Privacy Policy

1. Introduction

Vettly Inc. ("Vettly," "we," "us," or "our") operates the Vettly content moderation platform and API service (vettly.dev). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, dashboard, API services, and related products (collectively, the "Services").

We are committed to protecting your privacy and ensuring the security of your data in compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws. By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Full name and email address
• Company name and business information (optional)
• Authentication credentials (encrypted passwords via Clerk or OAuth tokens from GitHub)
• Payment information (processed securely through Stripe or Polar - we do not store full card numbers)
• Account preferences, notification settings, and timezone
• Profile picture (if uploaded)

2.2 API Usage Data

When you use our API Services, we collect and process:

• API keys and authentication tokens (encrypted)
• Content submitted for moderation (text, images, video URLs) - retained based on your subscription tier
• Moderation results and AI provider responses
• API request metadata (timestamps, endpoints accessed, response times, payload sizes)
• IP addresses, user agent strings, and request headers
• Policy configurations and custom rules
• Webhook endpoints and delivery logs
• Usage metrics, billing data, and rate limit information

2.3 Technical and Device Information

We automatically collect certain technical information when you access our Services:

• Device information (browser type, version, operating system, device model)
• Network information (IP address, ISP, connection type)
• Log data (access times, pages viewed, click paths, errors encountered)
• Cookies and similar tracking technologies (see our Cookie Policy)
• Performance metrics (page load times, API latency, error rates)
• Diagnostic data for troubleshooting and service improvement

2.4 Communications and Support

We collect information from your communications with us:

• Support tickets, inquiries, and correspondence
• Email communications and responses
• Feedback, survey responses, and testimonials
• Community forum posts, comments, and discussions
• Phone call recordings (with prior notice and consent)

2.5 Information from Third Parties

We may receive information about you from:

• OAuth providers (GitHub) when you choose to authenticate through them
• Payment processors (Stripe, Polar) regarding transaction status
• Analytics services (with anonymized or aggregated data)
• Public databases and data enrichment services for fraud prevention

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract Performance: Processing necessary to provide the Services you requested (Article 6(1)(b) GDPR)
• Legitimate Interests: Processing for our legitimate business interests, such as fraud prevention, security, analytics, and service improvement (Article 6(1)(f) GDPR)
• Legal Obligation: Processing required to comply with applicable laws and regulations (Article 6(1)(c) GDPR)
• Consent: Processing based on your explicit consent for marketing communications or optional features (Article 6(1)(a) GDPR - you may withdraw consent at any time)

4. How We Use Your Information

4.1 Service Provision and Operations

• Provide, maintain, operate, and improve our content moderation Services
• Process API requests and generate moderation decisions using AI providers
• Authenticate users and maintain account security
• Process payments, manage subscriptions, and send billing invoices
• Send transactional notifications (account changes, security alerts, service updates)
• Provide customer support and respond to inquiries
• Deliver webhooks and event notifications

4.2 Analytics, Research, and Improvement

• Analyze usage patterns, trends, and service performance
• Develop new features, products, and functionality
• Improve AI model accuracy and moderation quality (with anonymized/aggregated data)
• Conduct research and quality assurance testing
• Generate aggregated statistics and reports (no personally identifiable information)
• A/B testing and optimization of user experience

4.3 Security, Fraud Prevention, and Legal Compliance

• Detect, investigate, and prevent fraud, abuse, and security threats
• Monitor for suspicious activity and policy violations
• Comply with legal obligations and respond to legal requests
• Enforce our Terms of Service and other policies
• Protect our rights, property, safety, and those of our users
• Maintain audit trails for compliance and dispute resolution

4.4 Marketing and Communications (With Consent)

• Send promotional emails about new features and updates (opt-in only)
• Provide personalized content and recommendations
• Conduct surveys and gather feedback
• Invite you to events, webinars, or beta programs

You can opt-out of marketing communications at any time using the unsubscribe link in emails or through your dashboard settings.

5. Data Sharing and Disclosure

5.1 Third-Party AI Providers

Content you submit for moderation is processed by third-party AI providers based on your policy configuration. We share only the necessary content with these providers:

• OpenAI: Text content for moderation analysis. See OpenAI Privacy Policy
• Google Perspective API: Text content for toxicity detection. See Perspective Privacy
• Hive AI: Images and videos for visual content moderation. See Hive Privacy Policy
• Microsoft Azure Content Safety: Multi-modal content analysis. See Microsoft Privacy

We have Data Processing Agreements (DPAs) with these providers. They are contractually prohibited from using your content for purposes other than providing moderation services.

5.2 Service Providers and Business Partners

We share data with trusted service providers who assist in operating our Services:

• Clerk: Authentication and user management services
• Stripe/Polar: Payment processing (they receive billing information)
• Cloudflare: CDN, security, and infrastructure services
• AWS/Cloudflare R2: Cloud storage for evidence and backups
• Resend: Transactional email delivery
• Sentry: Error tracking and monitoring (anonymized data)

These providers are contractually bound to protect your information, use it only for specified purposes, and comply with applicable data protection laws.

5.3 Legal Requirements and Protection

We may disclose your information when required by law or necessary to:

• Comply with valid legal processes (subpoenas, court orders, search warrants)
• Respond to government or regulatory requests
• Investigate and prevent illegal activity, fraud, or abuse
• Protect the safety, rights, or property of Vettly, our users, or the public
• Enforce our Terms of Service and detect violations

We will notify you of legal requests unless prohibited by law or court order.

5.4 Business Transfers

If Vettly is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice via email and/or prominent website notice at least 30 days before your information is transferred and becomes subject to a different privacy policy.

