Privacy Policy
⚠️ TEMPLATE — NOT LEGAL ADVICE. Review with qualified counsel and complete all
[PLACEHOLDERS] before publishing. Drafted GDPR-first for an EU member state.
Effective date: [EFFECTIVE DATE]
Controller for this Policy: [COMPANY LEGAL NAME], [REGISTERED ADDRESS] ("we", "us").
Contact / privacy enquiries: [PRIVACY EMAIL] · Data Protection Officer (if appointed): [DPO NAME / CONTACT].
This Policy explains how we process personal data when you use the Vinea service (the "Service"). It covers two distinct roles, which is important under the GDPR:
- We are the controller for data about our customers and their account users (e.g. who signs up and uses Vinea).
- The customer is the controller, and we are the processor, for the prospect/importer contact data that flows through the Service (discovered, scored, and contacted on the customer's behalf). For that processing, our Data Processing Agreement governs, and the customer's own privacy notice applies to the people they contact.
1. Data we process as controller (about account users)
| Category | Examples | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|---|
| Account & identity | name, work email, organisation | create and manage your account | contract (6(1)(b)) |
| Usage & device | log data, IP, actions in the app | operate, secure, and improve the Service | legitimate interests (6(1)(f)) |
| Billing | plan, payment status | take payment, accounting | contract / legal obligation (6(1)(b),(c)) |
| Support | messages you send us | respond to you | legitimate interests (6(1)(f)) |
2. Data we process as processor (prospect/importer data)
On the customer's instructions, the Service collects business-contact information about prospective importers from public and third-party sources (e.g. company websites via automated search and scraping), stores it, scores it for fit using AI, and sends and tracks outreach. This may include names, roles, business email addresses, and company details. The customer determines the purposes and means of this processing and is responsible for the lawful basis (typically legitimate interests for B2B prospecting) and for honouring data-subject rights and objections/opt-outs.
3. Sub-processors
We use the following sub-processors to provide the Service. [Keep current and notify customers of changes per the DPA.]
| Sub-processor | Function | Location / transfer mechanism |
|---|---|---|
| Vercel Inc. | Hosting & compute | [US/EU — SCCs as applicable] |
| Anthropic (via Vercel AI Gateway) | AI model inference (extraction, scoring, drafting) | [US — SCCs; zero-retention via Gateway where configured] |
| Firecrawl | Web search & scraping of public sources | [verify location / SCCs] |
| Resend | Outbound email delivery | [verify location / SCCs] |
We do not use prospect data or Customer Data to train AI models, and we configure AI processing for zero data retention where the provider supports it. [Confirm and keep accurate.]
4. International transfers
Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and/or adequacy decisions. [Confirm specifics with counsel.]
5. Retention
We retain account data for the life of the account and as required for legal, accounting, and security purposes. Prospect/importer data is retained per the customer's instructions and the DPA, and deleted or returned on termination, subject to legal retention obligations and backup cycles.
6. Your rights (GDPR)
Subject to conditions, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with your supervisory authority. For data we process as processor (prospect data), please direct requests to the relevant customer (the controller); we will assist them as required. To exercise rights regarding data we control, contact [PRIVACY EMAIL].
7. Security
We implement technical and organisational measures appropriate to the risk (encryption in transit, access controls, least privilege, logging). No system is perfectly secure; we will notify affected parties and authorities of personal-data breaches as required by law.
8. Cookies / similar technologies
[Describe cookies/local storage used for authentication and essential functionality, and any analytics. Provide a cookie notice/consent mechanism if non-essential cookies are used, per ePrivacy.]
9. Children
The Service is not directed to, and may not be used by, anyone under 18.
10. Changes
We may update this Policy; material changes will be notified through the Service or by email.
11. Contact
Questions or requests: [PRIVACY EMAIL] — [COMPANY LEGAL NAME], [REGISTERED ADDRESS].