PRIVACY POLICY

Last updated: June 10, 2026

WHO WE ARE — AND THE TWO ROLES WE PLAY

Vutal is a business-to-business, agentic post-sales platform: it builds a per-customer intelligence graph from the business records and data sources our customers connect (such as CRM systems, email, chat, call transcripts, and documents) and operates AI agents that help customer-success teams run onboarding, adoption, renewal, and expansion playbooks across their accounts. Under the General Data Protection Regulation (GDPR), Vutal acts in two distinct roles, and your rights depend on which role applies:

  • Vutal as data controller. For the limited personal data we collect directly — your account information, billing details, website data, support correspondence, and product usage telemetry — Vutal is the data controller. This policy (Part A) describes that processing.
  • Vutal as data processor. For the business content our customers connect to or create in the platform — including personal data contained in CRM records, emails, chat messages, call transcripts, and documents — our customer is the data controller and Vutal is a data processor. We process that data only on the customer's documented instructions, under a Data Processing Agreement (DPA). Part B explains what that means for you.

Vutal Inc.
Email: legal@vutal.com

PART A — DATA WE PROCESS AS CONTROLLER

What we collect

When you create an account, use the platform, or interact with us, we collect:

  • Identity and contact data — name, work email address, company, role
  • Account credentials and authentication data (passwordless magic link, Google or Microsoft sign-in)
  • Billing and subscription information
  • Support and other correspondence with us
  • Product usage data — session information, feature usage, device and log data
  • Website data as described in our Cookie Policy

Purposes and legal bases (GDPR Article 6)

  • Providing your account and the service — performance of a contract, Art. 6(1)(b)
  • Billing and accounting — performance of a contract, Art. 6(1)(b), and compliance with legal obligations (tax, bookkeeping), Art. 6(1)(c)
  • Securing the platform and preventing abuse — our legitimate interest in keeping the service and our customers' data safe, Art. 6(1)(f)
  • Improving the product using usage telemetry — our legitimate interest in understanding how the platform is used, Art. 6(1)(f). This relies on usage and operational data; we do not use customer-connected content for our own purposes (see Part B).
  • Marketing communications — your consent, Art. 6(1)(a), which you can withdraw at any time

We do not deliberately collect special categories of personal data (GDPR Article 9) and ask that you do not submit such data to us in account or support channels.

PART B — DATA WE PROCESS ON OUR CUSTOMERS' BEHALF

When a customer connects data sources to Vutal (for example a CRM, email, calendar, chat, or document system), the content of those systems — which can include personal data about the customer's employees, customers, prospects, and other contacts — is processed by Vutal as a processor, on the customer's documented instructions, under a Data Processing Agreement. The customer, as controller, is responsible for the lawful basis for that processing and for informing the individuals concerned.

If your data appears in a Vutal customer's workspace (for example, because you corresponded with one of our customers), the customer — not Vutal — decides the purposes of that processing. Requests to access, correct, or delete that data should be directed to the relevant organization. If you contact us directly, we will forward your request to the customer concerned and assist them in responding, as the GDPR requires of a processor.

AI processing and profiling — what actually happens

Vutal uses artificial intelligence in two ways. First, it extracts, organizes, summarizes, and assesses information in the content our customers connect — building the per-customer intelligence graph. This includes automated analysis that may constitute profiling under GDPR Article 4(4): for example, account- and relationship-level health and engagement assessments, which can include activity-based signals relating to individual business contacts (such as a key contact becoming inactive). Second, Vutal's agents prepare — and, where the customer has configured it, carry out — steps of the customer's onboarding, adoption, renewal, and expansion playbooks. Agent autonomy is controlled by the customer: the customer sets autonomy ceilings per capability, higher-stakes actions escalate to the customer's team, and agent activity is recorded in an event ledger. All of this processing is performed on the customer's instruction and for the customer's purposes, and Vutal does not make solely automated decisions producing legal or similarly significant effects about individuals. We do not use customer content to train AI models — neither our own nor our AI provider's (per Google Cloud's Vertex AI terms, customer prompts and outputs are not used to train Google's models).

