Helping businesses spend smarter
← Back to Valyo

Privacy Policy

Version 2.1 · Last updated: 27 June 2026

This notice explains how MYSTARTUP LIMITED ("Valyo", "we", "our", "us") handles your personal data when you visit our website, create an account, or sign up for our newsletter. It is written to meet our obligations under the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).

Who we are

  • Data controller: MYSTARTUP LIMITED
  • Registered office: 124 City Road, London, EC1V 2NX, United Kingdom
  • ICO registration number: ZB895726 (Tier 1, expires 05 May 2027)
  • Contact: info@my-startup.co.uk

What data we collect

Depending on how you use Valyo, we may collect:

  • Account data: your name, email address and password (hashed).
  • Authentication identifiers: if you sign in with Google or Apple, we receive a unique user ID and your email from that provider so we can create or match your account.
  • Marketing preferences: whether you've opted in to receive marketing emails, plus the date, source and exact wording of that consent.
  • Saved deals & activity: the deals you bookmark in your dashboard.
  • Consent evidence: when you submit the newsletter form, your IP address and browser user-agent at the moment of opt-in, stored as proof of consent.
  • Support correspondence: any emails you send us.
  • Strictly necessary cookie: a single session cookie used by our authentication provider to keep you signed in.

We do not knowingly collect personal data from anyone under 13.

Why we use it, and our lawful basis

Under UK GDPR we must have a lawful basis for every processing activity. Ours are:

  • Creating and operating your account · Contract (Art. 6(1)(b)) — we need your account data to provide the service you signed up for.
  • Sending marketing emails (deals, partner news, product updates) · Consent (Art. 6(1)(a) and PECR reg. 22) — only if you ticked the marketing box at signup or on the newsletter form.
  • Site security, fraud prevention, and improving our service · Legitimate interests (Art. 6(1)(f)) — limited to what is necessary to keep Valyo safe and functional.
  • Meeting tax, accounting and other legal obligations · Legal obligation (Art. 6(1)(c)).

How long we keep it (retention)

  • Account data: for as long as your account is active, then deleted within 30 days of account closure.
  • Saved deals: until you remove them or delete your account.
  • Newsletter consent records: while you are subscribed, plus up to 6 years after you unsubscribe (UK limitation period) so we can evidence consent if challenged.
  • Support emails: 2 years from the last message.
  • Authentication and security logs: up to 12 months.

Who we share it with

We do not sell your personal data. We use a small number of trusted processors to run the service:

  • Backend & hosting: Lovable Cloud (database, authentication, file storage).
  • Social sign-in providers: Google and Apple, only if you choose to sign in with them.
  • Email delivery: our transactional and marketing email provider, used to send account emails and (with your consent) newsletters.
  • Legal or regulatory bodies: where we are required by law to disclose information.

Affiliate partner sites you click through to from Valyo are independent controllers; their own privacy notices apply once you leave our site.

International transfers

Some of our processors may store or process data outside the UK or European Economic Area, including in the United States. Where this happens we rely on UK GDPR safeguards: the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision made by the UK government. You can ask us for a copy of the safeguards in place by emailing info@my-startup.co.uk.

Cookies

Valyo only sets strictly necessary cookies, which are exempt from the consent requirement under PECR reg. 6(4):

  • sb-…-auth-token — keeps you signed in to your member account. Removed when you sign out or clear your browser storage.

We do not currently use analytics, advertising or affiliate-tracking cookies. If that changes we will update this notice and introduce a cookie banner that lets you refuse non-essential cookies before any are set.

Marketing emails

If you tick the marketing consent box on the newsletter form or at signup, we'll email you Valyo deals, partner news and product updates. The lawful basis is your consent (UK GDPR Art. 6(1)(a) and PECR reg. 22).

When you opt in we record your email address, the date and time, the page you opted in from, the exact wording you agreed to, the version of that wording, and your IP address and browser user-agent, as proof that consent was freely given.

You can withdraw consent at any time by clicking the unsubscribe link in any marketing email, by toggling off the marketing preference in your dashboard, or by emailing info@my-startup.co.uk. Withdrawing consent is as easy as giving it and won't affect any other service you receive from us.

Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

Your rights

Under UK GDPR you have the right to:

  • access a copy of your personal data;
  • have inaccurate data corrected;
  • have your data erased ("right to be forgotten") — you can do this yourself from your member dashboard, or by emailing us;
  • restrict or object to certain processing, including direct marketing;
  • data portability where applicable;
  • withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, or if you have any concerns about how we handle your personal data, email info@my-startup.co.uk. We will respond within one month.

Data security

We use appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS/TLS), encryption at rest for our database, hashed passwords, role-based access controls, and row-level security policies that prevent users from accessing each other's data. No system can be guaranteed fully secure, but we work to reduce the risk and will notify you and the ICO of any qualifying personal data breach within 72 hours as required by law.

Changes to this policy

We may update this policy from time to time. The version number and last-updated date at the top of this page will change. For material changes that affect how we use your personal data, we'll notify you by email or with a prominent notice on the site before the change takes effect.

Contact

  • Email: info@my-startup.co.uk
  • Post: MYSTARTUP LIMITED, 124 City Road, London, EC1V 2NX