Global Data Protection Policy

Introduction

VECTOR (referred to as "we," "us," or "our") is committed to protecting the privacy and personal data of our users and customers worldwide. We operate in compliance with major data protection laws, including the EU General Data Protection Regulation (GDPR) and UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable data protection regulations.

This Policy explains what personal data we collect, how and why we process it, and the rights you have regarding your data. By using our digital services (including our websites, newsletter, and backend systems), you acknowledge that you have read and understood this Data Protection Policy.

Scope of this Policy

This Policy applies globally to all personal data processed by VECTOR in the context of our digital services – including our public websites, newsletter subscriptions, and any related online services or backend systems. It covers all users of our services, regardless of their country of residence, ensuring a consistent level of privacy protection. We may provide additional privacy notices for specific products, services, or regions as required by local laws, but unless specifically stated, those should be read together with this global Policy.

Personal Data We Collect and Use

In the last 12 months, we have collected the following categories of personal data (as defined under relevant laws) from users of our services:

• Identification and Contact Data: This includes your name and email address. We collect this information when you create an account, subscribe to our newsletter, or otherwise provide it to us. We use it to identify you, personalize your experience, and communicate with you (e.g., sending service updates or the newsletter).
• Technical Information: We collect data such as IP addresses and hardware or device fingerprints. An IP address identifies the internet connection used, and a hardware fingerprint is a unique device identifier derived from your device's attributes (used to recognize your device on our systems). This technical data is collected automatically when you interact with our website or services. It helps us with security (e.g., detecting suspicious logins), fraud prevention, and analytics to improve our services. These identifiers (like IP and device IDs) are considered personal data under laws like CCPA and GDPR.
• Payment and Transaction Data: If you make purchases or subscribe to paid services, we (or our payment processors) collect information needed to process the transaction. This may include your payment card details or payment account information, billing address, and transaction history. We use this data to process payments, provide the purchased services, and for related record-keeping (such as invoicing and complying with financial regulations). For security, we do not store full payment card numbers on our systems; payments are handled via accredited third-party payment providers.
• Usage Data (Logs and Analytics): When you use our website or backend systems, we may collect log data about your interactions. This can include timestamps of visits, pages or features used, browser type, and operating system. We use this information to administer and improve our services, fix performance issues, and understand user engagement. Where possible, we aggregate or anonymize this data so it no longer identifies you personally.

We do not knowingly collect any sensitive personal data such as government ID numbers, health information, or biometric data through our standard services. We also do not direct our services to children under the age of 13 (or applicable minimum age in your jurisdiction), and we do not knowingly collect data from such minors without parental consent. If you believe a child has provided us personal data, please contact us so we can delete it.

Purposes of Processing Personal Data

We process the personal data described above for the following purposes, and we ensure that each purpose has a valid legal basis under applicable law (such as GDPR):

• Providing and Improving Our Services: We use personal data to operate the website and backend systems, to create and manage user accounts, and to provide the features you request. For example, we use your name and email to register your account and to allow you to log in, and we use IP addresses/hardware fingerprints to deliver content to your device and maintain session security. We also analyze usage data to debug, improve performance, and develop new features. Legal basis: This is generally necessary for the performance of a contract with you (for users who have signed up) or is within our legitimate interests in running and improving a safe, efficient service.
• Communications and Newsletter: If you subscribe to our newsletter or have an account, we use your email (and possibly name) to send you the newsletter, updates about our services, or relevant promotional content. We only send you marketing emails if you have consented to receive them (for example, by signing up to our newsletter) or if otherwise permitted by law. You can opt out of marketing communications at any time by clicking the unsubscribe link in our emails or contacting us. Legal basis: Consent (for non-essential communications) or our legitimate interest in keeping our users informed about updates (where applicable).
• Payment Processing and Order Fulfillment: We use payment and contact data to process transactions when you make a purchase or subscription, and to deliver the paid features or services to you. This includes sending purchase confirmations, invoices, or receipts, and facilitating any renewals or refunds. Legal basis: Performance of a contract (fulfilling our agreement to provide the paid service) and compliance with legal obligations (financial and tax regulations may require us to retain transaction records).
• Security and Fraud Prevention: Personal identifiers like IP addresses and device fingerprints are used to protect our services and our users against fraud, abuse, and security risks. For example, we may use this data to detect multiple accounts, prevent unauthorized access, and monitor for malicious activities. We also keep logs to ensure network and information security. Legal basis: Legitimate interests – it is in our interest (and our users' interest) to keep our services secure and prevent misuse. In some cases, we may also have a legal obligation to implement certain security measures.
• Legal Compliance: In certain cases, we need to process or retain personal data to comply with laws and regulations. For instance, we may retain transaction data to satisfy accounting laws, or disclose information if required by court order or regulatory authorities. We will only do so when lawfully required. Legal basis: Compliance with a legal obligation.
• Other Purposes (with Notice): If we intend to process personal data for a purpose that is not incompatible with the above, we will provide notice to you (and collect consent if required). We will always ensure a valid lawful basis for any new processing purpose, and will not use your personal data in a manner that is unfair or misleading.

Legal Bases for Processing (GDPR/UK GDPR)

For individuals in the European Economic Area (EEA) and the UK, we must have a legal basis under the GDPR/UK GDPR for processing your personal data. As noted above, the main legal grounds we rely on are: Consent, Performance of Contract, Legal Obligation, and Legitimate Interests. Below is a brief explanation of these bases and how they apply:

• Consent: We will request your clear and affirmative consent before processing your data for optional purposes. For example, we ask for consent to send promotional emails or to collect certain analytics cookies. Where consent is given, you have the right to withdraw it at any time (see Your Rights below). We do not process your data based on consent if another legal basis applies, and we will make it as easy to withdraw consent as it is to give it.
• Performance of a Contract: When processing is necessary to provide you with services that you have requested or signed up for, we rely on this basis. This covers most of our core service operations – e.g., when you create an account or make a purchase, we must use your personal data to fulfill our obligations to you (provide access, deliver the service, etc.). Without this data, we cannot perform the contract.
• Legal Obligation: If we are subject to a legal or regulatory obligation that requires processing of personal data, we will process data on this basis. Examples include retaining transaction records for tax law, responding to government data requests where legally compelled, or complying with consumer protection laws. We only process the data necessary for compliance and only retain it for as long as required by law.
• Legitimate Interests: We process certain data as needed for legitimate interests of our business or of third parties, provided that those interests are not overridden by your fundamental rights and freedoms. We have carefully balanced our interests with your privacy. Processing under this basis includes uses such as securing our platform, preventing fraud, improving user experience, and (in some cases) limited marketing to existing customers. For example, collecting IP addresses to prevent abuse is within our legitimate interests. Important: If we rely on legitimate interests, you have the right to object to such processing (see Your Rights below), and we will honor such objections unless we have compelling legitimate grounds to continue or the processing is needed for legal claims.

(Note: We do not typically rely on the less common GDPR bases of "vital interests" or "public interest," which apply to rare situations like life-and-death emergencies or official public duties. If those ever become relevant, we will update this Policy accordingly.)

Disclosure of Personal Data to Third Parties

We do not sell your personal information to third parties and have not sold personal data in the past 12 months. However, we do share certain personal data with trusted third-party service providers and partners who help us operate our business ("data processors" or service providers). When we share data, we ensure it is handled in accordance with this Policy and applicable law (through contracts or Data Processing Addendums). The categories of recipients of personal data include:

• Hosting and Infrastructure Providers: We host our websites and backend systems on cloud platforms such as Vercel and other cloud providers. These providers may process personal data (e.g. storing account information or serving our webpages to you) as part of providing us with cloud infrastructure. They act under our instructions and implement security measures to protect your data.
• Email Delivery Services: We use third-party email platforms (for example, SendGrid by Twilio) to send out transactional emails (such as verification emails or receipts) and newsletter communications. These services will have access to your email address (and name, if included in the email content) for the purpose of sending emails on our behalf. They are not permitted to use your email for any other purposes.
• Payment Processors: For handling payments and billing securely, we rely on accredited payment processing companies (such as Stripe, PayPal, or similar). When you enter payment information, it is transmitted directly to the payment processor; we receive confirmation of payment and limited details (e.g., last four digits of a card, payment token, transaction ID). Our payment processors are compliant with PCI-DSS and other applicable financial data security standards.
• Analytics and Usage Tracking Partners: To better understand how our services are used, we may utilize analytics services that collect usage data (which can include IP address or device identifiers). For example, we might use a web analytics tool to collect aggregated statistics on page views or feature usage. Where required, we will obtain consent for such analytics (e.g., via a cookie consent banner in EU jurisdictions). Data shared with analytics providers is typically pseudonymized or aggregated.
• Anti-Fraud and Security Partners: We may share information like IP addresses or device fingerprints with services that help us detect fraud or prevent security incidents. For instance, we could use a service that analyzes device data to flag suspicious activities (such as automated bots or repeat fraudulent transactions). These partners only use the data to provide their fraud detection service to us and are bound by confidentiality.
• Business Advisors and Legal: In certain cases, our professional advisors (lawyers, accountants, auditors) may need to access some personal data if it is necessary for advising us (for example, reviewing a contract you have with us or auditing our financial statements). These parties are also legally and contractually obligated to keep such information confidential.
• Legal or Regulatory Recipients: We may disclose personal data when required by law or necessary to protect our rights. For example, if we receive a legitimate legal order (such as a subpoena or court order) or a government demand under applicable law, we may be obligated to disclose certain data. We will carefully review such requests and only comply if legally required. We may also disclose information if necessary to enforce our terms of service or to protect against legal liability or security threats.

All third-party processors acting on our behalf only process your personal data for the specific purposes we have contracted them for, and in line with this Policy. We do not permit our service providers to use your data for their own marketing or other independent purposes. A list of our key subprocessors can be provided upon request.

International Data Transfers

Given the global nature of our operations and the use of cloud technologies, personal data may be transferred to or accessible by entities in other countries. For example, if you are located in the EU/UK, your personal data might be processed on servers located in the United States or other jurisdictions where our service providers (like Vercel or SendGrid) maintain facilities. We take steps to ensure that international data transfers comply with applicable data protection laws:

• Adequacy and Safeguards: Whenever we transfer personal data out of the EU/EEA or other regions with data export restrictions, we will ensure an adequate level of protection. In most cases, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as part of our contracts with service providers, which legally require them to protect EU personal data. We also evaluate supplementary measures (encryption, access controls) as needed.
• US and Other Jurisdictions: Our U.S.-based service providers adhere to high security standards. Some may also certify under frameworks like the EU-US Data Privacy Framework (if applicable) or similar schemes, to facilitate compliant data transfer. Regardless of location, we contractually bind all recipients to uphold privacy protections comparable to those under your local law.
• Your Rights Regarding Transfers: If you are a resident of the EU/UK, you have the right to request details about the transfer safeguards we implement (such as a copy of the relevant contractual clauses). Please contact us if you have questions related to cross-border data transfers.
• Data Localization: Unless otherwise required by law, we do not generally mandate that data be stored in a specific country. However, we maintain strong security and access control practices globally to ensure your data is safe wherever it is processed.

By using our services or submitting your information to us, you understand that your personal data may be transferred and stored in countries other than your own. Regardless of where processing occurs, we will protect your data to the standards outlined in this Policy.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal or business requirements. Retention periods vary depending on the type of data and the purpose of processing:

