Privacy Policy

1. Who we are

Vashor is a marketing intelligence service that helps teams compare ad drafts against brand strategy and brand knowledge. This Privacy Policy applies to vashor.io, the Vashor web application, and the Vashor browser extension.

Prior to formal corporate incorporation, the Vashor service and related data processing are operated and managed directly by the founding team.

2. Information we collect

We collect the information needed to provide and secure the service:

• account information, such as name, email address, login method, role, team membership and session metadata;
• brand workspace content, such as uploaded brand documents, extracted brand knowledge, strategy fields, segments, corrections, monitoring sources and saved ad drafts;
• ad-check content, such as Google Ads or sandbox field snapshots containing text headlines, descriptions and structural elements that users submit for strategy checks;
• usage and diagnostics data, such as request logs, security events, audit history, UI session recordings, browser type, IP address and approximate geographic location derived from IP;
• communications you send to us, including support, privacy and administrative requests.

Because the Vashor browser extension operates inside live advertising interfaces, it is designed to read only ad-creation fields needed for strategy checks. We do not inspect, collect, read or transmit advertising-account credentials, banking or payment-card details, billing records or payment methods. We do not intentionally collect government identifiers, medical information or children's data.

3. Categories of personal information (CCPA)

For California residents, the categories of personal information we collect, as defined by Cal. Civ. Code §1798.140, are:

• Identifiers — name, email address, account ID, IP address.
• Commercial information — workspace plan and invoice metadata if a paid plan applies.
• Internet or other electronic network activity — request logs, audit history, UI session recordings, browser type and version.
• Geolocation data — approximate geographic location derived from IP (city/region level; we do not collect precise GPS coordinates).
• Professional or employment information — your role on a workspace team, such as Platform Admin, Owner, Director or PPC.
• Inferences — none drawn about personal traits for advertising, profiling or behavioural targeting.

We collect these categories directly from you, automatically when you use the service, or from your employer or workspace administrator when they invite you. We use them for the business purposes described in section 4. We retain each category as described in section 11.

4. How we use information

We use information to:

• operate the product, authenticate users and enforce account permissions;
• process brand documents, build brand strategy, answer knowledge questions and run ad strategy checks;
• show audit history, product diagnostics, support context and security events;
• detect abuse, debug product issues and improve reliability;
• comply with legal, security and operational obligations.

Google API Limited Use. The use and transfer to any other app of information received from Google APIs and Chrome extension APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

5. AI processing

Vashor uses AI inference for document understanding, brand-knowledge answers, ad strategy checks, summaries and Strategy Compliance Index evaluations. When requests are routed through OpenRouter, Vashor configures OpenRouter to use only endpoints and providers that operate under Zero Data Retention ("ZDR") terms.

Under OpenRouter ZDR, OpenRouter only routes requests to endpoints with a Zero Data Retention policy. Prompts and outputs are not retained by OpenRouter unless prompt logging is explicitly enabled, and providers that do not retain your data are also unable to train on it.

Vashor does not use Customer Content, brand guidelines, ad drafts or Strategy Compliance Index scores to train its own general-purpose AI models. We do not authorize any model provider to use Customer Content for their own training or unrelated purposes.

6. Service providers and subprocessors

We do not sell user data or personal information, we do not use or transfer it for purposes unrelated to providing Vashor (such as advertising, marketing, profiling or AI training), and we do not use it to determine creditworthiness or for lending purposes.

We use a small number of service providers ("subprocessors") strictly to operate Vashor. They process data only on our instructions and are not permitted to use it for their own purposes. Current subprocessor categories:

• Hosting — Contabo (United States): production servers, databases and object storage.
• AI inference routing — OpenRouter (United States): model requests routed through OpenRouter, configured for Zero Data Retention.
• Authentication — Google LLC (United States): optional Google login (ID token verification only; we do not request offline access or third-party scopes).
• Product analytics — Google Analytics / Google LLC (United States): product usage analytics for pages, traffic and feature usage.
• Email delivery — transactional email provider, if configured, for account, security and invitation emails.

