Privacy Policy
Last updated July 4, 2026
1. Who we are
Vestari is a private dealer archive operated by A&R Timepieces LLC, 400 Columbia Dr Suite 110, West Palm Beach, FL 33409. In this policy, “we,” “us,” and “Vestari” refer to A&R Timepieces LLC. “You” refers to the dealer or business using Vestari.
2. What we collect
We collect three narrow categories of data:
- Account data. Your email address, business name, and login sessions. No password — we use magic links.
- Archive data. Deal records you record or that flow from WhatsApp groups you connect — brand, reference, price, date, source, and free-text notes.
- Usage data. Anonymized logs sufficient to operate the service (IP for rate limiting, user-agent for browser support, timestamps for auditing).
3. How WhatsApp bridging works
You scan a QR code to link a phone number you already own. Our bridge runs a read-only WhatsApp session. Vestari can never send a message, react, join a group, or read a chat that is not on your explicit include-list. You choose exactly which groups feed the archive.
Personal chats, family groups, and any room not on your include-list are ignored before parsing. WhatsApp media that we do parse (deal photos) is stored encrypted and never re-shared.
4. How we protect your archive
- AES-256-GCM encryption at rest on every sensitive field (contact names, phone numbers, group identifiers, free-text notes).
- TLS 1.3 in transit, HSTS enforced.
- Per-account key isolation via HKDF-SHA256, so one dealer’s data cannot be read with another dealer’s key material.
- HMAC-SHA256 fingerprints for dedup. We never index sensitive fields in plaintext.
- US-hosted on AWS. SOC 2 posture in progress.
5. The anonymized comps pool
If you opt in, Vestari may include your deal facts — brand, reference, price, month — in an anonymized pool visible to other vetted dealers. We never share your name, business name, phone number, WhatsApp handle, group name, or photos. You can opt out at any time in Settings, and prior contributions are purged from the pool within 24 hours.
6. What we never do
- We never send WhatsApp messages on your behalf.
- We never sell dealer data.
- We never share raw contact info, photos, or free-text notes with any other dealer or third party.
- We never train external AI models on your data. On-platform OCR runs against Anthropic Claude for photo parsing only; under a zero-data-retention agreement, the model provider does not retain content.
7. Your controls
You can export your full archive as CSV or JSON at any time. You can delete individual comps, disable WhatsApp bridging, or delete your entire account. Account deletion purges every record within 30 days.
8. Sub-processors we use
- Amazon Web Services (hosting, US-East)
- Turso (managed database)
- Resend (transactional email — magic links, daily digest)
- Anthropic (photo OCR, zero-retention)
- Stripe (payments, PCI-DSS Level 1)
9. Contact
Reach us at privacy@getvestari.com. Governing law is Florida.