Privacy

Global Privacy Policy

Effective Date: January 4, 2026

We at VestAI LTD (together with our affiliates, “VestAI,” “we,” “our,” or “us”) respect your privacy and are committed to keeping secure any information we obtain from you or about you. This Privacy Policy describes our practices with respect to Personal Data when you access or use our websites, applications, and services (collectively, the “Services”).

This is a single global policy. Some sections include region-specific wording (for example, EEA/UK/Switzerland legal bases and rights, or U.S. state disclosures) because laws differ by location. Where local laws provide additional rights, those rights apply to you.

Quick orientation. We collect account data, content you submit, technical usage data, and certain third-party signals (e.g., payments/fraud). We use it to run and secure the Services, support you, improve the product (including AI model improvement where permitted), and comply with law.

Governance

1. Data Controller

VestAI LTD, a company incorporated under the laws of the Republic of Cyprus, with its registered office at Grigoriou Xenopoulou 4B, Agia Paraskevi, Germasogeia, 4049, Limmasol, is the entity responsible for processing your Personal Data as a controller (or equivalent concept under applicable law).

UK representative (if required). If we appoint a representative under Article 27 UK GDPR, their details will be added here and kept up to date.

For EEA matters, our lead supervisory authority is: Office of the Commissioner for Personal Data Protection (Cyprus). You may also lodge a complaint with your local EEA authority, the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable.

Collection

2. Personal Data We Collect

  • Account Information: name, contact details, credentials, date of birth (where needed), and subscription or transaction history. Payment details are processed securely by our payment processors; VestAI does not store full card numbers.
  • User Content: anything you submit to the Services (e.g., prompts, files, images, audio).
  • Communication Information: messages you send us (name, contact info, message content, support interactions).
  • Technical Information: IP address, browser/device type, timestamps, usage patterns, device identifiers, cookies and similar technologies.
  • Location Information: precise location is only collected if you enable location services; otherwise, location is inferred from your IP address.
  • Third-Party & Public Sources: data from partners (e.g., fraud/security services, payment processors) and publicly available information used to operate, develop, and secure our Services.

User Content and Derived Data

User Content includes information and materials submitted by users when interacting with the Services. VestAI may generate outputs based on such inputs and may create derived data (such as logs, metadata, embeddings, or system records) in order to operate, secure, and improve the Services. Derived data is used in accordance with this Privacy Policy and applicable law.

Purpose

3. How We Use Personal Data

  • Provide, maintain, and improve our Services.
  • Process payments and manage subscriptions (where applicable).
  • Communicate updates, support, and—where permitted—marketing.
  • Prevent fraud and abuse, and protect security and integrity.
  • Comply with legal obligations and establish, exercise, or defend legal claims.
  • Aggregate or de-identify data for analytics and research.
  • To train, fine-tune, and improve our AI models, where permitted by law and subject to your opt-out rights.

AI inference and training. VestAI processes user inputs to provide AI-driven inference services, including generating responses and insights requested by users. VestAI does not use personal data to train or fine-tune models for third-party reuse unless explicit consent is obtained or required by law.

Output handling. Outputs generated by the Services may reflect personal information provided by users. Users are responsible for ensuring that any use or sharing of such Outputs complies with applicable privacy and data protection laws.

Opt-out note. Where we offer model-training controls, you can use in-product settings (or contact us) to opt out, subject to applicable law and product limitations.

Sharing

4. Disclosure of Personal Data

  • Vendors & Service Providers: hosting, analytics, customer support, payment processors, etc., under contracts requiring processing only on our instructions with appropriate safeguards.
  • Affiliates: within our group to enable consistent service delivery.
  • Business Transfers: in connection with mergers, acquisitions, restructurings, or asset sales.
  • Legal & Safety: to comply with laws, enforce our terms, protect rights and property, detect abuse or fraud, and cooperate with regulators, courts, or law enforcement authorities.
  • Business Administrators: if you use a VestAI business/enterprise account, admins may access account data and Content subject to your organization’s policies.
  • Third-Party Integrations: when you choose to connect or share with external apps or users (governed by their policies).

