Privacy Notice and Processing Policy
Effective Date: June 2026
The Company is committed to the secure, transparent, and responsible processing of personal data. This Privacy Policy describes how we collect, process, utilize, share, and protect personal data in connection with our public-facing websites, physical platform architecture, and software-as-a-service governance interfaces.
1. Categories of Personal Data Collected
The Company collects and processes the following categories of personal data:
- Business Contact Information: Name, corporate email address, business telephone number, and physical mailing address.
- Employment Metadata: Job title, role, department, and organizational hierarchy.
- Technical Identifiers: Internet Protocol addresses, unique device hardware identifiers, browser operating system details, network routing paths, and cookie-based session identifiers.
- Platform Interaction Telemetry: Analytical data regarding features accessed, page navigation patterns, API request frequencies, and administrative console configuration histories.
- Inference Metadata: Prompt metadata, including transaction timestamps, targeted external models, and anonymized security policy violation metrics processed by the runtime gateway.
2. Legal Bases for Processing Under the GDPR
In accordance with Article 6 of the General Data Protection Regulation, the Company processes personal data under the following distinct legal bases:
- Performance of a Contract: Processing is necessary to perform our obligations under a valid agreement, including provisioning the software-as-a-service account, authenticating authorized users, and delivering customer support.
- Legitimate Interests: Processing is necessary to satisfy the legitimate interests of the Company or a third party, specifically in maintaining the security, integrity, and performance of the Platform, analyzing aggregate usage patterns to guide feature development, and identifying potential system abuses.
- Consent: Processing is conducted based on the explicit, freely given, and revocable consent of the data subject, such as the deployment of non-essential cookies or subscriptions to optional marketing communications.
3. Data Subject Rights
Subject to verification of identity and certain statutory exceptions, data subjects may exercise the following rights under applicable global privacy frameworks:
- Right of Access: The right to request and receive detailed information regarding the processing of their personal data, including a copy of the actual records held in a portable, structured format.
- Right to Rectification: The right to demand the immediate correction of inaccurate or incomplete personal data.
- Right to Erasure: The right to request the deletion of their personal data under specific conditions, such as when the data is no longer necessary for the original processing purposes.
- Right to Restrict or Object to Processing: The right to limit the scope of processing or object entirely to processing activities based on legitimate interests.
- Right to Portability: The right to request the direct transfer of their personal data to another service provider in a machine-readable format.
- Right to Withdraw Consent: The right to revoke previously granted processing consents at any time, without affecting the lawfulness of processing conducted prior to such withdrawal.
To exercise any of these rights, individuals may submit a validated request to the designated privacy officer at the contact details provided below.
4. Artificial Intelligence Data Safeguards and Minimization
To ensure compliance with the principles of privacy-by-design and privacy-by-default, the Platform incorporates specific structural safeguards:
- In-Transit Processing Only: The inline gateway operates as a transient processor. Real-time prompt payloads, user queries, and model completions are evaluated in temporary memory arrays and are not written to persistent storage databases unless the Client has explicitly configured the cryptographic audit vault feature for compliance purposes.
- Separation of Data: Prompt content and metadata metrics are completely segregated within the platform architecture, ensuring that administrative reporting tools cannot reconstruct or de-anonymize individual employee chat histories.
- No Third-Party Shared Access: Prompt payloads processed through the gateway are never transmitted to third parties or model providers for independent training, optimization, or evaluation purposes.
5. Data Retention, Localization, and Transfers
- Retention Limitations: Personal data shall be retained only for the minimum duration necessary to fulfill the specific processing purposes outlined in this policy, or as strictly required to comply with statutory legal records retention mandates.
- International Data Transfers: The Company operates a globally distributed hosting infrastructure. To the extent that personal data is transferred across international borders, including transfers outside the European Economic Area, the Company implements robust transfer safeguards. This includes the execution of standard contractual clauses approved by the European Commission or reliance on established adequacy decisions.
6. Contact Information and Inquiry Resolution
For questions, clarifications, or complaints regarding this Privacy Policy or our general data handling practices, individuals may contact us at:
- Email: privacy@vigil24.com
- Mailing Address: To be provided upon request.