Privacy Notice

Last updated: 16 May 2026. This notice explains what personal data we collect, why we collect it, and your rights.

1. Who is the data controller?

The data controller for personal data processed through Vesta is Vesta. Where this notice refers to "we", "us", or "our", it refers to Vesta.

2. Personal data we collect

  • Account data: name, email address, password (hashed), and account preferences.
  • Profile and usage data: workouts viewed, progress, journal entries you create, and content preferences.
  • Support correspondence: messages you send us and our replies.
  • Technical data: IP address, device identifiers, browser type, and basic telemetry needed to keep the service running.
  • Marketing data: email address if you sign up to our waitlist or newsletter.

Payment and billing details (card numbers, billing address, tax identifiers) are collected and stored directly by our payment provider Paddle. We never see or store full card details.

3. Why we use your data and our legal basis

  • To provide the service (performance of contract) — creating your account, granting access to content, saving your progress.
  • To process payments and prevent fraud (performance of contract and legitimate interests) — via Paddle as our Merchant of Record.
  • To improve and secure Vesta (legitimate interests) — debugging, analytics on aggregated usage, security monitoring.
  • To provide customer support (performance of contract).
  • To send marketing emails (consent) — you can unsubscribe at any time using the link in any email.
  • To meet legal obligations (legal obligation) — tax records, responding to lawful requests.

4. Who we share data with

  • Paddle — our Merchant of Record, which processes payments, manages subscriptions and renewals, calculates and remits sales tax, issues invoices, and handles billing-related support on our behalf.
  • Service providers and subprocessors — hosting, database, email delivery, and analytics providers acting under contract.
  • Professional advisers — accountants and lawyers where strictly necessary.
  • Authorities — where required by law or to protect our legal rights.

We do not sell your personal data.

5. International transfers

Some of our service providers (including Paddle) may process your data outside your home country. Where this involves a transfer out of the UK or EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

6. How long we keep your data

We keep your account data for as long as your account is active, and for a reasonable period afterwards to handle support, disputes, and legal obligations (typically up to 7 years for tax and billing records held by Paddle on our behalf). Marketing data is kept until you unsubscribe. Inactive accounts may be deleted or anonymised when no longer needed.

7. Your rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you;
  • Ask us to correct inaccurate data;
  • Ask us to delete data we no longer need to hold;
  • Restrict or object to certain processing;
  • Receive your data in a portable format;
  • Withdraw consent for marketing at any time;
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us using the details below. We aim to respond within one month.

8. Security

We use appropriate technical and organisational measures — including encryption in transit, access controls, and least-privilege practices — to protect your personal data. No system is perfectly secure, so we cannot guarantee absolute security.

9. Cookies

We use a small number of essential cookies required to run the service (for example, to keep you logged in). We may also use analytics cookies to understand how Vesta is used in aggregate. You can manage cookies through your browser settings.

10. Contact

To exercise your rights or ask any questions about this notice, contact Vesta via the address shown on your Paddle invoice or order confirmation.