A current list of named subprocessors is available on request to support@vashor.io. We will provide reasonable advance notice of material new subprocessors.

7. Storage and location

Vashor production data is stored on infrastructure located in the United States. Customer workspaces, documents, extracted knowledge, ad-check snapshots, operational logs and audit history are stored in the United States. AI inference may be performed by OpenRouter and the model providers it routes to under the Zero Data Retention configuration described in section 5.

8. International data transfers

Vashor is a United States service. If you access Vashor from outside the United States, including from the European Economic Area, the United Kingdom, Switzerland or other jurisdictions, your personal information will be transferred to and processed in the United States, which may have different data-protection rules than your home jurisdiction.

Where required, we rely on appropriate transfer mechanisms (for example, the EU Standard Contractual Clauses) for transfers from those jurisdictions to the United States. You may contact us at support@vashor.io to request more information about the transfer mechanism used.

9. Cookies and similar technologies

Vashor uses a small set of cookies and similar local-storage technologies to operate the product, keep sessions secure, remember preferences and understand product usage:

• Authentication cookies and JSON Web Tokens to keep you securely signed in.
• Preference storage for UI choices (language, layout, current brand).
• Product analytics identifiers used by Google Analytics to understand page traffic and feature usage.
• Self-hosted diagnostic and session-replay events stored in Vashor's own database for product diagnostics and support reproduction.

We do not use advertising cookies or cross-site advertising pixels, and we do not configure Google Analytics for ad retargeting. You can clear cookies and local storage through your browser; doing so will sign you out and reset preferences.

10. Sensitive personal information

We do not knowingly collect "sensitive personal information" as that term is defined by the California Consumer Privacy Act (CCPA), including precise geolocation, government identifiers, account credentials of other services, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric data, health data, or sex-life or sexual-orientation data. Do not submit sensitive personal information through Vashor.

11. Security

We use access controls, role-based permissions, encrypted transport (TLS), operational logging and security monitoring to protect data. No system is perfectly secure, but we work to limit access to people and systems that need it to operate or support the product. If we become aware of a breach affecting your personal information, we will notify you and applicable authorities as required by law.

12. Retention

We retain personal information for the periods needed to operate the service and meet legal obligations:

• Account and workspace data — for the lifetime of the account, then up to 12 months after deletion or termination to preserve audit history and resolve disputes.
• Customer Content (documents, strategy, ad drafts, monitoring sources) — for the lifetime of the workspace; deleted from active systems after workspace deletion, subject to legal, security and operational retention limits.
• Audit and security logs — up to 24 months.
• Operational diagnostics and request logs — up to 90 days for full payload, up to 24 months in aggregated form.
• UI session recordings — up to 90 days.

Ad-check data — the Google Ads draft fields (headlines, descriptions, keywords and related elements) submitted for a strategy check — is used only to return the check result. It is deleted on user request or when the workspace is deleted.

We may retain information longer where required by law, by an investigation, or to enforce our Terms of Service.

13. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, port or receive a copy of your personal information, and to object to or limit certain processing.

California residents (CCPA / CPRA). You have the right to know what personal information we collect about you, to delete it, to correct inaccurate information, to opt out of sale or sharing and to limit the use of sensitive personal information. Vashor does not sell or share personal information as those terms are used by the CCPA, and we do not collect sensitive personal information as defined by the CCPA. You also have the right not to be discriminated against for exercising any of these rights.

EEA, UK and Switzerland residents. You have rights under the GDPR and equivalent laws to access, rectify, erase, restrict or object to processing, and to data portability. You may also lodge a complaint with your local supervisory authority.

To exercise any of these rights, email support@vashor.io. We may need to verify your identity before responding.

14. Children

Vashor is intended for business users and is not directed to children under 13. We do not knowingly collect personal information from children under 13. Do not use Vashor if you are under 13.

15. Changes

We may update this Privacy Policy as the service changes. The updated version will be posted on this page with a new effective date. If we make material changes, we will notify account holders by email or through an in-product notice before the changes take effect.

16. Contact

For privacy requests, questions about this policy or to request the current subprocessor list, contact us at support@vashor.io.