it for legal or regulatory purposes.

Workspace owner deletion: If you are the workspace owner, deleting your account will permanently delete the entire workspace and all associated data, including data created by delegates and viewers. You must remove all active workspace members before initiating workspace deletion.

Delegate and viewer deletion: If you are a delegate or viewer, deleting your account will remove your user record and access credentials from the workspace. All content and business data you created within the workspace will be preserved, as it belongs to the workspace owner.

LinkedIn data deletion: LinkedIn access tokens are deleted immediately upon disconnection. Engagement metrics are retained for 90 days post-disconnection, then permanently deleted. You may request immediate deletion of all LinkedIn-related data by contacting privacy@getvigil.co.

Payment data: Stripe customer and subscription identifiers are retained for as long as your subscription is active and for up to 7 years after cancellation for tax and legal compliance purposes.

Security audit log retention: Audit log entries are retained for the lifetime of the workspace to maintain a complete security record. Audit log entries are permanently deleted when the workspace is deleted by the workspace owner.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of all data in transit using TLS/SSL

• Encryption of sensitive credentials (including LinkedIn access tokens) at rest

• Role-based access controls with granular, module-level permissions

• Immutable security audit logging of all access and permission events

• Session-based authentication with secure, HTTP-only cookies

• PCI DSS-compliant payment processing via Stripe (we never handle raw card data)

• Regular security assessments and monitoring

LinkedIn access tokens are stored in encrypted form and are never exposed to client-side code. No Vigil employee accesses customer workspace data without explicit consent from the workspace owner, except as required to resolve a technical support request initiated by the customer.

11. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom, including the United States (where LinkedIn and Stripe are headquartered). Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO), or transfers to countries with an adequacy decision.

12. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access - You can request a copy of the personal data we hold about you. You can exercise this right instantly using the “Download My Data” feature in the Data & Security section of the Platform, which provides a complete export of your data in structured JSON format.

• Right to rectification - You can request correction of inaccurate or incomplete data.

• Right to erasure - You can request deletion of your personal data. You can exercise this right directly through the self-service account deletion feature in the Data & Security section of the Platform. A 30-day grace period applies, during which you may cancel the request.

• Right to restrict processing - You can request that we limit how we use your data.

• Right to data portability - You can request your data in a structured, machine-readable format. The “Download My Data” feature provides your complete data export in JSON format, fulfilling this right.

• Right to object - You can object to processing based on legitimate interests, including the processing of your data for security audit logging.

• Right to withdraw consent - Where processing is based on consent (e.g., LinkedIn integration), you can withdraw consent at any time by disconnecting your LinkedIn account in Vigil’s Brand Studio settings. This will immediately stop all automated data collection from LinkedIn.

Many of these rights can be exercised directly through the Platform’s Data & Security section without needing to contact us. For any rights that cannot be exercised through self-service, or if you have questions, contact us at privacy@getvigil.co. We will respond within one month as required by UK GDPR. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

13. Cookies and Similar Technologies

Vigil uses essential cookies required for the Platform to function, including session authentication cookies. We also use privacy-respecting analytics cookies to understand how the Platform is used. We do not use advertising cookies or tracking cookies from third parties.

14. Children’s Privacy

Vigil is designed for business professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of any material changes by posting the updated policy on this page and updating the “Last updated” date. We encourage you to review this policy periodically.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

© 2026 STRATAVUE LTD. All rights reserved.