Privacy Policy — Veysa Labs

01 Data Controller

VeysaLabs Pte. Ltd. ("we", "us", "our") is registered in Singapore. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our synthetic eye-tracking platform at veysalabs.com and app.veysalabs.com (the "Service").

We are committed to complying with the Singapore Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation (GDPR), and the UK GDPR.

Registered address: [REGISTERED ADDRESS], Singapore
Data Protection Officer: Andy
Contact: privacy@veysalabs.io

02 What Data We Collect

2.1 Account Data

When you create an account using email, we collect your email address, display name, and a hashed password. We do not store passwords in plain text.

2.2 Google OAuth Data

If you sign in with Google, we receive and store the following from your Google account:

Your Google account ID (a unique identifier, known as "sub")
Your display name
Your email address
Your profile picture URL

We do not access your Google contacts, calendar, files, or any other Google data beyond the above.

2.3 Project and Image Data

When you use the Service, you upload images (JPEG, PNG, WebP, PDF) for analysis. We store these images, the generated heatmap overlays, and the associated Creative Effectiveness Report data (scores, metrics, recommendations).

2.4 Usage and Analytics Data

We collect usage data including login timestamps, number of images processed, and feature usage. We also use Google Tag Manager (GTM) and Google Analytics to collect anonymised browsing data such as pages visited, session duration, and approximate geographic location. These analytics services may set cookies on your device (see Section 10).

2.5 Payment Data

Payment is processed by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. Stripe's own privacy policy governs payment data handling.

03 How We Use Your Data

To provide the Service: processing your images, generating heatmaps and Creative Effectiveness Reports, storing project data.
To authenticate you: verifying your identity when you log in, including via Google OAuth.
To communicate with you: transactional emails (welcome, password reset, team invitations), service updates, security notifications, and support responses. These are sent via Resend.
To improve the Service: aggregated, anonymised analytics via Google Analytics to understand feature adoption and usage patterns.
Marketing communications: only with your explicit consent. You can opt in or out of marketing emails at any time via your account settings or by using the unsubscribe link in any marketing email.

We do NOT use your uploaded images to train our AI models. Your creative assets remain your property and are never used for any purpose beyond generating your requested analysis.

04 Legal Basis for Processing (GDPR)

Under the GDPR, we process personal data on the following legal bases:

Contract performance: processing your data is necessary to provide the Service you have subscribed to (account data, image processing, report generation).
Legitimate interest: aggregated analytics to maintain, secure, and improve the Service.
Consent: for analytics cookies set by Google Tag Manager/Google Analytics, and for marketing communications. You may withdraw consent at any time.

05 Data Storage and Security

Your data is stored using the following infrastructure:

Database: Replit-managed PostgreSQL — stores account data, project metadata, and analysis results.
Image storage: Replit Object Storage — stores uploaded images and generated heatmaps.
GPU inference: Modal (AWS/GCP) — processes images through our saliency prediction model. Images are held in memory during processing only and are not persistently stored by Modal.

We implement the following security measures:

All data is transmitted over HTTPS/TLS encryption.
Passwords are hashed using industry-standard algorithms (bcrypt). We never store plaintext passwords.
Authentication tokens have defined expiry periods.
Access to production systems is restricted to authorised personnel only.

06 Data Retention

We retain your data as follows:

Account data: retained for the duration of your active account. Deleted within 30 days of account deletion.
Uploaded images and reports: retained while your account is active and for 30 days after account deletion.
Usage/analytics data: retained in anonymised/aggregated form. Google Analytics data retention is configured per Google's standard settings.
Payment records: retained as required by applicable tax and accounting regulations (typically 7 years).

07 Your Rights

Depending on your jurisdiction, you have the following rights:

Access: request a copy of the personal data we hold about you.
Rectification: request correction of inaccurate or incomplete data.
Erasure: request deletion of your personal data ("right to be forgotten").
Portability: request your data in a structured, machine-readable format.
Restriction: request we limit how we process your data.
Objection: object to processing based on legitimate interest.
Withdraw consent: withdraw consent for analytics cookies or marketing communications at any time.

To exercise any of these rights, contact us at privacy@veysalabs.io. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. For EU residents, this is your national supervisory authority. For Singapore residents, this is the Personal Data Protection Commission (PDPC).

08 International Data Transfers

Our infrastructure providers may process data outside of your jurisdiction. We ensure adequate protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission for transfers outside the EEA, where available.
Selecting infrastructure providers with industry-standard security certifications.
Ensuring all subprocessors provide contractual commitments to data protection standards equivalent to GDPR requirements.

09 Subprocessors

We use the following third-party services to provide the Service:

Provider	Purpose	Data Processed	Location
Replit	API hosting, database, file storage	All account, project, and image data	US
Modal	GPU inference (AI image processing)	Uploaded images (in-memory during processing)	US (AWS/GCP)
Google	OAuth authentication, analytics (GTM/GA)	Google account ID, name, email, profile picture; anonymised browsing data	US/Global
Resend	Transactional and marketing email delivery	Email address, display name	US
Stripe	Payment processing	Payment method details (managed by Stripe)	US/Global

10 Cookies

We use the following categories of cookies:

Essential Cookies

Required for the Service to function. These include authentication session tokens. No consent is required for essential cookies.

Analytics Cookies

We use Google Tag Manager and Google Analytics to understand how visitors use our website. These services may set the following cookies:

Cookie	Provider	Purpose	Duration
_ga	Google Analytics	Distinguishes unique visitors	2 years
_gid	Google Analytics	Distinguishes unique visitors	24 hours
_gat	Google Analytics	Throttles request rate	1 minute

Analytics cookies are only set with your explicit consent. When you first visit our site, a cookie consent banner will ask for your permission. You can change your cookie preferences at any time. If you decline analytics cookies, no tracking cookies will be set and your browsing will not be tracked.

We do not use advertising cookies or share browsing data with advertisers.

11 Children

The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

12 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 14 days before they take effect. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

13 Contact

For privacy-related enquiries or to exercise your data rights:

Email: privacy@veysalabs.io
Data Protection Officer: Andy
VeysaLabs Pte. Ltd., [REGISTERED ADDRESS], Singapore