Vestora Inc. · Legal

Privacy Policy

Last updated June 8, 2026

Working draft prepared for Vestora Inc. — provided in good faith but not yet reviewed by legal counsel. Have it reviewed before relying on it commercially.

This policy explains how Vestora Inc. (“Vestora”, “we”) handles personal data in connection with the Vestora customer-relationship management platform (the “Service”). It is written to meet GDPR/UK GDPR expectations as well as general privacy best practice.

1. Who we are

The Service is operated by Vestora Inc., a corporation registered in Canada. For privacy questions or to exercise your rights, contact junaid@vestora.xyz. Where required, our EU/UK representative can be reached at the same address.

2. Our role — controller vs processor

The Service is provided to business customers. Two distinct relationships apply:

  • Customer CRM data (the contacts, notes, messages and files a customer puts into their workspace): the customer is the data controller and Vestora is a data processor acting on the customer’s instructions. The customer’s own privacy notice governs how they use it; see our Data Processing Addendum.
  • Account & operational data (the login accounts, billing, and technical logs we need to run the Service): Vestora is the controller, and this policy applies.

3. What we collect

  • Account data — name, work email, role, and a securely hashed password.
  • Customer CRM content — whatever a customer enters or imports (contacts, interactions, documents). Processed on the customer’s behalf.
  • Connected-service data — when a customer connects a mailbox or calendar, the messages/events within the scope they authorise. OAuth tokens are stored encrypted.
  • Technical data — IP address, timestamps, and minimal request logs used for security, uptime and abuse-prevention.
  • We do not use third-party advertising trackers, and we do not sell personal data.

4. How and why we use it

  • To provide, secure and maintain the Service.
  • To run the AI features (summaries, drafting, tagging) — these run on the customer’s own AI-provider key, or a built-in offline fallback, on the customer’s instruction.
  • To authenticate users and protect against unauthorised access and abuse.
  • To communicate about the Service (operational notices, support).

5. Legal bases (GDPR)

  • Performance of a contract — to deliver the Service to our customer.
  • Legitimate interests — securing the platform, preventing abuse, and basic service operation, balanced against your rights.
  • Consent — where you connect an optional integration, or opt in to a feature such as the credential Vault.
  • Legal obligation — where we must retain or disclose data by law.

6. Sub-processors & sharing

We use a small number of vetted sub-processors to run the Service:

  • Hosting — Hetzner Online GmbH (data centres in the EU/Germany).
  • AI providers — only the provider whose key a customer supplies (e.g. Anthropic, OpenAI, Google), used at the customer’s instruction.
  • Email/calendar providers — Google / Microsoft, only via the OAuth scope a customer authorises.

We share personal data only with these sub-processors, where required by law, or to protect rights and safety. We never sell it.

7. International transfers

Data is hosted in the EU. Where data is transferred outside the EU/UK (for example a customer’s chosen AI provider), we rely on appropriate safeguards such as the EU Standard Contractual Clauses.

8. Security

  • Each customer runs on an isolated stack with its own database — never shared with another customer.
  • Sensitive secrets (OAuth tokens, the AI key, Vault entries) are encrypted at rest with AES-256-GCM.
  • Access is over HTTPS, behind authentication; the servers are firewalled with key-only administrative access.
  • No system is perfectly secure; we maintain reasonable, regularly reviewed measures and a breach-response process.

9. Retention

We keep account and operational data for as long as the customer relationship is active, then delete or anonymise it within a reasonable period unless a longer term is required by law. Customer CRM content is retained and deleted per the customer’s instructions (see the DPA).

10. Your rights

Subject to applicable law, you may request to:

  • access the personal data we hold about you;
  • correct inaccurate data, or have it erased;
  • restrict or object to certain processing;
  • receive your data in a portable format.

If you are a customer’s contact or end-user, please contact that customer (the controller) first; we will assist them. To exercise rights against Vestora as controller, email junaid@vestora.xyz. You may also complain to your local data-protection authority.

11. Cookies

The Service uses a single, strictly necessary session cookie to keep you signed in. We do not use advertising or cross-site tracking cookies, so no cookie-consent banner for non-essential cookies is required.

12. Children

The Service is a business tool and is not directed to children. We do not knowingly collect data from anyone under 16.

13. Changes & contact

We will post any changes here and update the date above; customers will be notified of material changes. Questions: junaid@vestora.xyz.