Privacy Policy

(a) Account data: email, name, hashed password (bcrypt). (b) Content data: files you upload, annotations, comments. (c) Usage data: access logs, browser/device info. (d) Payment data: handled directly by PayPal — we only receive transaction status, never card numbers.

Data is used to operate the Service (display files, send notifications, authorize access), process payments, respond to support, improve the product (aggregate analytics), and meet legal obligations.

We share minimum necessary data with: (a) Vultr Singapore (S3 storage), (b) PayPal (USD payments), (c) Anthropic via XessOne AI Gateway (comment processing when you click "Summarize" or "Draft AI" — Anthropic explicitly does NOT train models on API data), (d) MXroute (transactional email).

Files and primary data are stored on servers in Singapore (Vultr sgp1). The database runs on Vultr Singapore (sgp2) with PostgreSQL 17 and disk encryption. We do not move your data outside Asia without notice.

Active account data is kept while you have an account. After account deletion, personal data is removed within 30 days. Technical logs (no PII) are retained up to 90 days for security auditing.

You have the right to: (a) access your data, (b) correct inaccurate data, (c) delete your account and all content, (d) export your data (request via email), (e) withdraw consent to AI processing at any time by not using AI features.

We use a session cookie (`viscollab_session` — JWT, HTTP-only) and a language preference (`viscollab_locale`). For analytics we use XessOne Analytics, which is cookieless and does not track individual users across sites.

Full details in the Data Security page. In short: TLS 1.3 in transit, encryption at rest, JWT HS256, 24-hour presigned S3 URLs, per-workspace access control, bcrypt password hashing.

The Service is intended for users aged 17 and older. We do not intentionally collect data from minors.

Material changes will be announced at least 14 days before taking effect. Questions: hello@viscollab.com.