Privacy & Policy Notice
Comprehensive data protection and AI transparency policy
Last updated: January 2025 | Effective date: January 2025
1. Introduction
VEX ("we," "our," or "us") is committed to protecting your privacy and ensuring transparency in how we collect, use, and process your personal data. This Privacy & Policy Notice outlines our practices in compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.
This policy applies to all users of our AI-powered photo enhancement platform, including visitors to our website, users of our services, and individuals whose data we process. By using our services, you acknowledge that you have read and understood this policy.
Important AI Disclosure: Our services utilize artificial intelligence and machine learning technologies to process and enhance images. This policy specifically addresses how your data is used in AI processing, model training, and the rights you have regarding AI-generated outputs.
Data Controller Information
Data We Collect
Personal Data
We collect the following categories of personal data:
- Account Information: Email address, name, password (encrypted), and profile information you provide during registration
- Payment Information: Billing address, payment method details (processed securely through third-party payment processors)
- Uploaded Content: Photographs and images you upload for enhancement processing
- Usage Data: Service usage patterns, feature interactions, session duration, and frequency of use
- Device Information: IP address, browser type, device identifiers, operating system, and mobile network information
- Communication Data: Email communications, support tickets, and feedback you provide
AI-Specific Data
For AI processing, we additionally collect:
- Image Metadata: Technical information about uploaded images (resolution, format, dimensions)
- Processing Inputs: Enhancement parameters and settings you select
- AI Model Interactions: Data about how you interact with AI-generated outputs and feedback provided
- Derived Data: Inferences and patterns generated by our AI systems from your usage
How We Collect Data
We collect data through the following methods:
- Direct Collection: Information you provide when creating an account, uploading images, or communicating with us
- Automated Collection: Data collected automatically through cookies, web beacons, and similar technologies
- Third-Party Sources: Data from payment processors, analytics providers, and identity verification services
Purposes and Legal Basis for Processing
We process your personal data for the following purposes, each with its specified lawful basis under GDPR:
Service Provision (Article 6(1)(b) - Contract Performance)
To provide, maintain, and improve our photo enhancement services, process your uploaded images, deliver AI-generated outputs, and enable account functionality.
Service Improvement (Article 6(1)(f) - Legitimate Interest)
To improve our services through aggregated usage analytics and performance monitoring. We have conducted a legitimate interest assessment confirming that our interest in service quality outweighs your privacy interests, given the safeguards we implement.
Your Right to Object: You may object to this processing by contacting us at info@vexai.ai.
Security and Fraud Prevention (Article 6(1)(f) - Legitimate Interest)
To detect, prevent, and address technical issues, fraud, security threats, and abuse of our services.
Communication (Article 6(1)(a) - Consent)
To send you service-related communications, updates, and marketing materials (where you have provided explicit consent).
Legal Compliance (Article 6(1)(c) - Legal Obligation)
To comply with applicable laws, regulations, court orders, or government requests.
Business Operations (Article 6(1)(f) - Legitimate Interest)
To conduct business analytics, improve our services, develop new features, and manage our relationship with you.
Third-Party AI Services and Data Processing
AI Service Providers
Our services utilize third-party AI platforms to process and enhance your images. We currently use:
- Google Cloud Vision API (nanobanana): For image analysis and enhancement processing
- OpenAI/ChatGPT Models: For additional image processing and analysis capabilities
Data Processing by Third-Party AI Providers
When you upload images to our service, they may be transmitted to these third-party AI providers for processing. We have agreements with these providers that govern how your data is handled:
- Your data is processed only for the specific purpose of providing our image enhancement services
- We do not authorize these providers to use your data to train their models without your explicit consent
- Each provider has its own privacy policy and terms of service that govern their data handling practices
- Data retention by third-party providers is subject to their respective policies
Provider-Specific Privacy Policies
We encourage you to review the privacy policies of our AI service providers:
- Google Cloud Privacy: cloud.google.com/security/privacy
- OpenAI Privacy Policy: openai.com/policies
Your Choices Regarding Third-Party AI Processing
You have the following options:
- Opt-Out: You may opt out of using AI-enhanced features through your account settings
- Account Deletion: Deleting your account will remove your data from our systems and we will request deletion from third-party providers where possible
- Data Removal Request: You may request removal of specific images from our systems at any time
AI Output Accuracy
AI-generated outputs are probabilistic and may not always be perfect. We strive for high quality but cannot guarantee that every enhancement will meet your expectations. You should review outputs and use them at your discretion.
Data Sharing and Third Parties
We Do Not Sell Your Data
We never sell your personal data to third parties for their marketing purposes.
