Vexly Privacy Policy

This Privacy Policy applies to:

• Visitors to our website
• Customers and authorized users who create accounts
• Users who connect third-party integrations and channels (for example, Slack, Discord)
• Users who submit prompts/messages, upload documents, or otherwise provide content to the Service

This Privacy Policy does not cover third-party services you connect (for example, Slack/Discord, cloud providers, or other tools). Their privacy practices are governed by their own policies.

Customer Content

Content you or your authorized users provide to the Service, including prompts/messages, uploaded documents, configuration data, and content retrieved from connected tools and channels at your direction.

Integrations / Channels

Third-party tools or communication platforms you connect to the Service.

Output

Responses, summaries, classifications, suggested actions, tool results, and other outputs generated or returned by the Service.

LLM Providers

Third-party model providers that may process Customer Content to generate Output.

A) Information you provide directly. We may collect:

• Account information (for example, name, email, organization, login credentials or authentication tokens where applicable)
• Billing information (for example, subscription plan, payment status, invoices). Payment card data is typically handled by our payment processor (we generally receive limited billing metadata, not full card numbers).
• Customer Content, including: prompts/messages sent to the Service; uploaded documents; agent configuration settings; and data retrieved from Integrations/Channels at your direction.

B) Information from Integrations and Channels (when you connect them). If you connect third-party Integrations or Channels, we may collect and process information from them as authorized by you and within the scopes/permissions you grant, such as:

• Message content and metadata (for example, Slack/Discord content where the Service is installed and configured)
• Tool data and results returned from connected services (for example, knowledge bases, repositories, cloud resources, ticketing tools)

C) Automatic collection (device, usage, and logs). We may automatically collect:

• Usage data (features used, actions taken, timestamps, credit consumption, basic performance metrics)
• Device and connection data (IP address, browser type, device identifiers, OS, referring URLs)
• Log data (system logs, error reports, diagnostic events)

D) Cookies and similar technologies. We may use cookies or similar technologies to:

• Keep you signed in
• Maintain preferences
• Improve reliability and performance
• Measure usage of our website and Service

You can control cookies through your browser settings; some features may not function without them.

• Provide and operate the Service, including generating Output and running agent workflows you request
• Process and store Customer Content to support retrieval, context, and responses
• Maintain security and prevent fraud/abuse, and enforce our Terms and Acceptable Use Policy
• Provide customer support and troubleshoot issues
• Improve and develop the Service, including reliability, performance, and feature adoption analytics (including aggregated and/or de-identified metrics)
• Billing and account administration, including subscriptions, invoices, and plan enforcement
• Comply with legal obligations and respond to lawful requests

To generate Output, the Service may send certain Customer Content to LLM Providers (for example: prompts, relevant tool results, and document excerpts) for processing. We limit what is shared to what is reasonably necessary to provide the Service.

Important: Output may be inaccurate or incomplete; you are responsible for verifying Output before relying on it.

Default: No Training on Your Customer Content. By default, we do not use Customer Content to train or fine-tune Vexly models. Where provider controls allow, we do not permit LLM Providers to use your Customer Content to train their models.

Optional opt-in (if offered). If we offer an option to allow certain Customer Content to help improve the Service (for example, evaluation or fine-tuning), we will present a clear opt-in control (for example, in dashboard data controls). You can opt out at any time using the provided controls and/or by contacting aiden.le@mail.vexly.io.

Aggregated/De-Identified usage data. We may use aggregated and/or de-identified usage metrics to operate and improve the Service, provided such data does not identify you or include Customer Content in identifiable form.

A) Service providers (subprocessors). We may share information with vendors that help us operate the Service, such as:

• Cloud hosting and infrastructure providers
• Database and logging/monitoring providers
• Analytics providers (limited to usage/performance measurement)
• Customer support tooling
• Payment processors (for billing)

These providers are authorized to process information only to provide services to us and are expected to protect it.

B) LLM Providers. As described above, limited Customer Content may be shared with LLM Providers to generate Output.

C) With your connected services. When you connect Integrations/Channels, we may send requests and data back to those services as needed to perform tasks you request (within your configured permissions).

D) Legal, safety, and enforcement. We may disclose information if we believe disclosure is reasonably necessary to comply with law or legal process; protect rights, safety, and security of Vexly, customers, or the public; or investigate or prevent fraud, abuse, or security incidents.

E) Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.

We retain personal data and Customer Content for as long as necessary to:

• Provide the Service and support your account
• Comply with legal obligations
• Resolve disputes and enforce agreements
• Maintain security and prevent abuse

Retention periods can vary based on the type of data, contractual requirements, and legal obligations. We may delete or anonymize Customer Content upon account termination, subject to legal retention requirements and any settings disclosed in the dashboard.

Alpha Period. During the alpha period, data retention practices may change as we develop and refine the Service. Customer Content and associated data may be deleted, reset, or migrated as part of development updates or infrastructure changes. We recommend maintaining independent backups of any important data you provide to the Service during the alpha phase.

We use administrative, technical, and organizational measures designed to protect information. However, no security measure is perfect, and we cannot guarantee absolute security. If you suspect unauthorized access, contact aiden.le@mail.vexly.io.

You are responsible for safeguarding credentials, API keys, OAuth tokens, and channel tokens, and for configuring appropriate permissions/scopes for Integrations.

Unless we expressly agree in writing, the Service is not intended for:

• HIPAA-regulated protected health information
• PCI DSS payment card data
• Highly sensitive government identifiers (for example, Social Security numbers) at scale
• Other regulated sensitive data requiring specialized compliance not offered by Vexly

Do not upload or process such data in the Service unless you have a written agreement with us covering that compliance scope.

Depending on where you live, you may have rights to:

• Access, correct, or delete personal data
• Object to or restrict processing
• Request data portability
• Withdraw consent (where processing is based on consent)

To submit a request, contact aiden.le@mail.vexly.io. We may need to verify your identity and/or authority to act.

Business accounts (controller/processor). If you use the Service through an organization, that organization may be the "controller" of certain personal data in Customer Content and Vexly may act as a "processor" on its behalf. Requests may need to be directed through your organization.

We may process and store information in the United States and other locations where we or our service providers operate. If required by applicable law, we use appropriate safeguards for cross-border transfers.

The Service is not directed to children, and you must be at least 18 years old (or the age of majority where you live) to use the Service. We do not knowingly collect personal data from children.

We may update this Privacy Policy from time to time. We will post the updated version with a new "Last Updated" date and may provide additional notice for material changes (for example, by email or in-product notice). Continued use of the Service after changes take effect means you accept the updated Privacy Policy.