Viridian Labs

Privacy Policy

Version: 1.1 | Effective: 2026-05-01 | Review cadence: quarterly

1. Overview

This Privacy Policy describes how Viridian Labs ("we", "us") collects, uses, shares, and protects information when you use viridianlabs.co and its products, including MedVault and CardLedger (the "Service"). By creating an account or using the Service you consent to the practices described here.

2. Information we collect

We collect only the information needed to deliver the Service:

  • Account data — name, email, phone (optional), hashed authentication credentials managed by Supabase Auth.
  • MedVault data — patient profiles, medications, refill requests, appointments, prescribers, session notes, and related care-coordination records that you explicitly create or import.
  • CardLedger data — credit-card nicknames and balances, subscriptions, bills, shared expenses, people you split with, payment handles, invoice history, and Plaid-connected account data (balances, transactions, liabilities, recurring charges) for accounts you explicitly link.
  • Operational data — login events (timestamp, IP, user-agent, method), audit logs of sensitive actions, rate-limit counters, and Sentry error reports. This data supports security and debugging and is never used for advertising.
  • Cookies — session and 2FA cookies (vl_2fa, Supabase auth cookies) necessary to keep you signed in. We do not use third-party advertising cookies.

We do not store full credit-card numbers. CardLedger stores only a card nickname and the last four digits you provide — no PAN, CVV, or expiration data.

3. How we use information

Your data is used strictly to operate the Service you signed up for:

  • Render your workspaces, records, and dashboards inside your authenticated session.
  • Send transactional emails and text messages (invoices, receipts, reminders, verification codes) tied to actions you or your household initiates.
  • Enable product features you configure — appointment reminders, low-stock alerts, renewal digests, shared-expense invoices, payment links.
  • Protect the Service and our users — rate limiting, fraud detection, incident investigation.
  • Comply with legal obligations.

We never use your data for advertising, profiling, or sale to third parties.

4. Consent and lawful basis

Consent is obtained at two distinct points:

  • Account creation. Signing up for Viridian Labs constitutes affirmative consent to the data practices described in this Privacy Policy and our Information Security Policy.
  • Integrations. Each third-party integration (Plaid Link, Stripe, passkey enrollment) presents its own consent flow before any action completes. You choose exactly which bank accounts, cards, or devices to authorize.

Under GDPR, our lawful basis for processing is the performance of a contract (delivering the Service you requested) and legitimate interests (security, service improvement). Consent can be revoked at any time (see §8).

5. Sharing and subprocessors

We do not sell, rent, or share customer data with third parties for their own purposes. We rely on the following subprocessors to deliver the Service, each bound by a data-processing agreement:

  • Supabase — database, authentication, storage (SOC 2 Type II).
  • Vercel — hosting and serverless compute (SOC 2 Type II, ISO 27001).
  • Resend — transactional email delivery.
  • Twilio — SMS delivery (SOC 2 Type II).
  • Anthropic — AI inference for pill identification and card scanning; images processed ephemerally and not retained for training (SOC 2 Type II).
  • Stripe — payment processing via Payment Links (PCI DSS Level 1). We never see your card data.
  • Plaid — banking-data connectivity (SOC 2 Type II, ISO 27001) for the CardLedger product.
  • Sentry — application error monitoring (SOC 2 Type II).
  • GitHub — source control and CI.

We may disclose information when legally required — court order, subpoena, lawful government request — and only the minimum responsive data.

6. SMS Communications

By providing your phone number and opting in via our signup form or your account settings, you consent to receive SMS text messages from Viridian Labs at the number you provided.

Message types. We send the following categories of SMS:

  • Account verification — one-time passcodes when you sign in or change a security setting.
  • MedVault notifications — prescription refill alerts, appointment reminders, and critical care-coordination messages, only when you have explicitly enabled SMS for these categories in your settings.
  • CardLedger notifications — bill due-date reminders and shared-expense activity, only when you have explicitly enabled SMS for these categories.
  • Fintra notifications — merchant payout confirmations, dispute alerts, and account status changes.

Frequency. Message frequency varies by your account activity. Verification messages are sent only when you initiate sign-in. Notification messages reflect events on your account (e.g., a bill became due, a prescription was refilled). We do not send marketing SMS.

Costs. Message and data rates may apply. We do not charge for SMS, but your mobile carrier may.

Opt-in. You opt in by entering your phone number during signup at viridianlabs.co/signup and explicitly checking a consent box, or by adding a phone number in your account settings. Per-feature SMS preferences (refill alerts, bill reminders) are toggled separately. Each phone number is verified with a one-time test SMS before activation.

Opt-out. You can opt out at any time by replying STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT to any Viridian Labs SMS. You will be unsubscribed from all SMS immediately and receive a confirmation message. For per-category control (refill alerts, bill reminders, invoice alerts, payment alerts), use /account/notifications to toggle each category independently. Login verification codes are always on — they are a security requirement, not a notification.

Help. Reply HELP or INFO to any Viridian Labs SMS to receive support contact information. For direct support, email hello@viridianlabs.co.

Phone-number data handling. Phone numbers are stored encrypted at rest in our database. We do not sell, rent, lease, or share phone numbers or SMS content with third parties for marketing or advertising. We share aggregated, de-identified delivery metadata with our SMS provider (Twilio) solely for service delivery, deliverability monitoring, and abuse prevention, under Twilio's data-processing agreement.

7. Banking-data integration (Plaid)

CardLedger uses Plaid to read banking and credit-card data so we can categorize transactions, detect bills, and surface credit-card perks. Plaid integration is opt-in: nothing is read until you connect a bank account via Plaid Link inside the CardLedger product.

Plaid products we use. We request only what is required for the features you see:

  • Transactions — to detect bills, categorize spending, and track savings.
  • Liabilities — to read credit-card balance, APR, and minimum-payment data.
  • RecurringTransactions (optional) — to detect subscription patterns automatically.

We do not request Plaid Auth, Identity, Investments, Income, or Assets — none of those map to a CardLedger feature.

What we store. Your Plaid access token, item identifier, institution identifier, and transaction-sync cursor — all encrypted at rest. We also store derived data (categorized transactions, bill amounts, card balances) to power the dashboard. We never store: bank credentials, full account numbers, full credit-card PANs, CVVs, expiration dates, SSNs, or government-ID numbers. Plaid handles all credential entry inside its own consent surface; we never see your bank password.

How to disconnect. You can unlink any institution from CardLedger at any time via CardLedger settings. On unlink we call Plaid's itemRemove API and delete the related Plaid items, accounts, and any derived data within 24 hours.

Webhook integrity. All Plaid webhook events are cryptographically verified per Plaid's documented specification (JWT verification + body hash check) before any data is written to our database.

8. Payment processing (Stripe)

Viridian Labs uses Stripe in two distinct ways:

  • Stripe Connect (Fintra). Fintra is our white-label merchant-payments platform. Merchants onboard through Stripe Connect Express, which collects all KYB, identity verification, and bank-account information directly inside Stripe's hosted onboarding flow. Viridian Labs never sees, stores, or transmits merchant SSNs, government IDs, or bank credentials. Buyer card data is collected only by Stripe's hosted Checkout and Elements surfaces — we are SAQ A under PCI DSS.
  • Stripe Payment Links (CardLedger). When a CardLedger user invoices another person (for a shared expense), we generate a Stripe Payment Link. The buyer enters card details into Stripe's hosted page; we never see card data.

What we store. Transaction metadata (amount, currency, status, Stripe IDs), Stripe Connect account identifiers, and payout records. We do not store card numbers, CVVs, or full bank account numbers.

Webhook integrity. All Stripe webhook events are verified using stripe.webhooks.constructEvent with a per-environment signing secret before any mirror is written to our database.

For more on how Stripe handles your data, see Stripe's Privacy Policy.

9. Data security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase). Access is governed by our Information Security Policy, including Row-Level Security on every database table, MFA (email OTP or WebAuthn) before any session can view financial or health data, and an append-only audit log of sensitive actions.

10. Retention

Customer data is retained for the life of your account. On account deletion, personal data is removed within 30 days. Audit-log entries are retained with your user identifier redacted so forensic traceability is preserved without keeping identifiable data. Plaid access tokens are deleted within 24 hours of an account unlink.

11. Your rights

You may at any time:

  • Access — export your full data bundle from inside the product (Owner → Workspaces → Export for MedVault; top-nav Export for CardLedger).
  • Correct — edit any field directly in the product, or email us for help.
  • Delete — delete your account from Settings or by emailing privacy@viridianlabs.co. All personal data is removed within 30 days.
  • Revoke consent / unsubscribe — click the unsubscribe link in any Viridian Labs email, reply STOP to any Viridian Labs SMS, or toggle reminders off in your profile.
  • Portability — the export bundle is open JSON; import into other tools as needed.
  • Appeal — contact us if you disagree with how we handle a request; if unresolved, you may lodge a complaint with your local data-protection authority.

12. International transfers

Our subprocessors host data primarily in United States regions. If you access the Service from outside the U.S., your data is transferred to and processed in the U.S. under the contractual protections of each subprocessor's DPA.

13. Children

Viridian Labs is not directed to children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us for removal.

14. Changes to this policy

We review this policy quarterly and version it on change. Material changes will be emailed to active users and reflected in the version and effective date at the top of this page.

15. Contact

Viridian Labs
Privacy: privacy@viridianlabs.co
Security: security@viridianlabs.co
General: hello@viridianlabs.co