Privacy Policy

Last updated: April 2026

1. Who We Are

Vest is a cashback rewards platform operated by Vest Technologies ("Vest", "we", "us"). This Privacy Policy explains how we collect, use, share, and protect personal information when you use the Vest platform — whether accessed at getvest.ai or through a third-party Operator that has embedded the Vest infrastructure under their own brand. References to "the platform" include both access paths.

2. What We Collect

We collect: (a) Registration data — your email address, display name (optional), and hashed password when you create an account. (b) Subscription & cashback data — the tools you subscribe to, the Vest tracking links you generate, cashback events credited to your account, your loyalty tier, and payout history. (c) Affiliate click data — when you click a Vest tracking link, we log a click record containing your user ID, the destination tool, a unique click ID, a timestamp, your IP address, and the referring URL. This data is essential for attributing cashback correctly. (d) Self-reported data — if you manually report a subscription, we collect the details you provide (tool name, subscription plan, start date, and any supporting information). (e) Device & usage data — browser type, device type, operating system, pages visited, and session duration, used to operate and improve the platform. (f) Push notification subscription — if you enable push notifications, we store your browser push endpoint token.

3. Affiliate Tracking & Click Data

Vest's cashback programme operates through affiliate networks (such as PartnerStack, Impact, Rewardful, and others). When you click a Vest tracking link: (a) We embed a unique click ID in the URL that is transmitted to the affiliate network's servers. (b) The affiliate network may set a tracking cookie in your browser to maintain the attribution window. (c) If you subscribe to the tool, the affiliate network sends a postback (server-to-server notification) or API update to Vest containing your click ID, the subscription value, and the commission amount. We use this postback to credit your cashback. The affiliate network's own privacy policy governs how they handle your data. We do not control what the affiliate network stores about you, and we encourage you to review their policies. Vest does not share your full name or payment details with affiliate networks; only the anonymous click ID is transmitted.

4. Postback & API Integration Data

When an affiliate network confirms a qualifying subscription, they transmit a postback payload to Vest containing: the click ID, a transaction or subscription identifier, the commission amount, the subscription plan, and the transaction status. We store this payload to: (a) credit your cashback; (b) resolve any disputes about whether a subscription was confirmed; and (c) audit payment accuracy. If a network reverses a previously confirmed commission (e.g., due to a refund or chargeback), we receive a reversal postback and may deduct the corresponding cashback from your wallet. In some cases we may receive data via scheduled API sync rather than real-time postback; the same principles apply.

5. How We Use Your Data

We use your data to: (a) operate the cashback programme — match clicks to subscriptions, credit confirmed cashback, and process withdrawals; (b) calculate and update your loyalty tier; (c) detect and prevent fraud, including reviewing unusual click patterns or duplicate accounts; (d) send transactional communications — cashback confirmations, payout receipts, tier upgrade notifications, and security alerts (see Section 8); (e) comply with legal obligations, including financial recordkeeping; and (f) improve the platform through aggregated, anonymised analytics. We do not use your data for personalised advertising or sell it to third parties for marketing purposes.

6. Operators & White-Label Partners

If you access Vest through an Operator platform (a third party that has embedded Vest's cashback infrastructure under their own brand), the following applies: (a) Your account data, subscription activity, cashback balance, and payout history are accessible to the Operator for the purpose of operating their platform. (b) The Operator may configure which tools appear in their catalogue, adjust display branding, and set certain programme parameters within limits set by Vest. (c) The Operator is an independent data controller in respect of their own platform and may collect additional data about you under their own privacy policy. We are not responsible for the Operator's data practices beyond the scope of Vest's infrastructure. (d) We share only the minimum data necessary for the Operator to fulfil their obligations to you. We do not grant Operators access to your hashed password, payout processor details, or data belonging to users of other Operators.

7. Third-Party Service Providers

We share data with the following categories of third parties: (a) Affiliate networks (PartnerStack, Impact, Rewardful, and others) — receive your click ID and provide postback data as described in Sections 3–4. (b) Tremendous — our payout processor. When you request a withdrawal, we send Tremendous your email address and payout amount to fulfil the transaction. Tremendous's privacy policy governs their handling of your information. (c) Resend — our transactional email provider. We send your email address and message content to Resend to deliver account notifications. (d) Cloud infrastructure providers — our database, servers, and storage are hosted on secure cloud infrastructure. Access is restricted to authenticated application processes. (e) Fraud detection tools — we may use automated risk-scoring tools that process click and behavioural data to identify potentially fraudulent activity. All providers are required by contract to process your data only on our instructions and to implement appropriate security measures.

8. Cookies & Tracking Technologies

Vest uses the following: (a) Session cookies — set as httpOnly cookies to maintain your authenticated session. These are essential for the platform to function and cannot be disabled. (b) Affiliate tracking cookies — set by affiliate networks when you click a Vest link. These operate on the affiliate network's domain and are governed by their cookie policies. (c) Analytics — we use aggregated, anonymised usage data to understand how the platform is used. We do not use third-party advertising cookies or cross-site tracking. You may block non-essential cookies through your browser settings without affecting core platform functionality, but blocking affiliate cookies will prevent cashback attribution.

9. Transactional Communications

We send email and push notifications for the following transactional events: account creation (welcome), cashback confirmed, cashback pending, tier upgrade, withdrawal processed, and security events (password reset, suspicious login). These communications are necessary to operate the service. You may not opt out of transactional notifications while your account is active. You can revoke push notification access at any time from your Profile page or browser settings without affecting email delivery.

10. Data Retention

We retain your account and transaction data for as long as your account is active. If you request account deletion, we will remove or anonymise your personal information within 30 days, subject to the following exceptions: (a) transaction records (cashback events, payouts) are retained for up to 7 years to comply with financial recordkeeping obligations; (b) fraud-related data may be retained for longer where required by law or to prevent future abuse; and (c) affiliate postback logs are retained for 3 years to resolve any commission disputes. You may request deletion by emailing hello@getvest.ai.

11. Security

Passwords are hashed using bcrypt with a per-user salt and are never stored in plaintext. Authentication tokens are stored in httpOnly, Secure cookies. All data in transit is encrypted using TLS 1.2 or higher. Database access is restricted to application services via network-level controls. We conduct periodic security reviews and promptly address vulnerabilities. In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.

12. Your Rights

Depending on your location, you may have the following rights regarding your personal data: (a) Access — request a copy of the personal data we hold about you. (b) Correction — request correction of inaccurate data. (c) Deletion — request deletion of your data, subject to our retention obligations. (d) Portability — receive your data in a machine-readable format. (e) Objection — object to processing based on legitimate interests. (f) Restriction — request that we restrict processing while a dispute is resolved. For users in the European Economic Area, United Kingdom, or California, additional rights may apply under GDPR, UK GDPR, or the CCPA respectively. To exercise any right, email hello@getvest.ai. We will respond within 30 days. We may need to verify your identity before processing your request.

13. Children

The Vest platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, please contact hello@getvest.ai and we will promptly delete the account.

14. International Data Transfers

Vest is operated from the United States. If you are located outside the US, your data may be transferred to and processed in the US or other countries. We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses where required by applicable law.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice within the platform. The updated Policy will take effect 14 days after posting unless you object, in which case you may close your account before the new Policy takes effect.

16. Contact

Privacy questions or requests? Email us at hello@getvest.ai.