Organizational accounts. In multi-user or organizational accounts, access to personal information is governed by role-based permissions and account settings defined by the account owner. VestAI implements technical and organizational measures to prevent unauthorized access across accounts.

Lifecycle

5. Retention

We retain Personal Data for no longer than is reasonably necessary for the purposes described in this Policy, unless a longer retention period is required by law (for example, for tax or accounting obligations).

Retention periods depend on data type, purpose, sensitivity, and legal obligations. Some data may be deleted or anonymized sooner per your settings or product behavior.

VestAI retains personal information only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Certain operational data (such as logs or security records) may be retained for a limited period for auditing, security, and reliability purposes, unless deleted earlier upon a valid user request.

Control

6. Your Rights

Depending on where you live, you may have rights under local privacy laws (for example, access, correction, deletion, portability, restriction or objection, and the right to withdraw consent where processing is based on consent).

  • Access, rectify, or delete your Personal Data.
  • Restrict or object to processing (where applicable).
  • Data portability (where applicable).
  • Withdraw consent at any time (where processing is based on consent).
  • Lodge a complaint with your local authority (including the EEA authority, the UK ICO, or the Swiss FDPIC, where applicable).

You may exercise many rights via your VestAI account or by contacting us at privacy@vestai.com. We will respond in accordance with applicable law.

Verification. We may request proof of identity to verify your request before we act on it.

Safety

7. Children

Our Services are not directed to children under 13 (or the minimum age required by law in your country), and we do not knowingly collect Personal Data from children.

If we become aware that we have collected Personal Data from a child in violation of this Policy, we will promptly delete it unless retention is legally required.

If you believe we have collected Personal Data from a child in violation of this section, please contact privacy@vestai.com and we will investigate and take appropriate action.

Protection

8. Security

We use industry-standard measures including encryption in transit and at rest, access controls, monitoring, and other technical and organizational safeguards to protect Personal Data.

However, no system is completely secure; please take care when deciding what to share.

Law

9. Legal Bases and Similar Concepts

Some privacy laws require us to explain the “legal bases” (or similar concept) for processing. When applicable (including under the GDPR/UK GDPR and Swiss law), we rely on:

  • Performance of a contract: to operate the Services and process your requests.
  • Legitimate interests: improve Services, ensure security, prevent fraud, and conduct research (balanced against your rights).
  • Legal obligations: compliance with laws and regulations.
  • Consent: for certain marketing communications, cookies, or other processing where required.

In other jurisdictions, we process Personal Data consistent with the permissions and requirements of applicable law (for example, with your consent, to provide a requested service, for compliance, or for our legitimate business purposes such as security and product improvement).

Transfers

10. International Data Transfers

We may process data on servers outside your country, including the United States and other jurisdictions. These countries may have different data protection laws.

Where required by law, we use appropriate safeguards for cross-border transfers, such as: adequacy decisions, Standard Contractual Clauses (SCCs), UK transfer mechanisms (e.g., IDTA/UK Addendum), and other lawful measures.

You may request a copy of our Standard Contractual Clauses or other transfer safeguards by contacting privacy@vestai.com.

Cookies

11. Cookies and Similar Technologies

We use cookies, SDKs, and similar technologies to operate the Services, measure performance, and (where permitted) personalize content.

Consent. Where required by law, we obtain your consent before placing non-essential cookies. You may withdraw consent at any time via our cookie banner or browser settings.

Updates

12. Changes to This Policy

We may update this policy from time to time. Revised versions and effective dates will be posted here, unless another form of notice is required by law.

If we make material changes that affect your rights, we will provide additional notice, such as by email or in-app message.

Contact

13. How to Contact Us

For questions or requests, email privacy@vestai.com or write to:

VestAI LTD

Grigoriou Xenopoulou 4B, Agia Paraskevi, Germasogeia, 4049, Limmasol

Republic of Cyprus

Data Protection Officer. If VestAI appoints a Data Protection Officer, their name and contact details will be published here. If applicable, you may contact the DPO at dpo@vestai.com.