Privacy Policy (GDPR & CCPA Compliant)

Last updated: November 18, 2025

Quick Summary: We collect only essential data (email, name, uploaded images) to provide our vectorization service. Your images are deleted immediately after conversion (within seconds). We never sell your data. You have full rights to access, delete, or export your information at any time.

Introduction

VectoSolve ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our image vectorization service at vectosolve.com.

This policy complies with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). If you are a resident of the European Economic Area (EEA), United Kingdom, or California, you have specific rights detailed in this policy.

Data Controller Information

Data Controller: VectoSolve

Contact Email: support@vectosolve.com

Data Protection Officer (DPO): dpo@vectosolve.com

Website: www.vectosolve.com

Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): Processing is necessary to provide the vectorization service you requested
  • Consent (Art. 6(1)(a)): You explicitly consent to data collection when creating an account or using OAuth
  • Legitimate Interests (Art. 6(1)(f)): Fraud prevention, security, and service improvement
  • Legal Obligation (Art. 6(1)(c)): Compliance with tax, accounting, and legal requirements

1. Information We Collect

When you use VectoSolve, we collect the following types of information:

1.1 Google User Data

When you sign in with Google OAuth, we collect:

  • Your email address
  • Your name (first and last name)
  • Your Google profile picture (optional)
  • Basic account information necessary for authentication

1.2 User-Generated Content

  • Images you upload for vectorization (PNG, JPG, WEBP files)
  • Converted SVG files and conversion settings
  • API tokens you create for programmatic access

1.3 Payment Information

  • Payment transaction data (processed securely by Stripe)
  • Billing information and credit balance

1.4 Usage Data

  • Conversion history and timestamps
  • Credit usage and transaction logs
  • Browser type, device information, and IP address

2. How We Access, Use, Store, and Share Your Data

2.1 Data Access

We access your Google user data solely through the official Google OAuth 2.0 API for authentication purposes. We only request the minimum permissions necessary to provide our service (email and basic profile information).

2.2 How We Use Your Data

We use your information to:

  • Authenticate your account and provide secure access to our services
  • Process your images and convert them to SVG format
  • Manage your credit balance and process payments
  • Maintain your conversion history for your reference
  • Provide customer support and respond to your inquiries
  • Improve and optimize our vectorization service
  • Comply with legal obligations

2.3 Data Storage and Retention Periods

Your data is securely stored using Supabase (PostgreSQL database) hosted in secure data centers with industry-standard encryption. User authentication data is encrypted at rest, and is encrypted in transit using TLS 1.3.

Retention Periods:

  • Uploaded Images: Deleted immediately after conversion (within 5 seconds) - NEVER stored permanently
  • Converted SVG Files: Stored in your conversion history until you delete them or close your account
  • Account Data: Retained while your account is active and for 30 days after account deletion request
  • Payment Records: Retained for 7 years for tax and legal compliance (GDPR Art. 6(1)(c))
  • Usage Logs: Retained for 90 days for security and fraud prevention
  • API Tokens: Retained until manually revoked or account deletion

2.4 Data Sharing

We do not sell, rent, or trade your personal information or Google user data to third parties. We only share your data with the following trusted service providers who help us operate our service:

  • Google OAuth - For secure authentication (Google Privacy Policy applies)
  • Stripe - For secure payment processing (Stripe Privacy Policy applies)
  • Supabase - For secure database storage (Supabase Privacy Policy applies)
  • Recraft AI - For AI-powered image vectorization processing (Recraft Privacy Policy applies)

These third-party service providers are contractually obligated to protect your data and use it only for the purposes we specify. We may also disclose your information if required by law, court order, or government regulation.

3. Data Protection and Security

We implement industry-leading security measures to protect your data from unauthorized access, disclosure, alteration, or destruction:

3.1 Technical Security Measures

  • Transport Layer Security: All data transmission encrypted using TLS 1.3 protocol with HTTPS
  • HSTS (HTTP Strict Transport Security): Enforced to prevent downgrade attacks
  • Database Encryption: Data encrypted at rest using AES-256 encryption
  • Password Security: Passwords hashed using bcrypt with salt (never stored in plaintext)
  • API Token Security: Tokens generated with cryptographically secure randomness (64-byte hex)
  • Row Level Security (RLS): Database policies ensure users can only access their own data
  • OAuth 2.0: Industry-standard authentication protocol for Google sign-in
  • Rate Limiting: Protection against brute-force attacks and API abuse

3.2 Organizational Security Measures

  • Access to user data limited to authorized personnel only (principle of least privilege)
  • Regular security audits and vulnerability assessments
  • Security updates applied promptly to all systems
  • Staff training on data protection and privacy best practices
  • Incident response plan in place for security breaches

3.3 Security Headers

Our application implements the following security headers:

  • X-Frame-Options: SAMEORIGIN - Prevents clickjacking attacks
  • X-Content-Type-Options: nosniff - Prevents MIME type sniffing
  • Referrer-Policy: origin-when-cross-origin - Controls referrer information
  • Content-Security-Policy - Mitigates XSS and injection attacks

4. Data Retention and Deletion

Retention: We retain your account information and conversion history as long as your account is active. Your Google user data is stored only as long as necessary to provide our services.

Deletion: You can request deletion of your account and all associated data at any time by contacting us at support@vectosolve.com. Upon account deletion:

  • Your Google user data (email, name, profile) will be permanently deleted
  • Your conversion history will be removed
  • Your API tokens will be revoked
  • Some data may be retained for legal or accounting purposes as required by law (e.g., payment records for tax purposes)

Uploaded images are automatically deleted immediately after processing and are never stored permanently.

5. Your Rights and Choices

5.1 GDPR Rights (EEA/UK Residents)

If you are located in the European Economic Area or United Kingdom, you have the following rights under GDPR:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your data ("Right to be Forgotten")
  • Right to Restriction (Art. 18): Limit how we use your data
  • Right to Data Portability (Art. 20): Receive your data in a machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
  • Right to Lodge a Complaint: File a complaint with your national data protection authority

5.2 CCPA Rights (California Residents)

If you are a California resident, you have the following rights under CCPA:

  • Right to Know: Request disclosure of personal information collected, used, or shared in the past 12 months
  • Right to Delete: Request deletion of personal information we have collected
  • Right to Opt-Out: Opt out of the sale of personal information (Note: We do NOT sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of Personal Information We Collect (CCPA Disclosure): Identifiers (email, name), commercial information (purchase history), internet activity (usage logs), financial information (payment data via Stripe).

5.3 How to Exercise Your Rights

To exercise any of these rights, please contact us:

  • Email: privacy@vectosolve.com or support@vectosolve.com
  • Include "GDPR Request" or "CCPA Request" in the subject line
  • We will respond within 30 days (GDPR) or 45 days (CCPA)
  • You may be required to verify your identity to prevent unauthorized access

6. Google API Services User Data Policy

VectoSolve's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only request access to Google user data that is necessary for providing our image vectorization service
  • We do not use Google user data for serving advertisements
  • We do not sell Google user data to third parties
  • We do not use or transfer Google user data for purposes unrelated to our service's functionality

7. Cookies and Tracking

We use essential cookies and local storage to maintain your session and authentication state. These are necessary for the proper functioning of our service. We do not use third-party advertising or tracking cookies.

8. Children's Privacy

VectoSolve is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

9. International Data Transfers

VectoSolve operates globally, and your data may be transferred to, processed, and stored in countries outside your country of residence, including the United States. These countries may have different data protection laws than your jurisdiction.

9.1 Safeguards for International Transfers

When transferring data from the EEA/UK to third countries, we rely on the following legal mechanisms:

  • Adequacy Decisions: We transfer data to countries recognized by the EU Commission as providing adequate data protection
  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers (Supabase, Stripe, Recraft AI)
  • Your Explicit Consent: For transfers not covered by other mechanisms, we obtain your explicit consent

9.2 Data Processing Locations

  • Supabase (Database): Data centers in US, EU regions available upon request
  • Stripe (Payments): Processes payment data globally with GDPR/CCPA compliance
  • Recraft AI (Vectorization): Processes images in secure cloud infrastructure
  • Google OAuth: Processes authentication data according to Google's global infrastructure

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by updating the "Last updated" date at the top of this policy. Your continued use of VectoSolve after such changes constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: