Privacy Notice
Last Updated: February 15, 2026
1. Introduction
This Privacy Notice explains how Vist ("we", "our", or "us") collects, uses, and protects your personal data when you use our service at usevist.dev and app.usevist.dev (the "Service").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
David Heijl
Email: david@usevist.dev
For all data protection inquiries, please contact us at the above email address.
3. Personal Data We Collect
3.1 Information You Provide
When you use Vist, we collect the following information that you provide directly:
- Account Information: Email address, name, and password (stored in hashed form)
- User-Generated Content: Notes, tasks, labels, folders, and other content you create within the Service
- Communication Data: Any messages you send to us for support or feedback
3.2 Information Collected Automatically
- Usage Analytics: Aggregated, anonymized usage statistics collected via TelemetryDeck and SimpleAnalytics
- Technical Information: Browser type, device type, operating system, IP address (anonymized), and general location (country-level only)
- Session Data: Authentication tokens and session identifiers necessary for the Service to function
3.3 Information We Do Not Collect
- No Cookies: We do not use tracking cookies or similar technologies for marketing purposes
- No Third-Party Advertising Data: We do not share your data with advertising networks
- No Detailed Analytics: We use privacy-first analytics that do not track individual users
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR:
- Contract Performance (Article 6(1)(b) GDPR): Processing necessary to provide the Service you have requested
- Legitimate Interest (Article 6(1)(f) GDPR): Improving our Service, preventing fraud, and ensuring security
- Consent (Article 6(1)(a) GDPR): Where we have obtained your explicit consent for specific processing activities
- Legal Obligation (Article 6(1)(c) GDPR): Compliance with applicable laws and regulations
5. How We Use Your Data
We may use your personal data for the following purposes:
- Service Provision: To create and manage your account, store your notes and tasks, and provide core functionality
- Service Improvement: To analyze usage patterns and improve features (using anonymized data only)
- AI Features: To provide intelligent search, suggestions, and organization features using AI processing
- Communication: To send essential service notifications and respond to your inquiries
- Security: To detect and prevent fraud, abuse, and security incidents
- Legal Compliance: To comply with applicable laws and respond to lawful requests
6. Data Sharing and Third-Party Processors
We share your personal data only with the following trusted service providers who process data on our behalf under strict data processing agreements:
6.1 Infrastructure and Hosting
Hetzner Online GmbH (Germany, EU)
- Purpose: Server hosting and infrastructure
- Data processed: All user data stored on our servers
- Location: European Union (Germany)
- Legal basis: Data Processing Agreement compliant with GDPR Article 28
6.2 Analytics Services
TelemetryDeck (Germany, EU)
- Purpose: Privacy-focused usage analytics
- Data processed: Anonymized usage statistics only (no personal identifiers)
- Location: European Union (Germany)
SimpleAnalytics (Netherlands, EU)
- Purpose: Privacy-focused web analytics
- Data processed: Anonymized page views and traffic data
- Location: European Union (Netherlands)
6.3 AI Processing
Mistral AI (France, EU)
- Purpose: Semantic search and AI-powered features
- Data processed: User-generated content (notes, tasks and agent memories) when using AI features
- Location: European Union (France)
- Legal basis: Your consent when using AI features
6.4 Payment Processing
Paddle.com Market Limited (UK/Ireland)
- Purpose: Payment processing and subscription management (Merchant of Record)
- Data processed: Billing information, transaction data, email address
- Location: United Kingdom and Ireland
- Legal basis: Contract performance; Paddle acts as the seller of record
- Note: Your payment card details are never processed or stored by us; they are handled directly by Paddle
We do not share your personal data with:
- Advertising networks or data brokers
- Social media platforms
- Any parties outside the EU/EEA without adequate safeguards
- Any third parties for purposes other than those listed above
7. International Data Transfers
All your data is stored and processed within the European Union. We use EU-based service providers to ensure your data remains protected under GDPR.
In the limited case where data may be transferred outside the EU (e.g., Paddle for payment processing in the UK), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where applicable
- Other legally recognized transfer mechanisms
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Notice:
- Account Data: Retained while your account is active and for 30 days after account deletion (to allow for account recovery)
- User Content: Retained while your account is active; permanently deleted 30 days after account deletion
- Analytics Data: Anonymized data retained indefinitely for statistical purposes
- Billing Records: Retained by Paddle for legal and tax compliance (typically 7 years)
- Communication Records: Retained for 2 years for customer support purposes
You may request earlier deletion of your data at any time by exercising your rights under Section 10.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: Data in transit is encrypted using TLS 1.3; passwords are hashed using industry-standard bcrypt
- Access Controls: Strict access controls limit who can access personal data
- Secure Infrastructure: Servers hosted in secure, GDPR-compliant data centers
- Regular Security Audits: Ongoing monitoring and security assessments
- Data Minimization: We collect only the data necessary to provide the Service
However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
10. Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
10.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to access that data.
10.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and to complete incomplete data.
10.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data under certain circumstances ("right to be forgotten").
10.4 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing under certain circumstances.
10.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON export) and to transmit that data to another controller.
10.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
10.7 Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you have the right to withdraw that consent at any time.
10.8 Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of alleged infringement.
10.9 How to Exercise Your Rights
To exercise any of these rights, please contact us at david@usevist.dev. We will respond to your request within 30 days.
For data export, you can use the built-in export functionality within the Service to download all your data in Markdown and JSON formats at any time.
11. Age Restrictions
The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are under 16, please do not use the Service or provide any personal data.
If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as soon as possible.
Parents or guardians who believe their child has provided personal data to us should contact us at david@usevist.dev.
12. Automated Decision-Making
We use AI-powered features (semantic search, intelligent suggestions) that involve automated processing of your content. However:
- No automated decisions are made that produce legal effects or similarly significantly affect you
- AI processing is used solely to enhance the Service and provide helpful features
- You can choose not to use AI features at any time
- All AI processing occurs with your knowledge when you actively use these features
13. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Posting a notice within the Service
- Sending an email notification to your registered email address
- Updating the "Last Updated" date at the top of this notice
Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Notice.
14. Contact Information
For any questions, concerns, or requests regarding this Privacy Notice or our data practices, please contact:
David Heijl
Email: david@usevist.dev
15. Supervisory Authority
If you are in the European Union, you have the right to lodge a complaint with your local data protection supervisory authority. You can find your supervisory authority at the European Data Protection Board website.
Effective Date: This Privacy Notice is effective as of the date indicated at the top of this document.