Privacy Policy for Tool Creators
Last updated: October 2025
This explains how VOST handles your data as a tool creator. We keep it simple, secure, and compliant with applicable privacy laws.
1. Information We Collect
Account Information:
• Email address and full name
• Password (encrypted, never stored in plain text)
• Profile information and preferences
Tool Configuration Data:
• Tool names, descriptions, and settings
• Workflow configurations and AI instructions
• Branding assets (logos, colors, themes)
• Subscription tier configurations
• Credit package settings
Financial Information:
• Stripe Connect account details (stored by Stripe)
• Creator balance and transaction history
• Auto-reload settings and payment methods (stored by Stripe)
• Payout history and platform fees
• AI API costs and usage
Usage & Analytics Data:
• Tool performance metrics
• Job execution statistics
• User subscription data (counts and revenue, not personal details)
• Dashboard interactions and feature usage
• System logs and error reports
Technical Information:
• IP addresses and device information
• Browser type and version
• Session data and cookies
• API usage and rate limiting data
2. How We Use Your Data
Service Delivery:
• Operating and hosting your tools on our infrastructure
• Processing AI requests through OpenRouter and Fal AI
• Managing authentication and access control
• Providing creator dashboard and analytics
Financial Operations:
• Processing payments and subscription billing
• Calculating and distributing creator payouts via Stripe Connect
• Managing creator balance and auto-reload
• Tracking AI costs and platform fees
• Tax reporting as required by law
Communications:
• Sending account notifications and security alerts
• Billing reminders and payout notifications
• Platform updates and new feature announcements
• Customer support responses
Platform Improvement:
• Analyzing usage patterns to improve features
• Identifying and fixing bugs
• Optimizing performance and reliability
• Developing new creator tools and capabilities
Security & Compliance:
• Preventing fraud and abuse
• Enforcing terms of service
• Complying with legal obligations
• Protecting against security threats
3. Data Sharing & Third Parties
We NEVER sell your data. We only share data with trusted service providers necessary for platform operation:
Stripe (Payment Processing):
• Payment information for subscription processing
• Stripe Connect data for creator payouts
• Financial transaction history
• Governed by Stripe's Privacy Policy
Supabase (Infrastructure):
• Account data and authentication
• Tool configurations and user data
• Database hosting and backups
• Governed by Supabase's Privacy Policy
AI Providers (OpenRouter & Fal AI):
• User prompts and inputs (as needed for AI generation)
• Model selection and parameters
• Usage metrics for billing purposes
• Note: AI providers may have their own data retention policies
Vercel (Hosting):
• Server logs and access data
• Performance monitoring
• CDN and edge caching
Legal Requirements:
• Law enforcement with valid legal process
• Court orders or subpoenas
• National security requests as required by law
• Protection of rights and safety
4. Access to End-User Data
What You Can See:
As a creator, you have access to:
• Aggregated analytics (total users, revenue, job counts)
• Subscription statistics (active subscribers, churn rates)
• Tool performance metrics (success rates, average execution time)
• Test coupon usage data
What You Cannot See (Without Direct Request):
• Individual user's personal information
• Specific prompts or inputs from users
• User-generated content from your tools
• Individual usage patterns
Your Responsibilities:
You are a data controller for your tool users and must:
• Comply with GDPR, CCPA, and other applicable privacy laws
• Provide your own privacy policy if collecting additional data
• Respect user privacy and data protection rights
• Report data breaches as required by law
Support & Debugging:
VOST support may access user data only when necessary to:
• Resolve technical issues you report
• Investigate abuse or terms violations
• Comply with legal requirements
5. Data Security
Technical Safeguards:
• TLS/SSL encryption for all data in transit (HTTPS everywhere)
• Encryption at rest for sensitive data in Supabase
• Secure password hashing (never stored in plain text)
• JWT tokens for authentication with secure cookie storage
• Regular security audits and vulnerability assessments
Operational Security:
• Access controls and role-based permissions
• Automated backups and disaster recovery procedures
• Monitoring for suspicious activity and abuse
• Incident response plans for data breaches
Important Note:
While we implement industry-standard security measures, no system is 100% secure. You are responsible for keeping your account credentials confidential. If you suspect unauthorized access, contact us immediately at support@vost.ai.
6. Your Privacy Rights
Access & Portability:
• View all your account data through your dashboard
• Request a complete export of your data
• Download tool configurations and settings
Correction & Deletion:
• Update account information anytime
• Correct inaccurate data
• Delete your account and associated data
Control & Preferences:
• Manage email notification preferences
• Opt out of marketing communications
• Control what analytics we collect (where technically feasible)
How to Exercise Rights:
Contact us at support@vost.ai with your request. We'll respond within 30 days for GDPR requests and 45 days for CCPA requests. We may need to verify your identity before processing certain requests.
7. Cookies & Tracking
Essential Cookies (Required):
• Authentication and session management
• Security and fraud prevention
• Subdomain routing and functionality
• User preferences and settings
What We DON'T Do:
• No advertising or tracking cookies
• No third-party tracking pixels
• No cross-site tracking
• No data sales to advertisers
Browser Settings:
You can disable cookies in your browser, but VOST requires essential cookies to function properly. Authentication and sessions will not work without cookies enabled.
8. International Data Transfers
Data Storage Location:
Your data is primarily stored in the United States on Supabase infrastructure. By using VOST, you consent to your data being transferred to, processed, and stored in the United States.
International Users:
If you're located outside the US, please note that US privacy laws may differ from those in your country. We implement appropriate safeguards to protect your data regardless of location.
GDPR & European Users:
For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) for data transfers and comply with GDPR requirements for international data transfers.
9. Data Retention & Deletion
Active Accounts:
We retain your data as long as your account is active or as needed to provide services.
Account Deletion:
When you delete your account:
• Personal data is deleted within 30 days
• Tool configurations are permanently removed
• Backup copies are purged within 90 days
• Some anonymized analytics may be retained
Legal Retention:
We retain certain data longer when required by law:
• Financial records: 7 years (tax compliance)
• Transaction history: 7 years (financial regulations)
• Legal disputes: Duration of dispute + statute of limitations
• DMCA notices: Permanent record for compliance
Unpublished Tools:
Data from unpublished tools is retained for 90 days to allow republishing, then archived.
10. Children's Privacy
VOST creator accounts require users to be at least 18 years old. We do not knowingly collect data from anyone under 18. If we discover we've collected data from someone under 18, we'll delete it promptly. If you believe we have data from a minor, contact us at support@vost.ai.
11. Changes to This Policy
We may update this privacy policy as our platform evolves or laws change. Material changes will be communicated via:
• Email notification to your registered address
• Prominent notice in your creator dashboard
• Updated "Last updated" date at the top of this page
We'll provide at least 30 days notice before material changes take effect. Continued use after changes constitutes acceptance. If you don't agree, you may delete your account before changes take effect.
12. California Privacy Rights (CCPA)
California residents have additional rights:
Right to Know:
• Categories of personal information we collect
• Sources of the personal information
• Business purposes for collection
• Categories of third parties we share with
Right to Delete:
• Request deletion of your personal information
• Exceptions apply for legal compliance and security
Right to Opt-Out:
• We don't sell personal information (so no opt-out needed)
Right to Non-Discrimination:
• We won't discriminate against you for exercising CCPA rights
How to Exercise CCPA Rights:
Email support@vost.ai with your request. We'll respond within 45 days and may verify your identity before processing.
13. GDPR Rights (European Users)
For EU/EEA residents:
Legal Basis for Processing:
• Contract performance (service delivery)
• Legitimate interests (platform improvement, security)
• Legal obligations (tax, financial regulations)
• Your consent (where applicable)
Your GDPR Rights:
• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent
• Right to lodge a complaint with supervisory authority
Data Protection Officer:
For GDPR-related inquiries, contact support@vost.ai
EU Representative:
If required, we'll appoint an EU representative and provide contact details here.
14. Contact Us
For all privacy inquiries, data rights requests, GDPR matters, security issues, or general support, please contact us at: support@vost.ai