1. Who We Are
Vision & Virtue Partnership ("Vision & Virtue", "we", "our", or "us") is a financial strategy and consulting firm registered in Israel. We operate the website visionvirtuepartnership.com and the internal tools hosted at this domain.
Data controller contact: ramizilikovich@gmail.com
2. Data We Collect
We collect only the data necessary to provide our services:
- Contact form submissions: Your name, company name, email address, and message when you submit the "Get in Touch" form.
- Session data: A temporary session token is stored in your browser's sessionStorage when you access restricted areas of the site. This token expires when you close your browser tab and contains no personal information beyond an access indicator.
- LinkedIn OAuth tokens: If our internal Marketing AI tool is connected to a LinkedIn account, we store an encrypted OAuth access token. This token is used solely to publish content on behalf of Vision & Virtue's own LinkedIn page.
- Financial files (Finance AI): Client documents uploaded to the Finance AI tool are processed locally in your browser. Extracted text content is transmitted to Anthropic's Claude API for analysis. No uploaded files are stored on our servers.
- Visibility Portal data (server-stored): When you use the Visibility Portal with a customer access key, the following data is stored on our servers:
- General Ledger (GL) account data you upload or enter (account numbers, names, P&L mappings)
- Organisational structure entries (company names, divisions, departments, products, activities)
- Budget structure, budget lines, and period amounts
- Salary allocation data (employee names, department assignments, amounts)
- Revenue and COGS entries
- Cash Flow configuration (payment terms, working capital parameters, financing, Capex)
This data is associated with your unique customer access key and stored in an encrypted database on Render, Inc.'s infrastructure in the United States. It is accessible only by you (via your key) and by Vision & Virtue administrators.
We do not use tracking pixels, advertising cookies, or third-party analytics services (e.g. Google Analytics).
3. How We Use Your Data
- Contact inquiries: To respond to your message and discuss potential engagement. We do not add you to any mailing list without explicit consent.
- Session tokens: To maintain secure access to restricted tools during your browser session.
- LinkedIn tokens: Solely to publish marketing content to our company LinkedIn page through the Marketing AI workflow.
- Financial file content (Finance AI): Sent to Anthropic's Claude API to generate financial analysis, models, and presentations. Anthropic processes this data in accordance with their Privacy Policy.
- Visibility Portal data: Stored server-side solely to power the Visibility Portal's budget, cash flow, and financial planning features. This data is not shared with third parties (other than infrastructure hosting on Render, Inc.) and is not used for any purpose other than delivering the service to you.
4. Sub-Processors
We engage the following sub-processors to deliver the Service. Each is bound by a written Data Processing Agreement (DPA) that requires equivalent security and confidentiality standards:
- Anthropic, PBC (United States) — Provides the Claude Large Language Model API powering Finance AI, the Visibility CFO Agent, and Marketing AI. Text and structured customer context are sent over TLS-encrypted HTTPS to Anthropic's API. Under our commercial agreement and Anthropic's Privacy Policy, customer prompts and responses are not used to train models. When enabled on our tier, Zero Data Retention prevents Anthropic from logging prompt/response content. Data residency: United States.
- Render Services, Inc. (United States) — Hosts our backend application and SQLite database on encrypted persistent storage. Data in transit between users and Render is encrypted via TLS 1.2+. Render staff have access only as required for support under their DPA and SOC 2 controls. Data residency: United States.
- LinkedIn Corporation (United States) — Used only for the Marketing AI publishing flow. We authenticate via OAuth 2.0 and publish content to the V&V company page. LinkedIn's use of data is governed by LinkedIn's Privacy Policy.
No other sub-processors are engaged. We will provide 30 days' notice before adding any new sub-processor that handles Visibility Portal customer data.
4a. Security Measures (Visibility Portal)
For customer data stored in the Visibility Portal we apply the following controls:
- Encryption in transit: TLS 1.2+ on every API call between browser, our backend, and all sub-processors.
- Encryption at rest: AES-256-GCM column-level encryption on sensitive fields (employee names, salary amounts, budget descriptions, vendor names). The encryption key is held only as a Render environment variable; not in source code, version control, or backups.
- Customer key hashing: Customer access keys (VV-XXXXXX) are stored as scrypt hashes; the original key cannot be recovered from the database. Even a full database leak would not reveal active keys.
- Authentication rate limiting: Failed customer-key attempts are limited per IP and per key to defeat brute-force.
- AI scoping guards: Every CFO Agent call is bound to a single customer key. Cross-tenant context is rejected at the application layer, and agent responses are scanned for cross-customer leakage before being returned.
- Audit log: Every AI Agent prompt and response is hashed and logged with a timestamp and customer-key id, retained for 90 days, and available to the customer on request.
- Off-site encrypted backups: Daily backups are encrypted with a separate key and stored in a different region.
- Breach notification: We notify affected customers and the Israeli Privacy Protection Authority within 72 hours of confirming a personal data breach, per the Protection of Privacy Law 5741-1981.
5. Data Retention
- Contact form data: Retained in our email inbox until no longer needed for the business purpose of the inquiry, or until you request deletion.
- Session tokens: Stored only in your browser's sessionStorage. Automatically deleted when you close your browser tab. No session data is retained server-side.
- LinkedIn tokens: Retained until you disconnect LinkedIn via the Settings panel, or until the token expires (typically 60 days).
- Financial file content (Finance AI): Not stored. Text is transmitted to Anthropic and the response returned in real time.
- Visibility Portal data: Retained on our servers for as long as your customer access key is active, to enable continued use of the service. If you request deletion of your data or your access key is revoked, all associated data (GL accounts, org structure, budgets, salary data, cash flow data) is permanently deleted from our database via cascading deletion.
6. Your Rights
Under the Israeli Protection of Privacy Law 5741-1981 and, where applicable, the EU General Data Protection Regulation (GDPR), you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your personal data
- Object to processing of your data
- Lodge a complaint with the Israeli Privacy Protection Authority or your local supervisory authority
To exercise any of these rights, contact us at ramizilikovich@gmail.com. We will respond within 30 days.
7. Cookies
This website uses one type of cookie:
- Session cookie (strictly necessary): Set when accessing restricted internal tools. Contains an encrypted session identifier only. No personal data. Expires after 10 minutes.
No advertising, tracking, or analytics cookies are used. You may disable cookies in your browser settings, but this will prevent access to password-protected areas of the site.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- TLS encryption for all data in transit
- AES-256-GCM encryption for OAuth tokens stored at rest
- Server-side rate limiting and input validation
- HTTP security headers (Content-Security-Policy, HSTS, X-Frame-Options)
- Access controls requiring authenticated sessions for all internal tools
9. International Transfers
Data processed by Anthropic's Claude API is transmitted to servers operated by Anthropic, Inc. in the United States. By using our Finance AI or Marketing AI tools, you acknowledge this transfer. Anthropic maintains appropriate safeguards under their data processing agreements.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the website after changes constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions, requests, or complaints: