Privacy

Privacy Policy

How Vitral describes personal data collection, use, sharing, regional privacy rights, Google OAuth handling, and security disclosure across the platform.

Includes
General, California, GDPR, Security
Scope
Personal data and platform use

1. Introduction and Scope

Vitral AI, Inc. (“Vitral”) is committed to protecting the privacy and security of personal information processed through the platform. This Privacy Policy explains how we collect, use, share, and protect personal information when you use Vitral, a modular AI workspace platform built from scratch for flexible, composable work with language models and AI-assisted tools. Vitral brings together conversations, documents, files, generated artifacts, live samples, and integrated tools in a persistent multi-panel environment. This policy applies to personal information processed in connection with that platform and its related services.

2. Information We Collect

Vitral may collect and process the following categories of information in connection with the platform:

  • Account Information: Information such as your name, email address, and profile or avatar image, where needed to create and manage your account.
  • Workspace and Service Content: Content you provide through the platform, including prompts, conversations, documents, files, generated artifacts, live samples, and other materials processed through Vitral.
  • Operational Usage Data: Limited operational data needed to provide, secure, maintain, and support the platform, such as account-level usage records, billing-related records, token consumption records, and support-related activity.
  • Authentication and Preference Data: Information needed to manage authentication, session handling, and user preferences, including language preference settings and related session state.
  • Information You Submit to Support or Administrative Flows: Information you choose to provide when contacting support, submitting security reports, managing billing, or resolving account issues.

Vitral does not currently describe its general privacy practices as relying on broad behavioral tracking, advertising cookies, geolocation tracking, search-history tracking, browser fingerprinting, device profiling, or user inferences for marketing or personalization purposes. At the same time, Vitral’s public site currently includes Google Tag Manager and related site-measurement technologies in addition to authentication, session, and preference-related technologies.

3. Use of Information and Legal Basis for Processing

We use the information we collect for the following purposes:

  • Service Provision: To provide, operate, and support the Vitral workspace platform and its related services.
  • Workspace and Model Operations: To process user requests, route tools and model calls, fulfill prompts, support conversations and documents, and operate platform capabilities such as VIL, catalog model access, files, artifacts, and live samples.
  • Account Management and Billing: To manage subscriptions, prepaid balance, token usage visibility, account administration, payments, and related support flows.
  • Security and Abuse Prevention: To detect, prevent, investigate, and respond to fraud, abuse, unauthorized access, security issues, or other activity that could harm the platform or its users.
  • Support and Communication: To respond to support requests, resolve account or billing issues, communicate about service-related matters, and, if Vitral later offers optional newsletters or marketing communications, to send those only in accordance with applicable law and the user choices made available at that time.
  • Legal Compliance: To comply with applicable law, enforce our terms and policies, and maintain required business or regulatory records.

Legal Basis for Processing: Our processing of your personal data is based on the following legal grounds:

  • Consent: When you have given clear consent for us to process your data for specific purposes, such as subscribing to newsletters or using certain features of the platform.
  • Contractual Necessity: When processing is necessary to perform a contract with you, including providing access to our platform and its features.
  • Legal Obligation: When processing is necessary to comply with legal obligations, such as maintaining records for regulatory compliance.
  • Legitimate Interests: When processing is necessary for our legitimate interests, such as improving our services or enhancing security, provided that these interests are not overridden by your rights.

4. User Rights and Choices

  • Data Portability: You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format. To exercise this right, please visit our Support Section and submit a request.
  • Communications Choices: If Vitral offers optional newsletters or promotional communications in the future, users will be able to manage those communications through the controls or unsubscribe mechanisms provided with them. As for cookies and similar technologies, Vitral currently describes its site-level usage as including authentication and session technologies, preference persistence, and Google Tag Manager or related site-measurement technologies.
  • GDPR Rights: If you are a resident of the European Union or European Economic Area, please refer to the GDPR Compliance and Your Rights section for detailed information about your rights under the GDPR.
  • CCPA Rights: If you are a resident of California, please refer to the California Privacy Rights section for detailed information about your rights under the CCPA.

5. Data Sharing, Disclosure, and Third-Party Integrations

We may share your information with third parties under the following circumstances:

  • Third-Party Service Providers: We share your data with third-party service providers who assist us in operating our platform, such as hosting services, payment processors, and customer support tools. These providers are required to protect your data in accordance with our privacy policy and applicable laws.
  • Third-Party Tools and Integrations: Vitral may use third-party model providers, infrastructure providers, and related integrations to fulfill user requests through the platform. Vitral does not develop foundational AI models and does not use customer content to train its own intelligence layer or any third-party foundational models. When third-party providers are involved in processing requests, those providers remain subject to their own applicable terms and privacy policies. We strongly encourage you to review the provider policies below:
  • Legal Obligations: We may disclose your data to law enforcement or other government entities as required by law, such as in response to a subpoena or other legal process.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change in ownership or transfer of assets and your data, along with any choices you may have regarding your information.

Vitral is not responsible for the data handling practices of third-party providers. If you have any concerns regarding data usage, please consult the policies above or contact the respective provider directly.

Google OAuth Data Access and Usage

Vitral AI, Inc. ("Vitral") uses Google’s OAuth 2.0 for user authentication. When you log in using your Google account, we request access to specific information from your Google profile. Below, we outline how we access, use, store, and share the Google user data you provide:

1. Data Accessed

When you log in using Google OAuth, we request access to the following Google user data:

  • Profile Information: This includes your Google profile picture, name, and email address.
  • OpenID: We use the OpenID scope to verify your identity securely.

2. Use of Google User Data

We use the Google user data for the following purposes:

  • Authentication: To allow you to log in to our platform securely and access your account.
  • Account Setup and Display: To display basic profile information within the platform and support account management.
  • Account Management: To manage your account settings and preferences.

We do not use your Google user data for any other purposes without your explicit consent.

3. Data Storage

The Google user data we collect is securely stored in our system using industry-standard encryption protocols. We only store the data necessary to fulfill the purposes outlined above, and we retain this data as long as you maintain an account with Vitral or as required by law.

4. Data Sharing

We do not share your Google user data with any third parties, except as necessary to provide our services, comply with legal obligations, or with your explicit consent. We may share your data with trusted service providers who assist us in operating our platform, but they are contractually obligated to protect your data in compliance with our Privacy Policy and applicable laws.

5. Compliance with Google’s Limited Use Requirements

Vitral adheres to Google’s Limited Use requirements, ensuring that your Google user data is only used for the purposes described in this Privacy Policy. We do not use this data for advertising or other commercial purposes, nor do we sell or transfer your data to third parties for these purposes.

6. In-Product Privacy Notifications

We provide clear and accessible in-product privacy notifications regarding the use of Google user data. These notifications are prominently displayed within our app interface so that you can easily find this information.

7. Updates to Google OAuth Data Use

Our use of Google user data, as well as our related privacy practices, may be updated from time to time. Any changes will be reflected in this Privacy Policy and communicated to you through appropriate channels, such as in-app notifications or email. Continued use of our services after any changes constitutes your acceptance of the updated terms.

6. Data Security and Transfers

  • Data Security and Incident Response: We employ industry-standard security measures, including TLS encryption, to protect your personal information from unauthorized access, disclosure, or misuse. Your data is securely hosted on first-class data centers in the United States, and we employ several layers of security to protect your information. In the event of a data breach or security incident, we will notify you via email as soon as possible and take appropriate steps to mitigate the impact.
  • International Data Transfers: Most of the data processing occurs in data centers located in the United States. In cases where data is transferred to other locations, we will ensure that such transfers comply with applicable data protection regulations, including GDPR. We will use appropriate safeguards, such as standard contractual clauses, to protect your data during international transfers.

7. Children’s Privacy

While our services are not intended for children under the age of 13 (or 16 in certain jurisdictions), the privacy policy applies equally to all users. We encourage parents and guardians to monitor their children’s use of the platform and to contact us through our Support Section if they believe a child has provided personal information without parental consent. Any data collected from children is handled with special care and in compliance with relevant laws, specifically COPPA (Children’s Online Privacy Protection Act) for U.S. users.

8. Updates to the Privacy Policy

This Privacy Policy may be updated at any time. Changes will take effect immediately upon posting the updated policy on our platform. Continued use of our services after any changes constitutes your acceptance of the new terms.

9. Contact Information

For any questions or concerns regarding this Privacy Policy, or to contact our Data Protection Officer, please visit our Support Section and submit your inquiry. Our team will ensure your concerns are addressed promptly.

10. Dispute Resolution

Please refer to the Dispute Resolution section in our Terms of Use for details on how disputes related to privacy or other issues will be resolved.

California Privacy Rights

This section supplements the information contained in the general Privacy Policy of Vitral AI, Inc. and applies solely to residents of the state of California. We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this section.

1. Categories of Personal Information Collected

The following are the categories of personal information that we collect from California residents:

  • Identifiers: Such as name, email address, account identifiers, and similar account-related information.
  • Personal Information Categories: Such as billing-related information needed to support subscription, payment, or account administration flows. Payment processing may also involve third-party payment providers.
  • Commercial Information: Such as records of subscriptions, prepaid balance activity, purchases, or services obtained through the platform.
  • User Content and Service Records: Such as conversations, documents, uploaded files, generated artifacts, support submissions, and platform usage records associated with the services you use.

2. Sources of Personal Information

We collect personal information from the following sources:

  • Directly from You: When you provide it to us during account creation or use of our services.
  • Indirectly from Service Operation: Through authentication, session handling, platform operations, support flows, and account/billing administration.
  • From Third Parties: Where necessary to operate the services, such as identity, payment, hosting, infrastructure, or model-provider integrations.

3. Purposes for Collecting Personal Information

We collect and use your personal information for the following business or commercial purposes:

  • Providing and Managing Services: To provide, maintain, and improve our services.
  • Security: To maintain the safety, security, and integrity of our services.
  • Compliance: To comply with legal obligations, including those arising from the CCPA.
  • Support, Billing, and Account Administration: To manage subscriptions, prepaid balance, support requests, and related account operations.
  • Communications: To communicate about service-related matters and, if optional marketing or newsletter features are introduced later, to support those communications in accordance with applicable law.

4. Retention of Personal Information

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. When we no longer need your personal information, we will securely delete or anonymize it in accordance with applicable laws and regulations.

5. Sharing of Personal Information

We may share your personal information with the following categories of third parties for business purposes:

  • Service Providers: Such as hosting services, payment processors, and customer support providers.
  • Business Partners: In the context of a merger, acquisition, or sale of assets.
  • Legal Authorities: Where required by law, such as in response to a subpoena or court order.

6. Your California Privacy Rights

As a California resident, you have the following rights under the CCPA:

  • Right to Know: You may request details about the personal information we collect, use, and disclose.
  • Right to Delete: You may request that we delete personal information that we have collected from you, subject to certain exceptions.
  • Right to Opt-Out of Sale: While we do not sell personal information, you have the right to opt-out if we ever change our practices.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights.

7. How to Exercise Your Rights

To exercise your CCPA rights, you may:

  • Submit a Request: Contact us through our California Privacy Request Form.
  • Verification: We may need to verify your identity before processing your request, which helps us protect your privacy and security.

8. Do Not Sell My Personal Information

As of now, Vitral AI, Inc. does not sell personal information as defined under the CCPA. If our practices change, we will provide you with a clear mechanism to opt-out of the sale of your personal information.

9. Financial Incentives

If we offer any financial incentives (e.g., discounts or rewards) in exchange for your personal information, we will provide details on these incentives, including the value of the information, how it is calculated, and how you can opt-in or withdraw from such incentives.

10. Children's Data Collection

We do not knowingly collect or sell personal information from consumers under the age of 16 without affirmative authorization. If you are a parent or guardian and believe we have collected information from your child, please contact us through our Support Section.

11. Updates to this California Privacy Policy

We may update this California Privacy Policy from time to time. Changes will take effect immediately upon posting the updated policy on our platform. Continued use of our services after any changes constitutes your acceptance of the new terms.

12. Contact Information

If you have any questions or concerns about this California Privacy Policy, please contact us through our Support Section.

GDPR Compliance and Your Rights

This section supplements the information contained in the general Privacy Policy of Vitral AI, Inc. and applies solely to residents of the European Union (EU) and European Economic Area (EEA). We adopt this notice to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. Any terms defined in the GDPR have the same meaning when used in this section.

1. Legal Basis for Processing

Under the GDPR, we must have a legal basis to process your personal data. We process your personal data under the following legal bases:

  • Consent: Where you have provided explicit consent for specific purposes, such as subscribing to newsletters or using certain features of our platform.
  • Contractual Necessity: Where processing is necessary to perform a contract with you, including providing access to our platform and its services.
  • Legal Obligation: Where processing is required to comply with legal obligations, such as maintaining records for regulatory compliance.
  • Legitimate Interests: Where processing is necessary for our legitimate interests, such as improving our services, provided that these interests are not overridden by your data protection rights.

2. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right to Access: You have the right to request access to the personal data we hold about you, including information on how your data is used and who it is shared with.
  • Right to Rectification: You have the right to request that we correct any inaccuracies in your personal data.
  • Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data under certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.
  • Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data under certain conditions, such as when you contest the accuracy of the data.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to have that data transmitted to another data controller where technically feasible.
  • Right to Object: You have the right to object to the processing of your personal data where we are relying on legitimate interests as the legal basis.
  • Right to Withdraw Consent: Where we process your personal data based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in the EU/EEA member state where you live, work, or where the alleged infringement of GDPR took place.

3. Data Transfers Outside the EEA

Vitral AI, Inc. operates globally, and your personal data may be transferred to and processed in countries outside of the European Economic Area (EEA), including the United States. When we transfer your personal data outside the EEA, we ensure that it is protected by implementing appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): We rely on Standard Contractual Clauses approved by the European Commission as a primary mechanism to ensure that your data is protected to the same standard required within the EEA. These clauses impose contractual obligations on the recipient of the data to ensure its protection.
  • Adequacy Decisions: Where applicable, we may transfer data to countries that the European Commission has deemed to provide an adequate level of data protection, meaning that no additional safeguards are required.

