VeysaLabs Pte. Ltd. ("we", "us", "our") is registered in Singapore. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our synthetic eye tracking platform at veysalabs.com (the "Service"). We are committed to protecting your privacy and complying with the Singapore Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation (GDPR), and the UK GDPR.
01 Data Controller
VeysaLabs Pte. Ltd. is the data controller for personal data processed through the Service.
- Registered address: [YOUR REGISTERED ADDRESS], Singapore
- Data Protection Officer: [YOUR NAME]
- Contact: [email protected]
02 What Data We Collect
Account Data
When you create an account, we collect your email address and a hashed password (or authentication token if using third-party login). We do not store passwords in plain text.
Project and Image Data
When you use the Service, you upload images (JPEG, PNG, WebP) for analysis. We store these images, the generated heatmap overlays, and the associated Creative Effectiveness Report data (scores, metrics, recommendations).
Usage Data
We collect basic usage data including login timestamps, number of images processed, and feature usage. We do not use third-party analytics trackers. We do not track you across other websites.
Payment Data
Payment is processed by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. Stripe's own privacy policy governs payment data.
03 How We Use Your Data
- To provide the Service: processing your images, generating heatmaps and reports, storing project data.
- To authenticate you: verifying your identity when you log in.
- To communicate with you: service updates, security notifications, and support responses.
- To improve the Service: aggregated, anonymised usage statistics to understand feature adoption.
We do NOT use your uploaded images to train our AI models. Your creative assets remain your property and are never used for any purpose beyond generating your requested analysis.
04 Legal Basis for Processing (GDPR)
Under the GDPR, we process personal data on the following legal bases:
- Contract performance: processing your data is necessary to provide the Service you have subscribed to.
- Legitimate interest: basic usage analytics to maintain and improve the Service.
- Consent: where required, for example for marketing communications (which we do not currently send).
05 Data Storage and Security
Your data is stored using the following infrastructure:
- Database: Supabase (managed PostgreSQL). SOC 2 Type II certified.
- Image storage: Cloudflare R2 (S3-compatible object storage). ISO 27001 certified. All objects encrypted at rest (AES-256).
- AI inference: Modal (serverless GPU). SOC 2 Type II certified. Images are processed in memory and not persisted on inference servers.
- API hosting: Railway. All traffic encrypted in transit via TLS 1.3.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production systems is restricted to authorised personnel with multi-factor authentication.
06 Data Retention
We retain your data for the following periods:
- Account data: retained while your account is active, deleted within 30 days of account closure.
- Project and image data: retained while your account is active. You can delete individual projects or images at any time, and deletion is permanent.
- Usage data: retained for 12 months in aggregated form, then permanently deleted.
- Payment records: retained for 7 years as required by Singapore tax law (IRAS).
07 Your Rights
Under the GDPR and PDPA, you have the following rights:
- Access: request a copy of your personal data.
- Rectification: correct inaccurate personal data.
- Erasure: request deletion of your personal data ("right to be forgotten").
- Data portability: receive your data in a structured, machine-readable format.
- Restriction: request that we limit processing of your data.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact [email protected]. We will respond within 30 days.
08 International Data Transfers
Our infrastructure providers may process data outside of your jurisdiction. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers outside the EEA.
- Selecting infrastructure providers with SOC 2, ISO 27001, or equivalent certifications.
- Ensuring all subprocessors provide contractual commitments to data protection standards equivalent to GDPR.
09 Subprocessors
We use the following third-party services to provide the Service:
| Provider | Purpose | Location | Certification |
| --- | --- | --- | --- |
| Supabase | Authentication & database | AWS (configurable region) | SOC 2 Type II |
| Cloudflare | Object storage (R2) & CDN | Global | ISO 27001, SOC 2 |
| Modal | GPU inference (AI processing) | US (AWS/GCP) | SOC 2 Type II |
| Railway | API hosting | US/EU (configurable) | SOC 2 Type II |
| Stripe | Payment processing | US/Global | PCI DSS Level 1 |
10 Cookies
We use only essential cookies required for authentication (session tokens). We do not use advertising cookies, tracking cookies, or third-party analytics cookies. No cookie consent banner is required because we only use strictly necessary cookies.
11 Children
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.
12 Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.
13 Contact
For privacy-related enquiries or to exercise your data rights: