This Privacy Policy explains how Avaricio Global Solutions LLC ("we", "us") handles personal data when you use the Vably platform ("Vably"). It applies to account holders, administrators, managers, agents using the desktop app, and clients whose details are added to a workspace.
1. Data we collect
Vably processes the following categories of data:
- Account data: name, email, password hash, role, organization, multi-factor authentication secrets, newsletter preference.
- Time & attendance: time session start/end, manual and auto time entries, timesheet status and approval history.
- Desktop monitoring data (agents only): periodic screenshots, active window title, keyboard and mouse activity counts (not keystrokes), idle state, device identifier, OS metadata. Captured only while a session is running.
- Business records: clients, contracts, billing rules, invoices, line items, leave requests.
- Operational logs: audit trail of security-relevant actions, refresh token hashes, provision tokens, IP addresses and user agents of authenticated requests.
2. How we use data
- To provide, maintain, and secure the Service.
- To authenticate users and enforce role and permission checks.
- To generate timesheets, invoices, payroll reports, and productivity dashboards.
- To detect abuse, fraud, and suspicious access patterns.
- To send transactional email (invitations, password resets, invoice delivery).
- To send product updates to users who opted in to the newsletter; opt-out is one click from any such email.
We do not sell personal data and we do not use workspace content to train machine-learning models.
3. Legal bases
Where GDPR or similar regimes apply, we process data under: (a) the contract between us and the Organization; (b) our legitimate interest in operating and securing the Service; (c) consent for optional features such as the newsletter and for desktop monitoring of agents; and (d) compliance with legal obligations.
4. Desktop monitoring
The Vably desktop app only activates capture while an agent has an active time session on a device they provisioned. Agents see a visible tray indicator whenever a session is running. Screenshots are stored in the Organization’s workspace and are visible only to users with the appropriate permission. Organizations are responsible for obtaining informed consent from each agent before provisioning them and for complying with local workplace-monitoring law.
5. Who can see your data
- Users inside your workspace, scoped by their assigned role and permissions.
- Our engineering team, only when strictly necessary for support, incident response, or legal compliance, and always under confidentiality obligations.
- Sub-processors we rely on to run the Service (see section 6).
Tenant isolation is enforced in the API layer: every request is scoped to the caller’s organization and cross-tenant reads and writes are rejected.
6. Sub-processors
We use the following categories of sub-processors: cloud infrastructure (DigitalOcean), payment processing (Stripe, for paid subscriptions), transactional email delivery, and error-monitoring. A current list is available on request. We require each sub-processor to meet security and confidentiality obligations at least as strict as those in this policy. Stripe receives only the billing information necessary to process your payment and is itself a data controller for that information under its own Privacy Policy.
7. Security
- Passwords are hashed with argon2id; we never store plaintext passwords.
- Short-lived JWT access tokens (15 min) and hashed refresh tokens.
- Optional multi-factor authentication (TOTP).
- TLS in transit and encrypted storage at rest.
- Audit logs for security-relevant actions.
- Regular backups with restricted access.
8. Data retention
Workspace data is retained for the life of the Organization and for thirty (30) days after termination, after which it is permanently deleted except where retention is required by law. Screenshots may be configured by administrators to expire sooner. Audit logs are kept for up to twenty-four (24) months.
9. Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete personal data about you, to object to or restrict processing, and to lodge a complaint with your local data-protection authority. Agents should direct requests to their employing Organization first; we will assist that Organization in responding. Account holders can contact us directly at vably@avaricioit.com.
10. International transfers
Vably is hosted in Singapore. If you or your agents are located elsewhere, your data will be transferred to and processed in Singapore. Where required, we rely on standard contractual clauses or equivalent safeguards.
11. Changes
We may update this policy. Material changes will be announced in the app and by email. The "Last updated" date above reflects the current version.
12. Contact
Privacy questions or requests can be sent to vably@avaricioit.com, or by post to:
Avaricio Global Solutions LLC1914 Thomes Ave, Ste 2 #3287
Cheyenne, WY 82001
United States