Third-Party Service Providers
We share data with the following categories of service providers to operate our services:
- Cloud Infrastructure Providers: AWS, Google Cloud, or similar providers for hosting and data storage
- AI Processing Services: Google Cloud Vision API and OpenAI for image processing
- Payment Processors: Stripe, PayPal, or similar for payment processing
- Analytics Services: Google Analytics or similar for usage analytics
- Email Services: For transactional and marketing communications
- Customer Support Tools: For managing support requests
Data Transfer Safeguards
All third-party providers are contractually bound to:
- Protect your data with security measures equivalent to or greater than ours
- Use data only for the specific purposes we authorize
- Not use data for their own training or improvement without separate consent
- Delete or return data upon request or contract termination
International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Compliance with the UK GDPR international transfer requirements
- Additional safeguards where required by law
Data Retention
We retain your personal data for different periods depending on the purpose:
Account Data
Retained while your account is active. Upon account deletion, most data is removed within 30 days, except as required for legal compliance.
Uploaded Images
Retained for 30 days after processing to allow re-downloading. You may request immediate deletion at any time. Images used in AI training are anonymized and may be retained in aggregated form.
Service Analytics Data
Aggregated usage analytics may be retained for service improvement purposes. Personal identifiers are removed from analytics data.
Payment and Transaction Records
Retained for 7 years to comply with tax and accounting requirements.
Analytics and Usage Data
Retained for 24 months in identifiable form, after which it is aggregated and anonymized.
Deletion and Anonymization
When data is no longer needed for its original purpose, we securely delete it using cryptographic erasure or physical destruction. For data that must be retained for legal reasons, we implement access restrictions and anonymization where possible.
Your Data Protection Rights
Under GDPR, CCPA, and other data protection laws, you have the following rights:
Right to Access (Article 15 GDPR)
You can request a copy of all personal data we hold about you, including information about how it's processed.
Right to Rectification (Article 16 GDPR)
You can request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17 GDPR)
You can request deletion of your personal data when it's no longer necessary for the purposes for which it was collected, or when you withdraw consent.
Note: For data processed by third-party AI providers, deletion requests will be forwarded to those providers, but we cannot guarantee deletion from their systems as this is subject to their policies and technical capabilities.
Right to Restrict Processing (Article 18 GDPR)
You can request restriction of processing while we verify the accuracy of your data or assess your objection to processing.
Right to Data Portability (Article 20 GDPR)
You can request your data in a structured, commonly used format for transfer to another service.
Right to Object (Article 21 GDPR)
You can object to processing based on legitimate interest, including AI model training. We will stop processing unless we have compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time through your account settings or by contacting us.
CCPA Rights (for California Residents)
California residents have the right to know what personal data is collected, used, or shared; the right to delete; the right to non-discrimination; and the right to opt-out of the sale of personal data (though we do not sell data).
How to Exercise Your Rights
To exercise any of these rights:
- Email us at info@vexai.ai
- Use the data management tools in your account settings
- Submit a request through our support portal
We will respond to your request within 30 days (or 45 days for complex requests) and may request verification of your identity.
Data Security Measures
We implement industry-standard security measures to protect your data:
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
- Access Controls: Strict access controls with principle of least privilege and multi-factor authentication for staff
- Regular Security Assessments: Annual penetration testing and continuous security monitoring
- Secure Development: Security-by-design practices and regular code reviews
- Incident Response: Established procedures for detecting, responding to, and reporting security incidents
- Employee Training: Regular security and privacy training for all personnel
While we take all reasonable measures to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Essential Cookies: Required for basic site functionality and security
- Analytics Cookies: Help us understand how visitors use our site
- Preference Cookies: Remember your settings and preferences
- Marketing Cookies: Used with your consent for personalized marketing
You can manage cookie preferences through:
- Our cookie consent banner
- Your browser settings
- Your account preferences
Children's Privacy
Our services are not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@vexai.ai, and we will take steps to delete such information.
If we become aware that we have collected personal data from a child under 18 without verification of parental consent, we will take steps to remove that information from our servers.
Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated through:
- Email notification to registered users
- Notice on our website
- In-app notifications
Continued use of our services after changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
International Data Transfers
Our services are global, and your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards for international transfers:
- EU to US Transfers: We use Standard Contractual Clauses (SCCs) approved by the European Commission
- UK to Non-UK Transfers: We use UK International Data Transfer Agreements (IDTAs) or SCCs with UK addendum
- Other Transfers: We use appropriate safeguards as required by applicable law
You may request a copy of the safeguards we use by contacting us at info@vexai.ai.
Contact Information
For questions, concerns, or requests regarding this privacy policy or your personal data:
Email: info@vexai.ai
Website: vexai.ai
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction, particularly in the EU member state where you reside or work, or where an alleged infringement of data protection laws has occurred.