5.5 Aggregated and Anonymized Data

We may share aggregated or anonymized data that cannot reasonably be used to identify you (e.g., industry trends, usage statistics) with partners, researchers, or the public.

6. Data Retention and Deletion

6.1 Content Data Retention by Tier

Content submitted for moderation is retained according to your subscription plan:

• Free tier: 7 days
• Starter tier: 30 days
• Pro tier: 90 days
• Enterprise tier: Custom retention period (configurable)

After the retention period, content is automatically and permanently deleted from our systems using secure deletion methods. You can request earlier deletion through the dashboard or API.

6.2 Account and Metadata Retention

• Active accounts: Retained while your account is active
• After account deletion: Most data deleted within 30 days; some metadata retained for 90 days for fraud prevention and legal compliance
• API logs: Retained for 90 days for debugging and security
• Billing records: Retained for 7 years as required by tax and accounting laws
• Legal hold data: Retained as required for active litigation or legal obligations

6.3 Backup Retention

Backup copies may persist for up to 90 days after deletion. These are encrypted and not accessible for operational use.

7. Data Security

We implement comprehensive security measures to protect your information:

7.1 Technical Safeguards

• End-to-end encryption for data in transit (TLS 1.3)
• AES-256 encryption for data at rest
• Encrypted database backups with secure key management
• API keys are hashed and encrypted before storage
• Secure credential storage using industry best practices
• Regular security patches and updates

7.2 Access Controls

• Multi-factor authentication (MFA) for account access
• Role-based access control (RBAC) for team members
• Principle of least privilege for employee access
• Regular access reviews and revocations
• Audit logging of all administrative actions

7.3 Monitoring and Response

• 24/7 automated threat detection and monitoring
• Rate limiting and DDoS protection
• Intrusion detection systems (IDS)
• Regular security audits and penetration testing
• Incident response plan and security team
• Vulnerability disclosure program

7.4 Data Breach Notification

In the unlikely event of a data breach affecting personal information:

• We will notify affected users within 72 hours of discovering the breach
• Notification will include the nature of the breach, affected data, and remediation steps
• We will notify relevant supervisory authorities as required by law
• We will provide credit monitoring services if appropriate

While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security but will notify you of any material breaches as required by law.

8. International Data Transfers

Vettly operates globally, and your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws.

8.1 Safeguards for International Transfers

When transferring data internationally, we use appropriate safeguards:

• Standard Contractual Clauses (SCCs): European Commission-approved SCCs for transfers from EEA/UK to third countries
• Data Processing Agreements: Contracts with third-party processors ensuring adequate protection
• Encryption: All data encrypted during transfer and at rest
• UK Extension to SCCs: For transfers from the UK post-Brexit
• Swiss-US Privacy Framework compliance: For transfers from Switzerland

8.2 Data Storage Locations

Your data may be stored in the following regions:

• Primary: United States (AWS US-East, Cloudflare global network)
• Backups: Multiple geographic regions for redundancy
• Enterprise customers: Custom data residency options available

9. Your Privacy Rights

9.1 Universal Rights (All Users)

You have the right to:

• Access: Request access to your personal data and download it
• Correction: Update inaccurate or incomplete personal data
• Deletion: Request deletion of your personal data ("right to be forgotten")
• Portability: Receive your data in a structured, machine-readable format
• Opt-out: Unsubscribe from marketing communications

9.2 GDPR Rights (EEA, UK, Switzerland Users)

Under GDPR, you have additional rights:

• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Restrict Processing: Restrict processing in certain circumstances (e.g., while we verify accuracy)
• Right to Withdraw Consent: Withdraw consent at any time for processing based on consent
• Right to Lodge a Complaint: File a complaint with your local supervisory authority
• Automated Decision-Making: Object to automated decisions with legal or significant effects (we currently do not engage in such processing)

9.3 CCPA/CPRA Rights (California Residents)

California residents have the right to:

• Know: Request disclosure of personal information we collect, use, disclose, and sell
• Delete: Request deletion of personal information we hold
• Opt-Out of Sale: We do not sell personal information
• Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights
• Correct: Request correction of inaccurate personal information
• Limit Use of Sensitive Data: We do not use sensitive personal information beyond necessary service provision

Notice: We do not sell or share personal information for cross-context behavioral advertising.

9.4 How to Exercise Your Rights

To exercise your rights:

• Dashboard: Access, update, or delete data directly in your account settings
• Email: Contact privacy@vettly.dev with your request
• API: Use our Data Rights API endpoints (Enterprise tier)
• Authorized Agent: California residents may designate an authorized agent to make requests on their behalf

We will respond to requests within 30 days (or as required by applicable law). We may request verification of your identity before processing requests to protect your privacy.

10. Children's Privacy

Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at privacy@vettly.dev.

Upon learning that we have collected personal information from a child under 18, we will take steps to delete such information within 30 days. We comply with the Children's Online Privacy Protection Act (COPPA) and similar international laws.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide and improve our Services. For detailed information about:

• Types of cookies we use (essential, analytics, functionality, authentication)
• Third-party cookies and tracking
• How to manage cookie preferences
• Browser settings for blocking cookies

Please see our separate Cookie Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other operational needs. When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For material changes, we will notify you via email at least 30 days before they take effect
• We will provide prominent notice in the dashboard for significant updates
• You will have the opportunity to review changes before they take effect
• Continued use of Services after changes take effect constitutes acceptance

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us and Data Protection Officer

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to all requests within 30 days (or sooner as required by applicable law). For urgent privacy matters, please mark your email as "URGENT: Privacy Request" for expedited handling.

13.1 Supervisory Authority (EU/EEA Users)

If you are in the EU/EEA and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local data protection authority. You can find contact information for EU data protection authorities at:

https://edpb.europa.eu/about-edpb/about-edpb/members_en