How we collect, use, store, and protect your data
Data Controller: Safe Harbour Informatics Inc ("we", "us", "our")
Website: www.vant.one
Contact: [email protected]
Safe Harbour Informatics Inc operates the vCAIO Platform (the "Platform"), a multi-tenant SaaS application that assists technology consultants and sales professionals in generating AI-driven proposals, assessments, and sales intelligence artifacts. This Privacy Policy describes how we collect, use, store, share, and protect personal data when you access or use the Platform.
This policy applies to all users of the Platform, including authenticated users, administrators, and any individuals whose data may be processed through the Platform's AI-powered features (such as transcript analysis or prospect management).
| Category | Data Elements | Legal Basis | Retention |
|---|---|---|---|
| Account Data | Name, email, OAuth ID, login method, role, tenant membership | Contractual necessity | Account duration + 30 days |
| Usage Data | Token consumption, operation types, billing summaries, usage trends | Legitimate interest (billing) | 24 months rolling |
| Prospect Data | Names, company names, industry, contact info, deal stage, notes | Contractual necessity | Account duration + 90 days |
| Assessment Data | Discovery transcripts, AI-generated roadmaps, SOWs, proposals, ROI calculations | Contractual necessity | Account duration + 90 days |
| Technical Data | IP address (rate limiting), browser user-agent (not stored), session tokens (JWT) | Legitimate interest (security) | Session duration only |
| Audit Data | Authentication events, access denials, error logs | Legal obligation | 12 months |
We do not collect or store: payment card numbers, CVV, or expiration dates (handled entirely by Stripe); biometric data; health or genetic data; or data from minors under 16 years of age.
Service Delivery. Account data and assessment data are processed to authenticate users, enforce role-based access control, and deliver the Platform's core features — including AI-driven proposal generation, transcript analysis, roadmap creation, and SOW generation.
Billing and Metering. Usage data (token consumption) is recorded per-tenant and per-operation to enforce monthly allowances, calculate overage, and provide transparent usage dashboards. No financial payment data is processed by our servers; all payment processing is delegated to Stripe, Inc.
Security and Fraud Prevention. Technical data (IP addresses) is used transiently for rate limiting (100 requests per 15 minutes per IP for API endpoints; 5 requests per 15 minutes for authentication endpoints). IP addresses are not persisted to any database.
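As an added illustration of the limiting scheme described above (not the Platform's own code), the following TypeScript models a per-IP fixed-window limiter with the two stated budgets: 100 requests per 15 minutes for API routes and 5 per 15 minutes for authentication routes. Counters live only in process memory and expire with the window, so no IP address is written anywhere durable. The class and function names, the route prefix used to pick a policy, and the sample timestamps and addresses are assumptions constructed for the example.

```typescript
// Added example: in-memory, per-IP fixed-window rate limiter.
// Names, the route classifier and the sample inputs are illustrative
// assumptions, not the Platform's implementation.

type Bucket = { count: number; resetAt: number };

export interface LimiterPolicy {
  limit: number;    // maximum requests per window
  windowMs: number; // window length in milliseconds
}

const FIFTEEN_MINUTES_MS = 15 * 60 * 1000;
export const API_POLICY: LimiterPolicy = { limit: 100, windowMs: FIFTEEN_MINUTES_MS };
export const AUTH_POLICY: LimiterPolicy = { limit: 5, windowMs: FIFTEEN_MINUTES_MS };

export interface Decision { allowed: boolean; remaining: number; retryAfterMs: number }

export class IpRateLimiter {
  // Counters are held only in process memory; nothing is persisted.
  private buckets = new Map<string, Bucket>();

  constructor(private readonly policy: LimiterPolicy) {}

  // Decide whether one request from `ip` at time `now` may proceed.
  check(ip: string, now: number = Date.now()): Decision {
    let b = this.buckets.get(ip);
    if (!b || now >= b.resetAt) {
      // First request in a fresh window: start a new counter.
      b = { count: 0, resetAt: now + this.policy.windowMs };
      this.buckets.set(ip, b);
    }
    if (b.count >= this.policy.limit) {
      return { allowed: false, remaining: 0, retryAfterMs: b.resetAt - now };
    }
    b.count += 1;
    return { allowed: true, remaining: this.policy.limit - b.count, retryAfterMs: 0 };
  }

  // Drop expired buckets so an IP key does not outlive its window.
  sweep(now: number = Date.now()): number {
    let removed = 0;
    this.buckets.forEach((b, ip) => {
      if (now >= b.resetAt) {
        this.buckets.delete(ip);
        removed += 1;
      }
    });
    return removed;
  }

  size(): number {
    return this.buckets.size;
  }
}

// Assumed route layout: anything under /api/auth/ gets the stricter budget.
export function policyFor(path: string): LimiterPolicy {
  return path.startsWith("/api/auth/") ? AUTH_POLICY : API_POLICY;
}

// Walk-through on constructed input: six login attempts from one address
// inside the window, then a sweep after the window has elapsed.
export function demo(): { sixthAllowed: boolean; afterSweep: number } {
  const limiter = new IpRateLimiter(policyFor("/api/auth/login"));
  const t0 = 1700000000000; // constructed fixed timestamp (ms since epoch)
  let last: Decision = { allowed: true, remaining: 0, retryAfterMs: 0 };
  for (let i = 0; i < 6; i++) {
    last = limiter.check("203.0.113.7", t0 + i * 1000); // documentation-range IP
  }
  limiter.sweep(t0 + FIFTEEN_MINUTES_MS + 1);
  return { sixthAllowed: last.allowed, afterSweep: limiter.size() };
}
```

Two practitioner caveats apply to any limiter of this shape. The key must be the peer address of the connection, or the address supplied by a trusted reverse proxy; keying on a client-controlled header such as X-Forwarded-For lets a caller choose its own bucket. A fixed window also admits up to twice the budget across a window boundary; a sliding window or token bucket is tighter if that matters.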
AI Processing. When users invoke AI features, the relevant assessment data is transmitted to our LLM provider for inference. All prompts are sanitized through our prompt injection filter before transmission, and all LLM responses are scanned by our PII masking layer before being stored or displayed. We do not use customer data to train or fine-tune AI models.
The Platform operates as a multi-tenant system where each organization ("tenant") has its own isolated data partition. Every table containing tenant-specific data includes a tenantId column. All queries are filtered by the authenticated user's tenant context, enforced by middleware that rejects any request where tenant context is null or undefined.
All tRPC procedures that access tenant data are protected procedures: they require authentication and inject the authenticated user's tenant context before the handler runs. Admin procedures additionally verify the admin role before granting cross-tenant visibility. Tenant isolation is verified by automated tests.
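The isolation pattern described in the two paragraphs above, as an added example that is not the Platform's code and does not use the real tRPC API: a small dependency-free model in which a guard wraps every tenant-scoped handler, rejects a missing user or a null/undefined tenant id before any query runs, adds a role check for admin handlers, and keeps the tenantId filter inside the repository so callers cannot omit it. The context shape, error codes, repository, and the two-tenant sample rows are constructed assumptions.

```typescript
// Added example: model of tenant-context middleware and tenant-filtered reads.
// Context shape, error codes, repository and sample data are assumptions made
// for illustration; this is not the Platform's own code or the tRPC API.

export type Role = "user" | "admin";
export interface User { id: string; role: Role; tenantId: string | null }
export interface Ctx { user?: User }
// What a handler receives: the user is present and tenantId is a real string.
export interface TenantCtx extends Ctx { user: User; tenantId: string }

export class ProcedureError extends Error {
  constructor(public readonly code: "UNAUTHORIZED" | "FORBIDDEN") {
    super(code);
    Object.setPrototypeOf(this, ProcedureError.prototype); // keep instanceof working on older targets
  }
}

// Guard for every tenant-scoped procedure: no user, or a null/undefined
// tenant id, is rejected before the handler (and any query) is reached.
export function protectedProcedure<I, O>(
  handler: (ctx: TenantCtx, input: I) => O,
): (ctx: Ctx, input: I) => O {
  return (ctx, input) => {
    if (!ctx.user) throw new ProcedureError("UNAUTHORIZED");
    const tenantId = ctx.user.tenantId;
    if (tenantId === null || tenantId === undefined) throw new ProcedureError("FORBIDDEN");
    return handler({ ...ctx, user: ctx.user, tenantId }, input);
  };
}

// Admin procedures stack a role check on top of the same guard.
export function adminProcedure<I, O>(
  handler: (ctx: TenantCtx, input: I) => O,
): (ctx: Ctx, input: I) => O {
  return protectedProcedure<I, O>((ctx, input) => {
    if (ctx.user.role !== "admin") throw new ProcedureError("FORBIDDEN");
    return handler(ctx, input);
  });
}

// Every row carries tenantId; the repository applies the filter itself so a
// handler cannot forget it.
export interface Prospect { id: string; tenantId: string; name: string }

export class ProspectRepo {
  constructor(private readonly rows: Prospect[]) {}
  listForTenant(tenantId: string): Prospect[] {
    return this.rows.filter((r) => r.tenantId === tenantId);
  }
  // Cross-tenant read, reachable only through the admin path.
  listAll(): Prospect[] {
    return this.rows.slice();
  }
}

// Constructed sample data: two tenants sharing one table.
export const SAMPLE_ROWS: Prospect[] = [
  { id: "p1", tenantId: "t-acme", name: "Acme Corp" },
  { id: "p2", tenantId: "t-acme", name: "Acme Labs" },
  { id: "p3", tenantId: "t-globex", name: "Globex" },
];

const repo = new ProspectRepo(SAMPLE_ROWS);

export const listProspects = protectedProcedure<void, Prospect[]>(
  (ctx) => repo.listForTenant(ctx.tenantId),
);
export const adminListAllProspects = adminProcedure<void, Prospect[]>(
  () => repo.listAll(),
);

// The kind of check an automated isolation test would make: one tenant's user
// sees only its own rows, a user without tenant context is rejected rather
// than shown everything, and only the admin path reaches all rows.
export function isolationCheck(): { acmeSeesOnlyAcme: boolean; nullTenantRejected: boolean; adminSeesAll: boolean } {
  const acme: Ctx = { user: { id: "u1", role: "user", tenantId: "t-acme" } };
  const orphan: Ctx = { user: { id: "u2", role: "user", tenantId: null } };
  const admin: Ctx = { user: { id: "u3", role: "admin", tenantId: "t-acme" } };

  const acmeRows = listProspects(acme, undefined);
  let nullTenantRejected = false;
  try {
    listProspects(orphan, undefined);
  } catch (e) {
    nullTenantRejected = e instanceof ProcedureError && e.code === "FORBIDDEN";
  }
  return {
    acmeSeesOnlyAcme: acmeRows.length === 2 && acmeRows.every((r) => r.tenantId === "t-acme"),
    nullTenantRejected,
    adminSeesAll: adminListAllProspects(admin, undefined).length === 3,
  };
}
```

The point of keeping the filter in the repository rather than in each handler is that the guard and the query agree by construction: a handler only ever holds a TenantCtx, and the only read it can call takes that tenant id as its argument.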
| Third Party | Purpose | Data Shared | Safeguards |
|---|---|---|---|
| LLM Provider | AI inference | Sanitized assessment data, prompt text | PII masking; prompt injection filtering; no model training |
| Stripe, Inc. | Payment processing | Customer ID, email, name (via metadata) | PCI DSS Level 1; no card data on our servers |
| TiDB Cloud | Database hosting | All tenant data (encrypted) | TLS enforced in transit; encryption at rest |
| S3 Storage | File storage | Uploaded files with non-enumerable keys | Server-side encryption; presigned URLs |
We do not sell, rent, or trade personal data to any third party. We do not use personal data for advertising or marketing purposes.
The Platform implements technical and organizational security measures aligned with OWASP Top 10 (2021) and OWASP Top 10 for LLM Applications (2025):
If you are located in the European Economic Area (EEA), United Kingdom, or California, you have the following rights under applicable data protection laws:
| Right | Description |
|---|---|
| Access | Request a copy of all personal data we hold about you |
| Rectification | Request correction of inaccurate personal data |
| Erasure | Request deletion of your personal data ("right to be forgotten") |
| Portability | Request your data in a structured, machine-readable format |
| Restriction | Request that we limit processing of your data |
| Objection | Object to processing based on legitimate interest |
To exercise any of these rights, email [email protected]. We will respond within 30 calendar days. If we need additional time (up to 60 days), we will notify you.
Account data is retained for the duration of the user's active account plus 30 days after account closure. Assessment data (transcripts, proposals, roadmaps) is retained for the duration of the account plus 90 days. Usage and billing data is retained on a 24-month rolling basis. Audit logs are retained for 12 months.
Upon account deletion or tenant decommissioning, all associated data is permanently deleted from the database and S3 storage within the retention periods specified above. Backups containing deleted data are purged within 90 days of the deletion event.
The Platform uses a single session cookie for authentication. The cookie is set with the HttpOnly attribute (it cannot be read by client-side JavaScript), the Secure attribute (it is sent only over HTTPS), and SameSite=None, which the cross-origin OAuth flow requires and which browsers accept only in combination with Secure.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking or behavioral advertising.
Data may be processed in the United States and other jurisdictions where our infrastructure providers operate. When personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other lawful transfer mechanisms under GDPR Article 46.
We may update this Privacy Policy from time to time. Material changes will be communicated to users via the Platform's notification system or by email. The "Last Updated" date at the top of this document reflects the most recent revision.
For privacy-related inquiries, data subject requests, or complaints, please contact: