Privacy Policy
Effective date: May 1, 2026 · Vantio AI, Inc. (Delaware C-Corporation)
1. What We Collect
We collect account information (email address) when you sign up, payment information processed by Stripe (we never store raw card data), per-tenant usage telemetry (structured execution metadata only — bytes_severed, pid, target_host, action_taken, timestamps), and server logs necessary for security and operations. We also collect anonymous, opt-out product telemetry — an anonymous install ID, SDK/CLI version, runtime, OS, and aggregate call/redaction/block counts — to improve the product. This anonymous stream contains no API key, email, IP address, prompt content, or other PII. You can opt out at any time by setting VANTIO_TELEMETRY_DISABLED=1 or DO_NOT_TRACK=1.
2. Payload Quarantine
Vantio enforces a strict payload quarantine by design. Raw linguistic content — prompts, model completions, agent reasoning chains, or any personally identifiable information embedded in AI outputs — is structurally excluded from our ingest pipeline. The whitelist of permitted anomaly_metadata fields is enforced at the API layer and is auditable in our open-source ingest route.
3. Data Retention
Tier 02 anomaly events are retained for 90 days. Tier 03 WORM ledger retention is configurable up to 7 years to satisfy SEC Rule 17a-4, MiFID II, and SOC 2 Type II requirements. Account data is retained for the duration of your subscription plus 30 days after cancellation.
4. Data Sharing
We do not sell your data. We share data with: Stripe (payment processing), Supabase (database hosting, SOC 2 Type II certified), Google Cloud (Spanner WORM ledger for Tier 03), and Vercel (web app & API hosting). Each sub-processor is contractually bound to process data only as instructed by Vantio AI, Inc.
5. Your Rights
You may request access to, correction of, or deletion of your personal data at any time by emailing privacy@vantio.ai. Requests are fulfilled within 30 days. Data portability is available via the CSV export in your dashboard.
6. Security
All data in transit is encrypted via TLS 1.3. Data at rest is encrypted using AES-256. API keys are stored as salted hashes. The Supabase service role key used for writes is scoped to INSERT only — no SELECT, UPDATE, or DELETE on sensitive tables.
7. Contact
Vantio AI, Inc. · privacy@vantio.ai · Incorporated in Delaware, United States.