Vitral AI, Inc. is committed to maintaining the highest standards of data protection. We regularly monitor legal developments related to international data transfers and will update our practices and mechanisms as needed to ensure compliance with the latest regulations and guidance from data protection authorities.

4. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The criteria used to determine our retention periods include:

  • The duration of your relationship with us: As long as you have an active account with us or continue to use our services.
  • Legal obligations: We may be required to retain your data for longer periods in order to comply with legal obligations.
  • Dispute resolution: We may retain your data as necessary to resolve disputes or enforce our agreements.

5. Security Measures

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Encryption: We use TLS (Transport Layer Security) to encrypt data in transit.
  • Access Controls: We restrict access to personal data to employees and service providers who need to know the information to process it on our behalf.
  • Data Hosting: Your data is securely hosted in First Class data centers in the United States, which comply with industry-leading security standards.

6. Automated Decision-Making and Profiling

Vitral does not currently describe its general platform operations as involving automated decision-making or profiling about users in the sense of making legal or similarly significant decisions about them. Platform automation may still be used to fulfill user requests, route tools or model calls, operate security measures, or support service functionality, but this policy does not characterize those service operations as user profiling or automated decision-making with legal or similarly significant effects.

7. Contact Information

If you have any questions or concerns about this GDPR Addendum or wish to exercise your GDPR rights, please contact our Data Protection Officer through our Support Section.

8. Updates to this GDPR Addendum

We may update this GDPR Addendum from time to time. Any changes will be effective immediately upon posting the updated addendum on our platform. Continued use of our services after any changes constitutes your acceptance of the new terms.

Responsible Disclosure Policy

At Vitral AI, Inc., the security and privacy of our users' data are of utmost importance. We are committed to maintaining a safe and secure environment for our platform, and we value the contributions of the security community in identifying and responsibly disclosing potential vulnerabilities. This Responsible Disclosure Policy outlines our approach to handling security issues and provides guidelines for reporting vulnerabilities.

1. Scope

This policy applies to any vulnerabilities or security issues discovered within our AI-based workflow organization platform, including but not limited to:

  • Web applications
  • Mobile applications
  • APIs
  • Backend systems and infrastructure
  • Cloud services and data storage

2. Reporting Vulnerabilities

If you believe you have discovered a vulnerability or security issue in our platform, we encourage you to report it to us as soon as possible. Please follow these steps when submitting a report:

  • Contact Information: Submit your report through our Support Section, where you can select the appropriate category for security-related issues.
  • Description: Provide a detailed description of the vulnerability, including the potential impact and any steps needed to reproduce the issue.
  • Supporting Evidence: Include any supporting evidence, such as screenshots, proof-of-concept code, or network traces, that can help us understand and address the vulnerability.
  • Your Contact Information: Provide your contact details so we can follow up with you if necessary.

3. Responsible Disclosure Guidelines

When reporting a vulnerability, please adhere to the following guidelines to ensure responsible disclosure:

  • No Exploitation: Do not exploit the vulnerability beyond what is necessary to demonstrate the issue. Avoid accessing, modifying, or deleting data without authorization.
  • No Public Disclosure: Do not publicly disclose the vulnerability or share it with others until we have had the opportunity to address it. This helps prevent malicious actors from exploiting the vulnerability before a fix is implemented.
  • Good Faith Cooperation: Work with us in good faith to verify the issue and implement a fix. Provide us with a reasonable amount of time to address the vulnerability before making any disclosures.
  • Legal Compliance: Ensure that your actions comply with all applicable laws. Unauthorized access to systems, data, or accounts without permission may be illegal.

4. Acknowledgments

We appreciate the efforts of security researchers and ethical hackers who help us enhance the security of our platform. Where appropriate, and with your consent, we will publicly acknowledge your contribution. If you prefer to remain anonymous, we will respect your privacy.

5. Our Commitment

In return for your responsible disclosure, we commit to:

  • Acknowledging Receipt: We will acknowledge receipt of your report within a reasonable time frame.
  • Investigating Promptly: We will investigate all valid reports and take appropriate steps to address any confirmed vulnerabilities.
  • Maintaining Communication: We will keep you informed of our progress in addressing the reported issue and notify you when it has been resolved.

6. Legal Considerations

Vitral AI, Inc. does not authorize or permit any activity that violates applicable laws. By submitting a vulnerability report, you agree that your research was conducted in accordance with all applicable laws and that you have made a good-faith effort to avoid privacy violations, data destruction, and service disruptions.

7. Contact Information

For any questions or concerns regarding this Responsible Disclosure Policy, please contact our security team through our Support Section.