Privacy Policy
Last updated: May 7, 2026
1. Who we are
Vega (“Vega,” “we,” “us,” or “our”) operates a security-assessment platform that allows authorised technology resellers and managed service providers (“Customers”) to generate structured security assessments for their own prospects and clients (“End Companies”).
This Privacy Policy describes how we collect, use, share, and protect personal and business information when you use the platform.
2. The data we collect
Account information
- Name, email address, and role for each user authorised by your Customer organisation.
- Authentication metadata (login timestamps, password hash, multi-factor tokens) — handled by our authentication provider, Supabase.
- Display preferences (theme, language).
Customer-provided assessment data
- Prospect / End Company names, technology stacks, and any other information your authorised users enter into an assessment.
- AI-generated assessment outputs (executive summary, framework coverage, gaps, recommendations, risk register, business impact analysis, tabletop exercises, conclusion).
- Activity logs (who generated what, when).
You and your Customer organisation are the controller of the prospect / End Company data you enter. You are responsible for having a lawful basis to process it and for any obligations owed to those End Companies under applicable law.
Inferred and technical data
- IP address, browser type, device type — collected via standard server logs.
- Cookies strictly necessary for session management and theme preference. We do not use advertising or tracking cookies.
3. How we use the data
- To provide the platform: authenticate users, render assessments, generate PDF / PPTX deliverables, persist your work between sessions.
- To send the technology stack you submit to our AI provider (see “Subprocessors” below) so it can produce the assessment.
- To improve security and reliability: monitor for abuse, debug errors, audit access.
- To communicate operational matters: account changes, security incidents, service updates.
We do not use Customer-provided assessment data to train AI models, and we contractually prohibit our AI subprocessor from doing so.
4. Subprocessors
We rely on the following third parties to deliver the platform. Each is contractually bound by data-protection terms equivalent to those stated here:
| Subprocessor | Purpose | Region |
|---|---|---|
| Anthropic, PBC | AI assessment generation (Claude Sonnet) | United States |
| Supabase, Inc. | Authentication and database (Postgres) | United States |
| Render Services, Inc. | Application hosting and PDF rendering | United States |
We will notify your Customer organisation in advance of any addition or replacement of a subprocessor, allowing reasonable time to object before the change takes effect.
5. International transfers
Our subprocessors are located in the United States. If you or your prospects are located outside the United States, your information may be transferred to, stored in, and processed in the United States. We rely on standard contractual clauses or equivalent safeguards for any transfer of personal data from the European Economic Area, United Kingdom, or other jurisdictions with similar requirements.
6. Data retention
- Account information: retained while the account is active, plus up to 90 days after account closure for legitimate operational reasons (audit, dispute resolution).
- Customer-provided assessment data: retained until your Customer organisation deletes it or terminates the platform agreement, plus up to 30 days for backups to expire.
- Server logs: retained for up to 12 months.
- Activity / audit logs: retained for the term of the platform agreement plus 12 months.
On request, your Customer organisation can ask us to delete or export specific assessment data. See “Your rights” below.
7. Security
- Encryption in transit (TLS 1.2+) for all platform connections.
- Encryption at rest for the database (Supabase-managed AES-256).
- Row-level security (RLS) enforced on every database table — a user can only access data belonging to their own tenant.
- Role-based access controls within each tenant (Rep / Manager / Admin).
- Logged access trails for sensitive operations.
- Closed user registration — only admins of an existing tenant can invite new users.
No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify the affected Customer organisation without undue delay.
8. Your rights
Depending on where you are located, you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to operational and legal limits).
- Export your data in a portable format.
- Restrict or object to certain processing.
- Withdraw consent (where processing is based on consent).
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, contact us at privacy@example.com. We will respond within 30 days.
9. Cookies
We use only essential cookies necessary for the platform to function: session authentication and saved theme preference. We do not use advertising cookies, social-media cookies, or analytics cookies that identify individuals.
10. Children's privacy
The platform is not directed to anyone under 16 and we do not knowingly collect personal data from children.
11. Changes to this policy
We may update this policy from time to time. We will notify your Customer organisation of material changes in advance. Non-material clarifications take effect when posted, with a revised “Last updated” date.
12. Contact
For privacy questions, data-rights requests, or concerns:
Vega
[TODO: registered business address]
privacy@example.com