Privacy Policy
Last updated: 30 April 2026
1. Who we are
Vask is operated by ADDFUEL LTD, a private limited company registered in England and Wales.
- Company number: 17048912
- Registered office: 3 Eider Close, Thornton-Cleveleys, England, FY5 2UT
- Contact email: [email protected]
- Data controller: ADDFUEL LTD ("we", "us", "Vask")
For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for personal data we collect about you when you use vask.dev or our service. Where you use Vask to handle your end-users' data, you are the controller and we act as a processor on your behalf — see our Data Processing Agreement for that relationship.
2. What this policy covers
This policy explains what personal data we collect about Vask customers and prospective customers (you), why we collect it, who we share it with, and your rights under UK GDPR.
It does not cover the data your end-users send through Vask. That is governed by our DPA.
3. What we collect and why
| Category | Data | Why | Lawful basis |
|---|---|---|---|
| Account | Name, email, password (hashed), team name | Create and authenticate your Vask account | Contract |
| Billing | Card details (held by Stripe, not us), billing address, VAT/tax ID, invoice history | Take payment, issue invoices, comply with tax law | Contract / Legal obligation |
| Usage | App keys, app secrets, API request counts, broadcast counts, peak concurrent connections, dashboard logins | Operate the service, enforce plan limits, show usage in dashboard | Contract / Legitimate interest |
| Support | Emails to [email protected] or [email protected], support ticket content | Respond to support and security reports | Legitimate interest |
| Marketing | Email address (only if you sign up to a Vask mailing list or are an existing customer) | Send launch / product updates | Consent / Soft opt-in |
| Site analytics | Anonymous, aggregated visitor data via Fathom Analytics — no cookies, no personal identifiers | Understand which pages work | Legitimate interest |
We do not collect special-category data (health, biometrics, etc.) and we do not run ad-tracking, retargeting pixels, or third-party marketing cookies on vask.dev.
4. Cookies
vask.dev uses no advertising or tracking cookies. We use a small number of strictly-necessary cookies to keep you logged in and to remember your dashboard preferences. These are exempt from consent requirements under PECR.
Site analytics is provided by Fathom Analytics, which is privacy-focused and does not use cookies or fingerprinting (Fathom site ID: CLLMTFDR). No consent banner is required for Fathom.
5. How long we keep it
| Data | Retention |
|---|---|
| Account & authentication data | While your account is active, plus 30 days after closure |
| Billing & invoice records | 7 years (UK tax / Companies Act requirement) |
| Usage / analytics in dashboard | 12 months rolling |
| Support emails | 24 months from last contact |
| Marketing list | Until you unsubscribe |
| Server logs | 30 days |
6. Who we share it with (subprocessors)
We only share your personal data with vendors who help us run Vask. They are bound by data-processing terms and can only use your data to provide their service to us.
| Subprocessor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Hosting, edge network, Durable Objects, DNS | Global edge |
| Stripe Payments Europe Ltd | Card processing, subscription billing, customer portal | EU / Global |
| Resend (Resend.com Inc.) | Transactional email (credentials, billing, support) | US |
| Fathom Analytics | Privacy-friendly site analytics | EU/UK datacentre |
| incident.io Ltd | Status page, incident communications | UK |
A current list of subprocessors is maintained at vask.dev/legal/subprocessors. We will notify customers of material subprocessor changes via email and the dashboard at least 30 days before they take effect, unless an emergency security need requires faster change.
We will also disclose personal data where required by law, court order, or to protect the rights, property, or safety of Vask, our customers, or others.
7. International transfers
We are based in the UK. Some of our subprocessors are based outside the UK and EU (notably Cloudflare and Stripe in the US). Where we transfer data outside the UK we rely on:
- The UK adequacy regulations where one applies; or
- The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK addendum.
Copies are available on request to [email protected].
8. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Erase data ("right to be forgotten") where one of the legal grounds applies
- Restrict processing
- Object to processing based on legitimate interests
- Data portability for data you provided under contract or consent
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk, 0303 123 1113)
Email [email protected] to exercise any of these rights. We will respond within one calendar month.
9. Security
We apply technical and organisational measures including TLS encryption in transit, encryption at rest for credentials, hashed passwords (bcrypt or stronger), least-privilege access controls, and Cloudflare network protection. We disclose security incidents affecting your personal data without undue delay and within 72 hours of becoming aware where required.
To report a vulnerability, email [email protected]. See /.well-known/security.txt.
10. Children
Vask is a developer tool and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has registered, email [email protected] and we will delete the account.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes affecting how we use your personal data will be notified by email to active customers at least 30 days before they take effect.
12. Contact
- Privacy: [email protected]
- Security: [email protected]
- Postal: ADDFUEL LTD, 3 Eider Close, Thornton-Cleveleys, England, FY5 2UT
- ICO complaints: ico.org.uk
