Privacy Policy

1. Data Controller Information

The data controller responsible for your personal data is:

2. Information We Collect

We collect different types of data depending on which VertaaUX product surface you use. Below is a per-surface breakdown of the data we collect.

2.1 Web Application (vertaaux.ai)

• Account data: name, email address, and profile picture via OAuth providers (Google, GitHub)
• Audit data: URLs you submit for auditing and the resulting audit reports, scores, and recommendations
• Usage metrics: audit count, features used, subscription tier, and share link settings
• Technical data: IP address, browser type and version, device information, operating system, cookies, and session data

2.2 CLI (@vertaaux/cli)

• API key: stored locally on your machine at ~/.vertaaux/ and transmitted in HTTP headers for authentication
• Audit data: URLs you submit are sent to our API for processing
• Diagnostics: CLI version and operating system information for troubleshooting purposes

2.3 Browser Extension

• Page access: the extension is activated only on pages you explicitly choose to audit and accesses the DOM for analysis
• Preferences: extension settings stored in chrome.storage
• Not collected: the browser extension does not collect your browsing history, track your activity across websites, or run on pages you have not explicitly chosen to audit

2.4 VS Code Extension

• Workspace data: file scanning via the MCP protocol for providing in-editor audit feedback
• Configuration: extension settings you configure
• Not collected: the VS Code extension does not upload your source code to our servers

2.5 SDKs (JavaScript, Python)

• API key: transmitted in HTTP headers for authentication
• Request metadata: timestamps, SDK version, and runtime information
• Audit data: URLs you submit for auditing

2.6 GitHub Action

• Repository URL: used for context in CI/CD pipeline audits
• CI environment info: runner OS, GitHub Actions metadata
• API key: stored in GitHub Secrets and transmitted for authentication

2.7 MCP Server

• Tool call parameters: the parameters passed to MCP tools during invocation
• API key: used for authentication
• Not stored: conversation context from your AI assistant is not stored by VertaaUX

2.8 Mobile API

• Device ID: a unique device identifier for session management
• Authentication token: Apple Sign-In token and JWT session tokens
• Audit data: URLs you submit for auditing

2.9 REST API (v1)

• API key: transmitted in HTTP headers for authentication
• Request data: request IPs, audit URLs, and rate limit counters

3. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds as defined in Article 6:

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting our Data Protection Officer.

4. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the VertaaUX service across all product surfaces
• Process your UX audits, generate reports, scores, and actionable recommendations
• Authenticate your identity and manage your account and subscription
• Process payments and manage billing through our payment processor, Stripe
• Send transactional communications such as audit completion notifications, account updates, and security alerts
• Respond to your support requests and provide customer service
• Improve our services, develop new features, and fix bugs based on aggregated usage data
• Prevent fraud, detect abuse, and ensure the security of our platform
• Comply with legal obligations, including tax reporting and law enforcement requests
• With your consent, send marketing communications about product updates and new features

5. AI and Automated Processing

VertaaUX uses artificial intelligence and large language models (LLMs) to enhance the quality and depth of UX audit reports. This section discloses our use of AI in compliance with GDPR Article 22 (automated individual decision-making, including profiling).

5.1 AI Providers

We use the following AI providers for audit enrichment:

• Mistral AI SAS (France, EU) — LLM-powered audit analysis and recommendation generation
• OpenAI Inc. (USA) — LLM-powered audit analysis and recommendation generation

5.2 What Data Is Processed by AI

When you submit a URL for auditing, we send the following data to our AI providers for processing:

• The URL and publicly accessible content of the page being audited (HTML structure, text content, accessibility attributes)
• Extracted audit signals such as contrast ratios, heading hierarchy, navigation patterns, and interactive element attributes

We do not send your personal account data (name, email, payment information) to AI providers.

5.3 Automated Decision-Making (GDPR Art. 22)

AI-generated audit recommendations are informational and advisory in nature. They do not produce legal effects or similarly significantly affect you. Specifically:

• AI is not used for profiling, credit scoring, or automated decision-making with legal effects
• Audit scores are generated through a combination of deterministic algorithms and AI analysis; they are advisory and do not restrict your access to services
• You may request human review of any AI-generated audit finding by contacting support@vertaaux.ai

5.4 AI Data Retention

Audit data sent to AI providers is processed in real time and is not retained by the AI providers beyond the processing session. Our agreements with Mistral AI and OpenAI prohibit them from using your data to train their models.

6. Data Storage and Security

We implement industry-standard technical and organizational measures to protect your personal data:

• Encryption in transit: all data is transmitted using TLS 1.3 encryption. All API endpoints enforce HTTPS.
• Encryption at rest: database storage uses AES-256 encryption. Backups are encrypted.
• Authentication: we use OAuth 2.0 for user authentication. We never store passwords.
• Access control: internal access to personal data is restricted to authorized personnel on a need-to-know basis and protected by multi-factor authentication.
• Monitoring: we use Sentry for error tracking and performance monitoring to detect and respond to security incidents.
• Backups: encrypted database backups are retained for 30 days and automatically deleted thereafter.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The specific retention periods are:

When data reaches the end of its retention period, it is securely deleted or anonymized. You may request earlier deletion of your data by exercising your rights described in Section 11.

8. Sub-processors and Third-Party Services

We use the following sub-processors to provide and operate our service. Each sub-processor is bound by a data processing agreement and processes data only in accordance with our instructions.

We maintain a live, up-to-date list of sub-processors at /subprocessors. We will notify you at least 30 days in advance of adding any new sub-processor, giving you the opportunity to object.

9. Cookies

9.1 Essential Cookies

We use strictly necessary cookies that are essential for the operation of our service. These cookies do not require consent under GDPR and the ePrivacy Directive. They include:

• Authentication and session management cookies
• Security and CSRF protection cookies
• Cookie consent preference storage

9.2 Optional Analytics Cookies

If you choose to enable analytics cookies, we use Google Analytics to understand aggregated usage patterns (for example, page visits and feature usage) so we can improve the product. These cookies are only set if you explicitly opt in. If you do not opt in, Google Analytics is not loaded and no analytics cookies are set.

You can also disable cookies in your browser settings, but some features may not work properly. For full details, see our Cookie Policy.

10. International Data Transfers

As a Finnish company, your data is subject to GDPR. Some of our sub-processors are located in the United States, which the European Commission has not deemed to provide an adequate level of data protection by default. We safeguard international data transfers through the following mechanisms:

• EU-US Data Privacy Framework (DPF): where our US-based sub-processors are certified under the EU-US Data Privacy Framework, transfers are made on the basis of the European Commission's adequacy decision of 10 July 2023.
• Standard Contractual Clauses (SCCs): all US-based sub-processors have executed the European Commission's Standard Contractual Clauses (2021/914) as a supplementary transfer mechanism.
• Transfer Impact Assessments (TIAs): we conduct Transfer Impact Assessments for each sub-processor to evaluate the legal framework in the recipient country and the effectiveness of the supplementary measures in place.
• EU data residency option: for Enterprise customers, we offer the option to ensure all data is processed and stored exclusively within the European Union. Contact enterprise@vertaaux.ai for details.

11. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights with respect to your personal data. You may exercise any of these rights by contacting us at privacy@vertaaux.ai or our Data Protection Officer at dpo@vertaaux.ai. We will respond to your request within 30 days.

• Right of access (Art. 15) — request a copy of the personal data we hold about you
• Right to rectification (Art. 16) — request correction of inaccurate or incomplete personal data
• Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten")
• Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
• Right to restriction of processing (Art. 18) — request that we restrict the processing of your personal data under certain circumstances
• Right to object (Art. 21) — object to processing based on legitimate interest, including direct marketing
• Right to withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal
• Right to lodge a complaint with a supervisory authority — you have the right to file a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) or the supervisory authority of the EU member state where you reside. Contact details: PO Box 800, 00531 Helsinki, Finland — tietosuoja.fi

12. Your Rights Under CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

• Right to know — you may request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to delete — you may request deletion of personal information we have collected from you, subject to certain exceptions
• Right to opt out of sale — we do not sell your personal information. We have never sold personal information and have no plans to do so.
• Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights

To exercise your CCPA rights, contact us at privacy@vertaaux.ai.

13. Data We Do Not Collect

Transparency is a core value. We want to be equally clear about what we do not do with your data:

• We do not store the content of audited websites beyond the duration of the audit processing session
• We do not retain screenshots beyond the audit processing session
• We do not sell, rent, or trade your personal information to third parties
• We do not use your data for advertising or ad-targeting purposes
• We do not track you across other websites (no cross-site tracking)
• Our browser extension does not collect your browsing history or monitor pages you have not explicitly chosen to audit
• Our VS Code extension does not upload your source code to our servers
• Our MCP server does not store conversation context from your AI assistant

14. Children's Privacy

Our service is not intended for and is not directed at children under the age of 13. In accordance with GDPR Article 8 and Finnish law, we do not knowingly collect personal data from children under 13 years of age.

If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information as quickly as possible. If you believe that a child under 13 has provided us with personal data, please contact us immediately at privacy@vertaaux.ai.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this policy, we will:

• Provide at least 30 days' notice before the changes take effect
• Notify you by email (if you have an account) and by posting a prominent notice on our website
• Update the "Last updated" date at the top of this page

We encourage you to review this Privacy Policy periodically. Your continued use of the service after the effective date of a revised policy constitutes your acceptance of the changes.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us through the following channels: