Data Processing Addendum
**Effective Date:** December 1, 2025
**Last Updated:** December 1, 2025
1. Introduction
This Data Processing Addendum ("DPA") forms part of the VectorAI Terms of Service and Privacy Policy. It governs the processing of personal data by VectorAI and its subprocessors in compliance with:
- EU General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- UK Data Protection Act 2018
- Other applicable data protection laws
This DPA applies when VectorAI processes personal data on behalf of users (acting as a "Data Processor") or for its own purposes (acting as a "Data Controller").
2. Definitions
Terms used in this DPA:
- "Controller" means the entity that determines the purposes and means of processing personal data (typically the user/customer)
- "Processor" means the entity that processes personal data on behalf of the Controller (VectorAI in most cases)
- "Subprocessor" means any third-party processor engaged by VectorAI (e.g., Stripe, Supabase, Modal)
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on personal data (collection, storage, use, transmission, deletion)
- "Data Subject" means the individual to whom personal data relates
- "Standard Contractual Clauses (SCCs)" means the EU Commission-approved template for international data transfers
All other terms have the meanings defined in our Terms of Service and Privacy Policy.
3. Roles and Responsibilities
3.1 VectorAI as Data Controller
VectorAI acts as a Data Controller when processing:
- User account information (email, password, subscription status)
- Payment information (via Stripe)
- Usage analytics and service improvement data
- Marketing communications (with consent)
**Responsibilities:**
- Determine purposes and means of processing
- Ensure lawful basis for processing (consent, contract, legitimate interest)
- Comply with data subject rights requests (access, deletion, portability)
- Implement appropriate security measures
3.2 VectorAI as Data Processor
VectorAI acts as a Data Processor when processing:
- Uploaded images on behalf of users
- Content generated from user inputs (SVG outputs)
**Responsibilities:**
- Process data only as instructed by the user (via service usage)
- Implement technical and organizational measures to protect data
- Assist with data subject rights requests
- Delete or return data upon request
3.3 User as Data Controller
When users upload images containing personal data (e.g., photos of individuals), the user is the Data Controller and must:
- Ensure they have a lawful basis to process that data
- Obtain necessary consents from data subjects
- Comply with data protection laws in their jurisdiction
- Indemnify VectorAI for any violations arising from their use
4. Subprocessors
VectorAI engages the following subprocessors to provide the Service:
4.1 Current Subprocessors
| Subprocessor | Purpose | Location | Security Certifications |
|---|---|---|---|
| Supabase, Inc. | Database, authentication (incl. OAuth), file storage | United States (AWS) | SOC 2 Type II, ISO 27001 |
| Modal Labs | GPU-accelerated AI processing | United States (AWS) | SOC 2 Type II |
| Stripe, Inc. | Payment processing, subscription management | United States, EU | PCI-DSS Level 1, SOC 2 |
| SendGrid/Postmark | Transactional email delivery | United States | ISO 27001, SOC 2 |
| Google LLC | OAuth authentication (Sign-In with Google) | United States, EU | ISO 27001, SOC 2 |
| Google Analytics | Website analytics (if consent granted) | United States | ISO 27001, Privacy Shield (legacy) |
| PostHog | Product analytics (if consent granted) | United States, EU | SOC 2 Type II |
4.2 Subprocessor Agreements
All subprocessors are bound by:
- Data Processing Agreements (DPAs) equivalent to this document
- Standard Contractual Clauses (SCCs) for international transfers
- Confidentiality obligations to protect personal data
- Security requirements aligned with GDPR Article 32
4.3 Subprocessor Changes
We will notify users of new subprocessors 30 days in advance via:
- Email to registered address
- In-app notification
- Update to this DPA with new "Last Updated" date
**Objection Right:** If you object to a new subprocessor on reasonable grounds, you may:
- Terminate your subscription with a pro-rata refund
- Request data deletion
- Contact us at info@vectorai.cc to discuss alternatives
5. Data Processing Details
5.1 Categories of Data Subjects
- VectorAI users (account holders)
- Individuals depicted in uploaded images (if applicable)
- Newsletter subscribers
- Support ticket requesters
5.2 Categories of Personal Data Processed
Account Data:
- Email address, hashed password, subscription status, credits balance, OAuth provider (if using Google Sign-In)
OAuth Data (Google Sign-In):