RECIPIENTS AND SUB-PROCESSORS

We do not sell personal data. We share personal data with a defined set of service providers (sub-processors) that help us run the platform, under written data-processing agreements: database hosting, application hosting, AI inference (Google Vertex AI), background job processing, caching, file storage, and transactional email. A current sub-processor register — including each provider's role and processing location — is available on request at legal@vutal.com, and customers receive advance notice of sub-processor changes under the DPA. We may also disclose personal data where required by law (see "Government access requests" below) and in connection with a business transfer, in which case this policy continues to apply to the transferred data.

INTERNATIONAL TRANSFERS

Customer databases are hosted in the EU by default (AWS eu-central-1, Frankfurt). Where personal data is transferred outside the EU/EEA — for example, AI processing for organizations on our global residency setting runs in the United States (Google Cloud) — we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) together with supplementary measures, and the UK Addendum where UK data protection law applies. A copy of the relevant safeguards is available on request. Customers can elect an EU data-residency setting designed to keep AI processing in EU regions with a fail-closed guard (the system refuses rather than route EU data outside the EU); we confirm availability of end-to-end EU-only processing in writing to customers who require it.

GOVERNMENT ACCESS REQUESTS

If a public authority requests access to personal data we process, we will review the request for legal validity, limit any disclosure to what the law requires, challenge overbroad requests where reasonably possible, and — unless legally prohibited from doing so — notify the affected customer before disclosure. We have published no personal data in response to such requests to date.

RETENTION

We keep personal data only for as long as necessary for the purpose it was collected:

  • Account and billing data — for the life of your account, and thereafter only as long as legal obligations (such as bookkeeping and tax law) require.
  • Customer-connected content (processor data) — for as long as the customer instructs. When a customer's subscription ends, data is available for export for 30 days; deletion then proceeds through a controlled lifecycle (a short, cancelable grace window followed by destruction of the customer's dedicated database, confirmed by a written deletion certificate). Backup copies roll off within the backup-retention cycle.
  • Items deleted inside the platform — purged on a defined schedule after soft-deletion.

SECURITY

The following measures protect personal data on the platform today:

  • A dedicated, isolated database per customer — not a shared database with a customer-id column
  • EU data residency by default for customer databases (Frankfurt)
  • Encryption in transit (TLS with full certificate verification) and at rest at the storage layer
  • Application-layer AES-256-GCM encryption of integration credentials and OAuth tokens, with per-organization keys
  • Role-based access control on every API call; access on a need-to-know basis
  • A controlled deletion lifecycle with written deletion certificates

We are pursuing ISO/IEC 27001 and SOC 2 Type II certifications; these programs are underway and reports will be made available to customers when issued. We do not currently hold these certifications. No system is perfectly secure; if a personal data breach affecting you or your organization occurs, we will notify affected customers without undue delay in accordance with our contractual and legal obligations.

YOUR RIGHTS

Where Vutal is the controller (Part A), you have the following rights under GDPR Articles 15–21: access to your personal data, rectification, erasure, restriction of processing, data portability, and objection (including to processing based on legitimate interest and to direct marketing). Where processing is based on consent, you may withdraw it at any time. To exercise these rights, contact legal@vutal.com; we respond within one month as the GDPR requires.

Where Vutal is a processor (Part B), these rights apply against the customer that controls your data; we will forward any request we receive to them and assist in their response.

For EU/EEA residents

If you believe your personal data has been processed in a way that does not meet GDPR requirements, you have the right to lodge a complaint with your local data protection supervisory authority. Contact details: European Data Protection Board — List of Supervisory Authorities

For California residents

California residents have rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to non-discrimination for exercising these rights. Vutal does not sell or share personal information as defined by the CCPA. To exercise these rights, contact legal@vutal.com.

CHANGES TO THIS POLICY

We will update this policy as our product and legal posture evolve and will revise the "Last updated" date above. Material changes affecting customers' data are also notified under the DPA.

CONTACT

Vutal Inc.
Email: legal@vutal.com