Privacy Policy – Vecto

Last updated: March 14, 2026

This Privacy Policy explains how Vecto (“we”, “us”, “our”) collects, uses, and protects personal data when you use the Vecto application and related services.

If you have questions about this policy or your data, contact us at the email above.

1. Who this policy applies to

This policy applies to individuals who create an account and use the Vecto app.
The service is currently intended for individual users (B2C).

2. Data we collect

Account information

When you create an account, we collect:

• First name
• Last name
• Email address
• Password (stored securely and encrypted)

User content

You may store the following information in the app:

• Projects and sub-projects
• Tasks and actions
• Notes
• Planning data
• Due dates
• Estimated time needed
• Daily capacity and working days
• Task activity data (such as snooze counts or rollovers)

This content is stored so the app can function and provide planning features.

Voice command data

When you use voice commands, your browser’s built-in speech recognition (Web Speech API) converts your speech to text. Depending on your browser, this audio may be processed by the browser vendor’s servers (e.g., Google for Chrome). Vecto does not receive or store audio recordings — only the resulting text transcript is sent to our servers for processing.

Data from third-party integrations

If you connect an external service, we may retrieve and process additional data as described in section 6 below.

Technical data

We automatically process limited technical data necessary to operate the service:

• IP address
• Device/browser information
• Basic server logs

We do not use third-party analytics tools and do not track users for marketing purposes.

Support communications

If you contact us, we may store your message and contact details to respond.

3. How we use your data

We use personal data only to:

• Provide and operate the Vecto app
• Create and manage your account
• Store and display your tasks and planning
• Process payments and subscriptions
• Provide customer support
• Maintain security and prevent abuse
• Improve reliability and performance

We do not send marketing emails and do not sell personal data.

4. Legal basis (GDPR)

We process personal data under the following legal bases:

• Contract: to provide the Vecto service you signed up for
• Consent: for optional third-party integrations (Microsoft, Google) that you explicitly connect, and for AI-powered features (OpenAI) that you choose to use
• Legitimate interest: to maintain security, stability, and support
• Legal obligations: where required by law

5. Payments

Payments are handled by Stripe.
We do not store full payment card details.

Stripe may process:

• Billing information
• Payment method
• Transaction data

Stripe acts as an independent data controller for payment processing.
You can read Stripe’s privacy policy on their website.

6. Third-party integrations

Vecto offers optional integrations with third-party services. These integrations are only activated when you explicitly connect them in your account settings. Below we describe each integration, what data is involved, and how it is processed.

Microsoft (Outlook Calendar)

When you connect your Microsoft account, we access the Microsoft Graph API to:

• Read and write calendar events (to sync your Vecto planning with your Outlook calendar)
• Read your mailbox timezone setting (to display events in your local time)

We store an encrypted OAuth refresh token so the connection persists. We do not access your emails, contacts, or files. Microsoft acts as an independent data controller for your Microsoft account data. Your data may be processed by Microsoft in the United States; Microsoft provides safeguards under the EU–U.S. Data Privacy Framework and Standard Contractual Clauses.

Google (Google Calendar)

When you connect your Google account, we access the Google Calendar API to:

• Read your calendar events (to display them alongside your Vecto planning)
• Create and manage calendar events (to sync scheduled tasks to your Google Calendar)

We store an encrypted OAuth refresh token so the connection persists. We do not access your Gmail, Drive, or other Google services. Google acts as an independent data controller for your Google account data. Your data may be processed by Google in the United States; Google provides safeguards under the EU–U.S. Data Privacy Framework and Standard Contractual Clauses.

OpenAI (AI features)

Vecto uses OpenAI’s API to power AI features such as:

• Rewriting and summarizing meeting notes
• Voice commands (parsing spoken text into tasks or meeting agenda items)

When you use these features, relevant data is sent to OpenAI for processing. This may include task descriptions, meeting notes, voice command transcripts, and contextual data such as your project and meeting names. OpenAI acts as a data processor on our behalf. OpenAI does not use data sent via its API to train its models. Your data may be processed by OpenAI in the United States; OpenAI provides safeguards under the EU–U.S. Data Privacy Framework and Standard Contractual Clauses. OpenAI retains API inputs and outputs for up to 30 days for abuse monitoring, after which they are deleted.

Browser speech recognition (Web Speech API)

The voice command feature uses your browser’s built-in speech recognition to convert speech to text. In most browsers (such as Chrome and Edge), the audio is sent to the browser vendor’s servers (e.g., Google) for transcription. This processing is handled entirely by your browser and is subject to the browser vendor’s privacy policy. Vecto does not control or have access to this audio data.

Disconnecting integrations

You can disconnect any integration at any time via your account settings. When you disconnect, we delete the stored access and refresh tokens. Data that was already synced (e.g., calendar events displayed in your planning) may remain in our database until you delete it or your account.

7. Data storage and hosting

• Hosting: Microsoft Azure
• Database: Microsoft Azure
• Email services: Microsoft Azure
• Data is stored within the European Union

We take reasonable technical and organizational measures to protect data.

8. Data retention

• Active accounts: data is stored while your account exists
• After account deletion: data is retained for 30 days and then permanently deleted
• Backups may be introduced in the future and will be retained for a limited period only
• Basic server logs are retained only as long as necessary for security and stability

9. Your rights (EU/EEA users)

Under the GDPR, you have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your data
• Restrict processing
• Object to processing
• Request data portability

You can delete your account directly from within the app.
For other requests, email: support@vecto-app.com

We respond to requests within the legally required timeframe.

10. Data sharing

We do not sell or rent personal data.

We only share data when necessary with:

• Stripe — payment processing (independent data controller)
• Microsoft Azure — hosting infrastructure (data processor)
• Microsoft Graph API — Outlook Calendar sync, if connected by the user (Microsoft is independent data controller)
• Google Calendar API — Google Calendar sync, if connected by the user (Google is independent data controller)
• OpenAI API — AI features such as meeting note processing and voice command parsing (data processor)

These providers process data under appropriate agreements (Data Processing Agreements and/or Standard Contractual Clauses where applicable).

11. Cookies

We use only essential cookies required for login sessions and basic functionality.

We do not use:

• Tracking cookies
• Marketing cookies
• Third-party advertising cookies

You can disable cookies in your browser, but the app may not function properly.

12. Security

We take security seriously and implement reasonable safeguards, including:

• Encrypted connections (HTTPS)
• Secure password storage
• Access controls
• Infrastructure security via Azure

No system is 100% secure, but we continuously improve protections.

13. International data transfers

The service is primarily offered to users in the European Union. Our hosting and database infrastructure is located within the EU.

However, when you use third-party integrations (see section 6), your data may be transferred to and processed in the United States by Microsoft, Google, or OpenAI. These transfers are safeguarded by:

• The EU–U.S. Data Privacy Framework (where the provider is certified)
• Standard Contractual Clauses (SCCs) approved by the European Commission

If accessed from outside the EU, data is still processed within the EU where possible.

14. Changes to this policy

We may update this Privacy Policy from time to time.
If changes are significant, we will notify users through the app or email.

The latest version will always be available within the app or on our website.

15. Contact

For privacy questions or requests: