privacy policy.
EFFECTIVE 2026-05-13 · 13 MIN READ
This Privacy Policy explains what personal information Virtual Me ("we", "us") collects when you use virtualme.cc (the "Service"), why we collect it, how we use it, and what rights you have. This policy is incorporated by reference into our Terms of Service. Virtual Me is operated by the legal entity identified in Section 1. We are a small, solo-operated SaaS, and we have written this policy to be honest about what we actually do.
1. Who we are (data controller)
Virtual Me is operated by 15794480 Canada Inc., a Canadian federally incorporated numbered corporation, which is the data controller for personal information processed through the Service.
Contact for all privacy matters, including data subject requests, deletion requests, and informal DPO inquiries: [email protected]
We do not currently have a formal Data Protection Officer (DPO) because we are not required to appoint one under GDPR Article 37. Privacy questions go directly to the operator at the address above.
2. What we collect
We collect only what we need to run and improve the Service.
(a) Account data. Your mobile phone number, the timestamp you signed up, and a hashed reference to the one-time codes we have sent you. We do not store the codes themselves after they are used.
(b) Content data. The notes, pages, links, files, and other material you put into your wiki ("Your Content"). This is stored encrypted (see Section 8).
(c) Usage data (server logs). Operational logs: HTTP request times, status codes, IP addresses (truncated where practical), error traces, the rates at which features are used, and high-level event counts. We use this data for security, debugging, capacity planning, and improving the Service — fixing bugs, finding slow paths, deciding what to build next. We do not use Your Content for service improvement, only the operational metadata about how the Service is being used. Retained for up to 90 days unless tied to an active investigation.
(d) Billing data. If you subscribe, Stripe collects your card details directly and gives us back a customer ID and your subscription state (tier, active/canceled). We never see your card number, the last four digits, or your billing country — those stay with Stripe.
(e) SMS metadata. Twilio routes SMS for us. Twilio sees the phone numbers, message contents, and delivery status of messages sent through our number. We see this too, in our application database, in order to operate the chat surface.
(f) Cookies. We use a session cookie (sb_session) to keep you logged in on the web. Cloudflare sets cf_clearance and similar cookies for bot mitigation when its protection is triggered. We do not use Google Analytics, Meta Pixel, or any third-party advertising or analytics SDK.
We do not collect special categories of data (race, religion, health, sexual orientation, biometric, etc.) on purpose. If you put such data into Your Content, you have effectively chosen to store it; we still treat it as your private content per Section 8.
3. How we use it
We use your information to:
- create and authenticate your account (SMS one-time codes);
- operate the wiki — store, index, and retrieve Your Content for you;
- apply AI-agent operations to your wiki so you can keep, undo, or rewind them and control what's public;
- send transactional and account messages over SMS and email;
- bill you and process refunds;
- keep the Service secure and debug problems;
- improve the Service — including but not limited to fixing bugs, measuring performance, identifying friction points, prioritizing features, and producing aggregated statistics for our own planning. This use is restricted to operational/usage data (Section 2(c)); we do not read or train on Your Content;
- comply with legal obligations (tax records, lawful requests).
4. Legal bases (GDPR)
If GDPR applies to you, we rely on:
- Performance of a contract (Art. 6(1)(b)) — for almost all core processing: account creation, SMS authentication, storing your wiki, billing, sending you product SMS.
- Legitimate interests (Art. 6(1)(f)) — for security logs, abuse prevention, debugging, fraud monitoring, and using operational/usage data to improve the Service. We have considered your privacy interests and believe our use is proportionate; you can object at any time (Section 10).
- Legal obligation (Art. 6(1)(c)) — for tax records and responses to lawful requests.
- Consent (Art. 6(1)(a)) — only where we ask for it explicitly (e.g., if we ever introduce optional features that need it). You can withdraw consent at any time without affecting prior processing.
5. Who we share data with
We do not sell or rent personal information. We share it with a short list of service providers ("sub-processors") strictly to run the Service:
| provider | purpose | location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting (primary server) | Hillsboro, Oregon, USA |
| Cloudflare, Inc. | CDN, DDoS protection, TLS termination | global |
| Stripe, Inc. | payment processing, subscription management | USA and globally |
| Twilio Inc. | SMS delivery and inbound routing | USA and globally |
| Mesa (third-party encrypted git storage) | per-user encrypted git repositories | USA |
| Backblaze, Inc. | off-site encrypted backups (restic-encrypted database + workcopies), when enabled | USA |
We may also disclose information if compelled by valid legal process, or to protect the rights, property, or safety of Virtual Me, our users, or the public. Where we are legally allowed to, we will notify the affected user.
If we are ever part of a merger, acquisition, or asset sale, user data may transfer to the acquirer, subject to a privacy policy no less protective than this one.
6. International transfers
Our servers are in the United States. If you use the Service from the EU, UK, Canada, or elsewhere, your information will be transferred to and processed in the US and other jurisdictions where our sub-processors operate. For EU/UK transfers, we rely on Standard Contractual Clauses (SCCs) and/or the EU–US Data Privacy Framework where our sub-processors are certified, plus supplementary technical measures (per-user encryption at rest, TLS in transit).
7. AI and training — our commitment
This matters enough to spell out clearly:
We do not use Your Content to train any AI model, ours or anyone else's. Your notes are not fed into a training set. They are not used to fine-tune anyone's model. They are not shared with model providers except as the literal payload of an AI-agent operation that you (or an agent you connected) initiated.
When you connect a third-party AI agent (Claude, ChatGPT, etc.) and ask it to read or write your wiki, the content the agent reads or writes is sent to that provider. Those providers have their own policies about whether they use API content for training. As of 2026, the major providers (Anthropic and OpenAI) do not train on standard API traffic by default, but policies change — you should review the policies of any AI provider you connect.
We do use aggregated, non-content telemetry (e.g., "how many notes were created today across all users", response-time histograms, error rates) to operate and improve the Service. This telemetry never contains Your Content or anything that can identify an individual.
8. Security
- Encryption at rest. Each user's git repository is encrypted with a per-user key. Per-user keys are wrapped under a master key held in escrow on the application server. We can decrypt your wiki to operate the Service on your behalf; we cannot read content without that key infrastructure being intact.
- Encryption in transit. All traffic to virtualme.cc is over HTTPS, terminated by Cloudflare and tunneled to the origin via Cloudflare Tunnel.
- Server hygiene. Single Hetzner VPS, hardened (SSH-key-only, firewalled, automatic security updates). Application database is SQLite on that VPS.
- Off-site backups (when enabled). A daily backup writes the database and per-user workcopies, encrypted by restic with a passphrase the operator holds, to a Backblaze B2 bucket. Backblaze sees only opaque encrypted blobs.
- No third-party trackers in the web client.
- Operational access. Only the operator has shell access to the production server.
We have not completed a SOC 2, ISO 27001, or HIPAA audit. We are a solo-operated startup. If your threat model requires a formally audited provider, Virtual Me may not be the right fit yet.
No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you and the relevant authorities as required by applicable law (GDPR Art. 33–34, PIPEDA breach-of-safeguards reporting, US state breach-notification laws, etc.).
9. Retention
- Account and content data: retained while your account is active.
- After deletion: we delete your wiki, account, and SMS history within 30 days of your deletion request, except for (i) billing records we are required to keep for tax purposes (typically 6–7 years in Canada), (ii) anonymized security logs, and (iii) anything we are legally required to preserve.
- Operational logs: up to 90 days.
- Backups: rolling backups may retain residual copies for up to 60 days after deletion (a daily backup snapshot taken just before the 30-day purge can sit in our 30-day backup keep-window), after which they cycle out.
You can export all of Your Content at any time as a .tar.gz via /api/export.
10. Your rights — GDPR / UK GDPR
If you are in the EU, EEA, or UK, you have the right to:
- Access the personal information we hold about you.
- Rectify information that is inaccurate or incomplete.
- Erase ("right to be forgotten") your personal information, subject to limited legal-retention exceptions.
- Restrict or object to certain processing, including processing we do under legitimate interests.
- Portability — receive your data in a machine-readable format. Our /api/export endpoint satisfies this for Your Content.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email [email protected] from the address or phone number on file (or with proof of account ownership). We will respond within 30 days, free of charge for the first request in any rolling 12-month period.
EU representative (Article 27)
We do not currently have an EU representative under GDPR Article 27. Article 27 has an exemption for occasional, low-risk processing by small organizations. Our EU processing is presently small in scale and low in risk: we do not target EU residents specifically, we do not process special categories of data on purpose, and our EU user base is small. We continue to review this position and will appoint an Article 27 representative if our EU footprint grows. In the meantime, EU and UK users can contact us directly at [email protected] for any GDPR matter, and we commit to responding on the same timelines as if we had a formal representative.
11. Your rights — PIPEDA (Canada)
We are a Canadian organization and PIPEDA governs how we handle personal information in the course of commercial activities. We commit to the 10 fair information principles in Schedule 1 of PIPEDA:
- Accountability — the operator of Virtual Me is accountable for personal information under our control. Contact: [email protected].
- Identifying purposes — we identify the purposes of collection in this policy.
- Consent — we collect, use, and disclose your information with your knowledge and consent (except where PIPEDA permits otherwise).
- Limiting collection — we collect only what we need.
- Limiting use, disclosure, and retention — see Sections 3, 5, and 9.
- Accuracy — you can correct your data; contact us or edit it directly in the app.
- Safeguards — see Section 8.
- Openness — this policy is publicly available.
- Individual access — /api/export self-serves a copy of Your Content (the wiki, as a tarball of markdown). For the rest (phone, signup timestamp, Stripe customer ID, subscription state, SMS history) email us and we'll send it within 30 days.
- Challenging compliance — you can raise a concern with us at [email protected]. If unresolved, you may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
12. Your rights — California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect about you and how we use it (this policy is our disclosure).
- Access / portability — request a copy of the personal information we hold about you. /api/export self-serves the wiki; for the rest (phone, signup timestamp, Stripe customer ID, subscription state, SMS history) email us and we'll send it within 45 days.
- Delete the personal information we hold about you, subject to legal-retention exceptions.
- Correct inaccurate personal information.
- Opt out of "sale" or "sharing" — we do not sell or share personal information as those terms are defined under CCPA/CPRA. There is therefore nothing for you to opt out of, but we still honor any request not to.
- Limit use of sensitive personal information — we do not use sensitive personal information for purposes that trigger this right.
- Non-discrimination — we will not deny you service, charge you different prices, or give you worse service for exercising any of these rights.
- Authorized agent — you can designate an authorized agent to make a request on your behalf. We may ask for proof of the agent's authority and your identity.
To exercise any of these rights, email [email protected]. We will verify you (typically by replying from the email or phone number associated with your account) and respond within 45 days.
Threshold note. We do not currently meet the CCPA's applicability thresholds (annual gross revenue over USD $26,625,000 in 2026; processing of 100,000+ California consumers or households; or 50%+ of revenue from selling/sharing personal information). We provide these rights as a courtesy and as a matter of practice.
13. Other US state privacy laws
If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another US state with a comprehensive privacy law, you have rights similar to those listed in Section 12 (access, deletion, correction, portability, opt-out of certain processing). The same contact path applies: [email protected].
14. SMS-specific privacy notes
By using the Service over SMS, you agree that your mobile number, message contents, and delivery metadata are processed by us and by Twilio (our SMS carrier) for the purpose of operating the messaging features. See our Terms of Service, Section 4, for full SMS terms, including HELP/STOP behavior, frequency, and the "msg & data rates may apply" notice. We do not share your mobile number with third parties for marketing. We do not send marketing SMS unrelated to the Service.
15. Children
The Service is not directed at children under 18 and we do not knowingly collect their personal information. If you believe we have, email [email protected] and we will delete it.
16. Cookies and similar technologies
| cookie | set by | purpose | duration |
|---|---|---|---|
| sb_session | Virtual Me | keep you logged in | up to 30 days |
| cf_clearance and related | Cloudflare | bot mitigation / security challenge | up to 30 days |
We do not use advertising, marketing, or third-party analytics cookies.
17. Data processing agreement (DPA)
If you use the Service strictly as an individual consumer, you do not need a DPA — the GDPR controller-to-controller terms in this policy are the relevant agreement. If you are a business user who needs a separate Data Processing Agreement under GDPR Art. 28, email us at [email protected] and we will provide one based on the EU Commission's standard contractual clauses.
18. Changes to this policy
We may update this Privacy Policy. For material changes, we will give you at least 30 days' notice by email or in-product banner before the change takes effect. Minor changes (clarifications, typo fixes, sub-processor updates that do not materially weaken your protections) take effect when posted. The "Effective" date at the top will always reflect the latest version.
19. Contact
All privacy inquiries, data subject requests, deletion requests, complaints, and DPO-style questions go to [email protected]. The legal entity behind Virtual Me is identified in Section 1.