Privacy Policy.

• Account information: email, name, profile fields, timezone, and authentication metadata.
• Usage information: product actions, task history, logs, and performance/diagnostic events.
• Communication data: support messages, inbound/outbound emails, and related metadata.
• Integration data: tokens and metadata for connected third-party services you authorize.
• Device/network data: IP address, user agent, and session/cookie identifiers.
• Marketing identifiers: Meta Pixel identifiers such as _fbp and _fbc.
• Advertising data: campaign performance metrics, ad creative metadata, targeting parameters, and conversion events (including hashed email and user ID) sent to advertising platforms via server-side APIs.
• Billing data: saved payment method identifiers (stored by Stripe; we do not store full card numbers), transaction records, ad spend charges, and Stripe Connect account identifiers for withdrawals.
• Customer payment data: transaction records, subscription status, and chargeback/dispute metadata for payments your customers make through the Service (processed by Stripe).
• Infrastructure credentials: database connection strings, API tokens, and deployment configuration for provisioned cloud resources, stored encrypted (AES-256-GCM).
• AI generation data: prompts, generated media (video, image, audio), and associated metadata.
• Browser session data: URLs visited, page content, screenshots, and form interaction data from automated browser sessions operated by agents on your behalf.

• Provide and secure the service, including authentication and account management.
• Execute autonomous and user-triggered workflows using your settings and connected tools.
• Create, manage, and optimize advertising campaigns on your behalf, including transmitting conversion events to advertising platforms for campaign optimization.
• Send outbound communications on your behalf or at your direction.
• Provision and manage cloud infrastructure resources, including storing and using credentials for infrastructure services.
• Generate AI content (text, video, image, audio) using third-party AI model providers.
• Operate automated browser sessions on your behalf.
• Process billing, subscriptions, customer payments, and payment operations including daily ad spend charges and withdrawal payouts via Stripe Connect.
• Display company activity on public dashboards and subdomain landing pages where public visibility is enabled.
• Monitor quality, prevent abuse, investigate incidents, and improve reliability.
• Send service notices and product communications.
• Measure marketing performance and attribution.

We process personal data where needed to:

• Perform our contract with you (service delivery, ad campaign management, infrastructure provisioning, and support).
• Comply with legal obligations.
• Pursue legitimate business interests such as security, fraud prevention, and product improvement.
• Operate marketing analytics and attribution as described in this policy and our Terms.

We share data with service providers that help us operate the product (for example, hosting, payments, email delivery, analytics, and error monitoring). We may also disclose data when required by law, to enforce terms, or to protect rights and safety.

Specific data sharing includes:

• Advertising platforms (Meta). When you enable advertising features, we share hashed personal identifiers (SHA-256 hashed email addresses and user IDs), purchase and lead conversion events, and browser pixel identifiers with Meta via the Conversions API (CAPI) for ad optimization and attribution.
• AI model providers (Anthropic, OpenAI, Google). Prompts, tool context, and associated metadata are shared with AI model providers to execute agent tasks and generate content.
• Infrastructure providers (GitHub, Render, Neon). Project configuration is shared to create and manage cloud resources provisioned on your behalf.
• Email delivery (Postmark). Outbound email content and recipient addresses are shared for email delivery.
• Email verification (Hunter.io). Email addresses are shared for deliverability verification.
• Browser automation (Browserbase). URLs and interaction instructions are shared to operate automated browser sessions.
• Public dashboards. If your company's public visibility is enabled (the default), certain business activity data (execution logs, metrics, social media posts) is publicly accessible on your company dashboard and subdomain. You can disable public visibility in your account settings.

See our Subprocessors page for current provider categories.

We use cookies and similar technologies for session security, product functionality, and marketing attribution. Details are in the "Cookies and Tracking" section of our Terms of Service.

• We keep account and operational records for as long as needed to provide the service.
• If you delete your account, we currently apply a soft-delete period of up to 30 days before permanent deletion, unless longer retention is required by law or legitimate security/accounting needs.
• Advertising data: campaign metrics and performance data are retained for the life of your account plus 12 months for reporting purposes.
• AI-generated content: generated media and prompts are retained until you delete them or your account is terminated, plus the soft-delete period.
• Infrastructure credentials: encrypted credentials are deleted immediately upon resource teardown.
• Browser session data: screenshots and extracted data are retained for the duration of the agent execution session and may be stored in execution logs for up to 30 days.
• We may retain de-identified or aggregated data that does not identify you.

We use technical and organizational safeguards designed to protect personal data, including:

• OAuth tokens and service credentials encrypted using AES-256-GCM before storage.
• Infrastructure credentials (database passwords, API tokens) encrypted at rest.
• Payment processing handled entirely by Stripe; we do not store card numbers.
• Server-side conversion events sent to Meta use SHA-256 hashing for personally identifiable information.

No method of storage or transmission is perfectly secure, so absolute security is not guaranteed.

• Access and update profile information in-product where available.
• Request account deletion from your settings page or by contacting us.
• Disable advertising features and associated data sharing at any time in your account settings.
• Request deletion of provisioned cloud resources.
• Unsubscribe from non-essential marketing emails using unsubscribe links.
• Manage browser cookie settings and tracking preferences.

To make a privacy request, contact privacy@vitor.com from the email associated with your account.

If you are a resident of a US state with applicable privacy legislation (such as California, Colorado, Connecticut, Virginia, or similar), you may have additional rights including the right to access, correct, or delete your personal information, and the right to opt out of certain data sharing.

We do not sell personal information. We do not use personal information for targeted advertising beyond the marketing attribution described in this policy.

To exercise your rights, contact privacy@vitor.com. We will respond within the timeframes required by applicable law.

Vitor and its providers may process data in countries outside your residence. We use contractual and operational safeguards designed to protect transferred personal data.

Vitor is not intended for individuals under 18, and we do not knowingly collect data from children.

We may update this Privacy Policy. The effective date above indicates the current version. Continued use of the service after updates means the updated policy applies.

• Privacy inquiries: privacy@vitor.com
• General support: contact@vitor.com

Policy version: 2026-02-25