• Account Information: We keep your account registration data (like name, email) for as long as your account is active. If you choose to delete your account or it remains inactive for an extended period, we will delete or anonymize this data, unless we need to retain it for legal reasons.
• Newsletter Subscription: We retain your email on our mailing list until you unsubscribe or withdraw consent. Upon opt-out, we will stop sending you newsletters and promptly remove or suppress your contact from our active mailing lists.
• Transaction Records: We may retain payment and transaction data for a longer period as required by law (for example, financial records must be kept for a minimum number of years under tax laws). Typically, this is 5-7 years, or as mandated by local regulations. Such data will be restricted in use to compliance and audit purposes only.
• Logs and Analytics: Server logs and analytics data are generally retained for a short period (e.g., 6-12 months) for the purpose of security monitoring and trend analysis, then either deleted or anonymized. Aggregated data that no longer identifies individuals may be kept longer for historical service performance analysis.
• Legal Holds: If we are involved in litigation or receive a legal request, we may need to preserve certain data until the matter is resolved. In such cases, deletion may be postponed for the relevant data until it is legally safe to delete it.

When we no longer have a legitimate need to retain your personal information, we will securely delete it or anonymize it. If deletion is not immediately possible (for example, because the data is stored in backup archives), we will isolate it from any further processing until deletion is feasible.

Data Security

We take data security seriously and have implemented a range of technical and organizational measures to protect your personal data against unauthorized access, loss, or alteration. These include encryption of data in transit (e.g., TLS for our website), access controls restricting who within our organization and our processors can access personal data, regular security audits, and employee training on data protection. We also pseudonymize or encrypt sensitive information where appropriate, and we monitor our systems for possible vulnerabilities and attacks.

While we follow industry best practices to safeguard data, please note that no system can be guaranteed 100% secure. We encourage you to use unique and strong passwords for your account and to notify us immediately if you suspect any unauthorized access to your account or personal data. In the event of a data breach that poses a significant risk to your rights and freedoms, we will notify the affected individuals and relevant authorities as required by law (for example, under GDPR we would notify the supervisory authority and you within the mandated time frame).

Your Rights as a Data Subject/Consumer

We respect your rights to control your personal information. Depending on your location and the applicable law, you may have some or all of the following rights regarding your personal data:

• Right to Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to obtain a copy of the personal data we hold about you. This is sometimes called the "right to know" under CCPA – California residents can request a report outlining the specific pieces and categories of personal information we have collected about them in the past 12 months, along with details about the sources, purposes, and third parties with whom we share it.
• Right to Rectification/Correction: You have the right to have inaccurate personal data corrected and to have incomplete data completed. If any of your information we hold is incorrect or has changed (for example, you've changed your email address), please inform us so we can update it. California residents have a similar right to request correction of inaccurate information.
• Right to Deletion: You have the right to request that we delete your personal data. For EU/UK individuals, this is the GDPR "right to erasure" (or "right to be forgotten"); for California consumers, the CCPA right to delete personal information applies (subject to certain exceptions). Upon a verified deletion request, we will erase your personal data from our records, and direct our service providers to do the same, unless retention is required by law or exempted (for example, we might not delete information needed for an ongoing transaction or necessary to comply with a legal obligation).
• Right to Restrict Processing: If you believe your data is inaccurate or is being processed unlawfully, or if you have objected to our processing (see below), you can request that we restrict processing of your data. This means we will store your data but temporarily refrain from using it for the stated purpose until the issue is resolved.
• Right to Object: You have the right to object to our processing of your personal data when we process it under a legitimate interest basis or for direct marketing. For example, you can object to us using your data for marketing; if you do, we will stop using your data for that purpose. In other cases, we will cease processing unless we have compelling legitimate grounds to continue (or if the processing is needed for legal claims).
• Right to Data Portability: For data you provided to us and that we process by automated means on the basis of consent or contract, you have the right to request a copy in a portable format (e.g., a common machine-readable format) so you can reuse it or transfer it to another provider. Where technically feasible, you can also request that we directly transfer the data to another company at your direction.
• Right to Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. Once you withdraw consent, we will stop the specific processing that was based on consent. For example, you can unsubscribe from our newsletter to withdraw consent for marketing emails, and we will stop sending them. Withdrawal of consent will not affect the lawfulness of any processing done before you withdrew consent.
• Right to Not Be Subject to Automated Decisions: We do not currently make any decisions about you that are solely based on automated processes (without human involvement) and that produce legal or similarly significant effects. If that changes, you would have the right not to be subject to such decisions without your explicit consent or other legal justification. You would also have the right to request human review of any automated decision.
• California "Do Not Sell or Share" Rights: As noted, we do not sell personal information. If in the future we ever considered "selling" your personal data (as defined by CCPA/CPRA) or sharing it for cross-context behavioral advertising, we would provide a "Do Not Sell or Share My Personal Information" link on our website and honor opt-out preferences (including Global Privacy Control signals). Since we do not sell or share data, this opt-out is not applicable other than as a formal right.
• Right to Non-Discrimination: We will never discriminate or retaliate against you for exercising any of your privacy rights. This means, for instance, we will not deny you goods or services, charge you a different price, or provide a different level of quality because you exercised your rights under CCPA or GDPR. Your access to our services will remain the same regardless of whether you choose to exercise privacy rights.

These rights are subject to certain legal limitations. For example, we might not be able to delete your data if we are legally required to keep it, or we may refuse a request if it is manifestly unfounded or excessive. We will inform you if any such limitations apply in the course of fulfilling your request.

Exercising Your Rights

To exercise any of your rights described above, please contact us using the contact details in the Contact Us section below. For clarity:

• How to Make a Request: You can send us an email or a written request specifying which right you wish to exercise. Please provide enough information to identify you (we may ask you to verify your identity to ensure we do not disclose data to the wrong person). If you have an account, you may need to write from the email associated with that account or provide other identifying information. California residents can also designate an authorized agent to make requests on their behalf; we will require the agent to provide proof of authorization and also verify your identity directly with us.
• Response Timeframe: We will respond to your request as soon as possible and, in any case, within the timeframe required by law. Under GDPR/UK law, this is typically within 1 month. Under CCPA, we aim to confirm receipt within 10 days and respond within 45 days (with an extension of an additional 45 days if reasonably necessary). You will be informed if an extension is needed.
• Verification: For certain requests (like access or deletion under CCPA), we are required to verify your identity to a "reasonable degree of certainty" (or a higher degree for sensitive requests) before responding. This may involve asking you to provide information that we can match with data we already have (such as details of your last transaction or your user profile information). We will only use this verification data for confirming identity and security purposes.
• Format of Response: If you requested access to your data, we will provide it in a secure format. For portability requests, we will provide the data in a commonly used machine-readable format (like CSV or JSON). If we deny your request (fully or partially), we will explain the reasons, except where we are legally prevented from doing so.
• No Fee (Generally): You will not have to pay a fee to exercise your rights. However, if a request is excessive or repetitive, the law permits us to either charge a reasonable fee or refuse the request. We will of course inform you of any such decision and reasons for it.

If you have any questions about your rights or how to exercise them, feel free to reach out to us. We are here to help and committed to honoring your rights to the fullest extent required by law.

Contact Us (Data Protection Inquiries)

If you have any questions, concerns, or requests regarding this Data Protection Policy or your personal data, please contact us at:

We are happy to assist with any inquiries about our privacy practices. If you contact us by mail, please label your communication "Data Protection Inquiry" so it can be directed appropriately.

For users in the EU/EEA or UK: VECTOR is the data controller responsible for your personal data. You also have the right to lodge a complaint with a supervisory authority (such as your national Data Protection Authority, or the UK Information Commissioner's Office) if you believe our processing of your personal data violates the law. We kindly ask that you first give us the opportunity to address your concerns by contacting us directly, and we will do our best to resolve any issues.

Updates to This Policy

We may update this Data Protection Policy from time to time in response to changing legal, technical, or business developments. When we update the Policy, we will post the new version on our website and update the "Last Updated" date at the top. If changes are material, we may also notify you by email or through a notice on our site, prior to the changes taking effect. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

By continuing to use our services after any updates become effective, you acknowledge the revised Policy. We will not reduce your rights under this Policy without your explicit consent.