- Google account email, profile name, profile picture URL, OAuth tokens (encrypted)
Payment Data (via Stripe):
- Billing name, payment card type (last 4 digits), billing address
Image Metadata:
- File name, file size, upload timestamp, processing status
Usage Data:
- IP address, user agent, browser type, pages visited, feature usage
Communication Data:
- Support emails, consent records, marketing preferences
5.3 Purposes of Processing
- Provide vectorization services
- Manage user accounts and subscriptions
- Process payments
- Send transactional and marketing communications (with consent)
- Analyze service usage for improvement
- Prevent fraud and abuse
5.4 Data Retention Periods
- **Input Images:** 24 hours (automatic deletion)
- **Output SVGs:** 24 hours (automatic deletion)
- **Processing Logs:** 90 days (automatic deletion)
- **Account Data:** Until user requests deletion
- **Payment Records:** 7 years (legal requirement for tax compliance)
- **Consent Records:** 3 years (proof of compliance)
6. Security Measures (GDPR Article 32)
VectorAI implements the following technical and organizational measures:
6.1 Technical Measures
- Encryption in Transit: TLS 1.3 for all data transmission
- Encryption at Rest: AES-256 for database and file storage
- Password Security: Bcrypt hashing (cost factor 10)
- Access Controls: Role-based access control (RBAC) with row-level security (RLS)
- Multi-Factor Authentication (MFA): Available for user accounts
- Automated Backups: Daily encrypted backups with 30-day retention
- Intrusion Detection: Automated security monitoring and alerts
6.2 Organizational Measures
- Employee Training: Annual data protection and security training
- Access Restrictions: Need-to-know principle for data access
- Incident Response Plan: Documented breach notification procedure (72-hour GDPR timeline)
- Vendor Audits: Annual security reviews of subprocessors
- Data Minimization: Collect only necessary data, automatic cleanup policies
- Privacy by Design: Security considerations in all feature development
6.3 Certifications & Audits
- SOC 2 Type II: Planned for 2026 (via infrastructure providers)
- ISO 27001: Inherited from Supabase, Modal (infrastructure layer)
- PCI-DSS: Inherited from Stripe (payment layer)
- Penetration Testing: Annual third-party security audits
7. Data Subject Rights
VectorAI assists users in fulfilling data subject rights requests:
7.1 Right to Access (GDPR Art. 15)
How to Exercise: Email info@vectorai.cc or use the in-app "Export My Data" feature
Response Time: 30 days
Format: JSON or CSV export
7.2 Right to Rectification (GDPR Art. 16)
How to Exercise: Update information in account settings or email info@vectorai.cc
Response Time: Immediate (for self-service), 30 days (for complex requests)
7.3 Right to Erasure (GDPR Art. 17) - "Right to be Forgotten"
How to Exercise: Use the "Delete Account" feature or email info@vectorai.cc
Response Time: 30 days for complete deletion
Exceptions: Payment records retained for 7 years (legal obligation)
Note: If using Google Sign-In, you should also revoke VectorAI's access via Google Account Permissions
7.4 Right to Data Portability (GDPR Art. 20)
How to Exercise: Use the "Export My Data" feature
Format: Machine-readable JSON
Scope: Account data, processing history, consent records
7.5 Right to Object (GDPR Art. 21)
How to Exercise: Opt out of marketing emails via the unsubscribe link or account settings
Effect: No more marketing communications (transactional emails still sent)
7.6 Right to Restrict Processing (GDPR Art. 18)
How to Exercise: Email info@vectorai.cc
Effect: Temporary suspension of non-essential processing
7.7 Automated Decision-Making
VectorAI does not engage in automated decision-making or profiling that significantly affects users (GDPR Art. 22).
8. International Data Transfers
8.1 Transfer Mechanisms
When personal data is transferred outside the EEA, we use:
Standard Contractual Clauses (SCCs):
- EU Commission Decision 2021/914 (Module 2: Controller-to-Processor)
- Applied to all subprocessors in non-adequate jurisdictions
Adequacy Decisions:
- UK adequacy decision (2021)
- Switzerland adequacy decision (if applicable)
Supplementary Measures:
- Encryption in transit and at rest
- Pseudonymization where feasible
- Regular security audits
8.2 US-Based Subprocessors
Impact of Schrems II Ruling:
Following the invalidation of Privacy Shield, we rely on SCCs with supplementary measures:
- Transparent disclosure of subprocessor locations
- Contractual prohibition on unlawful government access
- Encryption rendering data unintelligible to third parties
8.3 Data Localization Requests
Enterprise customers may request data residency in specific regions. Contact sales@vectorai.cc for custom arrangements.
9. Data Breach Notification
9.1 Breach Response Procedure
In the event of a personal data breach, VectorAI will:
Within 72 Hours:
- Notify affected users via email
- Notify relevant supervisory authorities (if required)
- Provide details on nature, scope, and likely consequences of breach
Immediate Actions:
- Contain the breach (isolate affected systems)
- Assess impact on data subjects
- Document incident for compliance records
Follow-Up:
- Implement corrective measures
- Conduct post-incident review
- Update security protocols to prevent recurrence
9.2 User Responsibilities
If users become aware of a breach involving data they control (e.g., unauthorized access to their uploaded images), they must notify us at info@vectorai.cc.
10. Audit Rights
10.1 User Audit Rights
Upon reasonable notice (30 days), users may request:
- Documentation of security measures
- Copies of subprocessor DPAs
- SOC 2 reports (when available)
- Data processing records relevant to their account
Limitations: Audits may not include on-site inspections or access to source code.
10.2 Regulatory Audits
VectorAI will cooperate with data protection authorities conducting investigations, subject to applicable law.
11. Liability and Indemnification
11.1 VectorAI Liability
VectorAI is liable for damages caused by:
- Failure to comply with GDPR obligations as a processor
- Acting outside or contrary to lawful instructions
- Failure to implement appropriate security measures
Limitation: Total liability capped at the amount in Section 11 of the Terms of Service.
11.2 User Liability
Users are liable for:
- Violations of data protection laws in their capacity as controllers
- Uploading data they do not have rights to process
- Failing to obtain necessary consents from data subjects
11.3 Subprocessor Liability
VectorAI is liable for the acts of subprocessors to the same extent as its own acts (GDPR Art. 28(4)).
12. Term and Termination
12.1 Duration
This DPA remains in effect for as long as VectorAI processes personal data on behalf of users.
12.2 Effect of Termination
Upon termination of the Terms of Service or user account deletion:
- VectorAI will delete or return all personal data within 30 days
- Exceptions: Data retained for legal compliance (payment records) or defense of legal claims
- User may request certification of deletion
12.3 Survival
Sections on Liability, Confidentiality, and Dispute Resolution survive termination.
13. Governing Law and Disputes
13.1 Governing Law
This DPA is governed by:
- GDPR for EEA users
- UK GDPR for UK users
- CCPA for California residents
- Delaware law for contractual disputes (as specified in Terms of Service)
13.2 Dispute Resolution
Disputes under this DPA shall be resolved per Section 14 of the Terms of Service (arbitration), except:
- Data protection authority complaints (users may file with their local supervisory authority)
- EU users retain the right to bring claims in EU courts under GDPR Art. 79
14. Contact Information
Data Protection Officer:
Email: info@vectorai.cc
Security Inquiries:
Email: info@vectorai.cc
GDPR Representative (EU):
[To be appointed if required under GDPR Art. 27]
CCPA Compliance:
Email: info@vectorai.cc
Supervisory Authority:
Users may contact their local data protection authority:
- **EU:** https://edpb.europa.eu/about-edpb/about-edpb/members_en
- **UK:** Information Commissioner's Office (ICO)
- **California:** California Privacy Protection Agency
15. Amendments
This DPA may be updated to reflect:
- Changes in data protection laws
- New subprocessors
- Enhanced security measures
Users will be notified of material changes 30 days in advance via email.
Acknowledgment:
By using VectorAI, you acknowledge that:
1. You have read and understood this Data Processing Addendum
2. You authorize VectorAI to engage the listed subprocessors
3. You agree to the international data transfer mechanisms described
4. You will comply with data protection laws when acting as a controller
Data Processing Addendum Version: 1.0
Effective Date: December 1, 2025
Standard Contractual Clauses: Available upon request at info@vectorai.cc
