Privacy Policy
Last updated: May 7, 2026
This Privacy Policy explains how Vectorra collects, uses, and protects your data.
Data Controller
Vectorra is operated by Marek Stuchlý, a natural person located in the Czech Republic. This means I am the data controller responsible for your data under GDPR.
Contact: hello@vectorra.com
Data We Collect
Account Data
When you register, we collect:
- Email address
- Name (if provided)
- Organization name (if provided)
- Password (stored as a hash, never in plaintext)
- Avatar image (if uploaded)
Usage Data
When you use Vectorra, we store:
- Itineraries, blocks, and content you create
- Client information you add to your CRM
- Files and documents you upload
- Settings and preferences
- Activity logs (e.g., login times, feature usage)
Technical Data
Automatically collected:
- IP address (used for rate limiting and abuse prevention)
- Browser type and version
- Device information
- Pages visited within Vectorra
AI Interaction Data
When you use AI features:
- The content you submit (documents, prompts) is sent to Anthropic for processing
- We log usage counts (number of AI calls) for quota enforcement
- We do not log the content of your AI prompts or responses
Legal Basis (GDPR)
We process your data based on:
- Contract performance — to provide the service you signed up for
- Legitimate interest — to maintain security, prevent abuse, and improve the service
- Consent — for optional features like email notifications (you can opt out)
- Legal obligation — when required by law
How We Use Your Data
Your data is used to:
- Provide and maintain the service
- Authenticate you and secure your account
- Process AI features (when you use them)
- Send transactional emails (registration, password reset, notifications)
- Detect and prevent abuse
- Improve Vectorra (anonymized usage patterns only)
We do NOT:
- Sell your data to third parties
- Use your data for advertising
- Train AI models on your content
- Share your data outside what's necessary to provide the service
Third Parties
Vectorra uses these service providers:
| Provider | Purpose | Location | Data shared |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) | All app data |
| Vercel | Hosting, deployment | EU / Global | Request metadata, IP |
| Cloudflare | DNS, CDN, security | Global | Request metadata, IP |
| Resend | Transactional email | EU | Email address, email content |
| Anthropic | AI features (Claude) | US (with EU SCCs) | Content you submit to AI features |
| Sentry | Error tracking | EU | Error context, user ID (no personal content) |
All providers are contractually bound to GDPR-equivalent data protection through Data Processing Agreements (DPAs).
Data Storage and Transfers
- Primary data is stored in Supabase EU region (Frankfurt, Germany)
- Some processors (Anthropic, Cloudflare) operate globally; transfers outside the EU use Standard Contractual Clauses (SCCs)
Data Retention
- Active accounts: data retained as long as your account is active
- Deleted accounts: all personal data is permanently deleted within 30 days of account deletion request
- Backups: Supabase backups are retained for 7 days; deleted data is removed from backups within this window
- Logs: technical logs are retained for up to 90 days for security and debugging
Your Rights (GDPR)
You have the right to:
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure — delete your account and data
- Portability — export your data in a machine-readable format
- Restrict processing — limit how we use your data
- Object — to specific processing activities
- Withdraw consent — for optional processing
- Lodge a complaint — with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů, www.uoou.cz)
To exercise any of these rights, email hello@vectorra.com. We will respond within 30 days.
Account data export and deletion are also available directly in Settings.
Cookies and Tracking
Vectorra uses only essential cookies needed for the service to function:
- Authentication cookies (Supabase) — keep you logged in
- CSRF tokens — security
- Session preferences — remember your sidebar state, theme, etc.
We use Sentry for error tracking. Sentry's snippets do not set cookies but may collect technical information about errors. This is a legitimate interest under GDPR.
We do NOT use:
- Advertising cookies
- Third-party analytics (Google Analytics, etc.)
- Cross-site tracking
Your Clients' Data
When you store information about your clients in Vectorra, you are the data controller for that data. Vectorra is the data processor.
You are responsible for:
- Obtaining consent from your clients before storing their data
- Informing them about how you use Vectorra
- Responding to their data subject requests
Vectorra provides tools to help (data export, deletion) but you are the primary contact for your clients' privacy questions.
Children's Privacy
Vectorra is not intended for users under 18. We do not knowingly collect data from children. If you believe a minor has registered, contact us immediately.
Security
We protect your data through:
- HTTPS encryption in transit
- Encrypted storage (Supabase managed)
- AES-256-GCM encryption for sensitive fields (BYOK API keys)
- Argon2 password hashing (Supabase managed)
- Row-level security policies on all data
- Regular security audits
Despite these measures, no system is completely secure. In the event of a data breach, we will notify affected users within 72 hours of becoming aware.
Changes to This Policy
Material changes will be communicated via email or in-app notification at least 14 days before taking effect.
Contact
Privacy questions or requests: hello@vectorra.com
Data Protection Authority (Czech Republic): www.uoou.cz
See also our Terms of Service.