Last updated: May 28, 2026

1. Introduction

Vaizy B.V. ("Vaizy", "we", "us", or "our") provides a project management platform for teams running multiple projects — including milestone tracking, team and resource planning, financial management, risk management, budget health analytics, and AI-assisted insights via an OpenAI-powered assistant (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit vaizy.com or use the Service, and your rights under applicable laws including the General Data Protection Regulation (EU) 2016/679 ("GDPR"). By using the Service, you agree to this Privacy Policy.

2. Data Controller

Vaizy B.V. is the data controller for personal data processed in connection with account registration, billing, marketing, and website analytics. For personal data that our customers submit into the platform (project data, team records, financial entries, uploaded files, AI conversation inputs), Vaizy acts as a data processor on behalf of the customer. A Data Processing Agreement (DPA) governs this relationship and is available at vaizy.com/dpa. Contact: hello@vaizy.com

3. Information We Collect

3.1 Information you provide directly:
— Account details (name, email address, company name)
— Project data: milestones, timelines, team assignments, roles, cost rates, financial entries, risk records, and any other content submitted to the platform
— AI conversation inputs: prompts and context sent to the AI assistant
— Communications and support requests

3.2 Automatically collected data:
— Usage data: features accessed, timestamps, session duration
— Device and log data: IP address, browser type, operating system
— Authentication events and security logs
— Analytics data via PostHog (EU region) and Google Analytics

3.3 AI interaction data:
— Prompts and context submitted to the AI assistant
— AI-generated responses and metadata (token counts, request identifiers)
— Conversation history stored in our Supabase-hosted database

4. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:
— Contractual necessity: to provide the Service and fulfil our agreement with you
— Legitimate interests: platform security, fraud prevention, product improvement, and operational monitoring
— Consent: marketing communications and optional analytics features
— Legal obligation: tax, accounting, and regulatory compliance

5. How We Use Your Data

— Provide, operate, and maintain the Service
— Enable AI-powered features including the project assistant
— Authenticate users and enforce role-based access controls
— Monitor platform performance, reliability, and security
— Conduct analytics to improve the product
— Communicate with you about your account, updates, and support
— Comply with legal obligations

6. AI Features and Data Protection

The Vaizy AI assistant is powered by OpenAI's GPT-4 model, accessed via a Supabase Edge Function. When you interact with the AI assistant:
— Your prompts and project context are transmitted to OpenAI via secure server-side calls (not exposed to the browser)
— AI conversation data is stored in our Supabase database with Row Level Security ensuring only you can access your conversations
— OpenAI is contractually restricted from using your data to train its models under our enterprise agreement
— AI outputs are probabilistic and may be inaccurate; you remain responsible for validating outputs before acting on them

We do not apply automated processing that produces legal or similarly significant effects solely by AI.

7. Data Sharing and Subprocessors

We share data only with trusted subprocessors necessary to operate the Service:
— Supabase (database, authentication, edge functions, real-time) — EU region
— OpenAI (AI assistant processing) — US, with EU SCCs in place
— Hetzner Online GmbH (hosting and infrastructure) — EU region (Germany), via Coolify
— PostHog (product analytics) — EU region
— HubSpot (CRM and early access communications) — US, with EU SCCs
— Featurebase (in-app Help Center, support, and changelog) — EU, with EU SCCs where applicable
— Nodemailer via SMTP (transactional email)

All subprocessors are bound by Data Processing Agreements and provide GDPR-compliant safeguards. A current subprocessor list is available on request at hello@vaizy.com.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we rely on:
— Standard Contractual Clauses (SCCs) as approved by the European Commission
— Adequacy decisions where applicable
— Additional technical safeguards (encryption in transit and at rest) where required

This applies in particular to transfers to OpenAI and HubSpot, both located in the United States.

9. Data Retention

— Account and profile data: retained while your account is active and for up to 90 days after deletion
— Project and platform data: retained per your contract or until you request deletion
— AI conversation data: retained in your account and deleted when you delete a conversation or your account
— Security and authentication logs: retained for 30 to 180 days
— Billing records: retained as required by Dutch accounting law (7 years)

You may request deletion of your data at any time by contacting hello@vaizy.com.

10. Security Measures

We implement the following technical and organisational measures:
— TLS 1.2+ encryption for all data in transit
— Encryption at rest for Supabase-hosted data
— Row Level Security (RLS) on all database tables — users can only access their own data
— Role-based access controls (RBAC) within the platform
— Authentication via Supabase Auth with MFA support (TOTP)
— API keys and secrets stored in server-side environment variables only, never exposed to the browser
— Automated removal of console logs in production builds
— Supabase Edge Functions used for all server-side AI and integration calls

No system is completely immune to risk. We will notify you in the event of a breach as required by GDPR.

11. Your GDPR Rights

If you are located in the EEA, you have the right to:
— Access the personal data we hold about you
— Rectify inaccurate or incomplete data
— Request erasure of your data ("right to be forgotten")
— Restrict processing in certain circumstances
— Object to processing based on legitimate interests
— Data portability (receive your data in a structured, machine-readable format)
— Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact hello@vaizy.com. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

12. Data Breaches

In the event of a personal data breach, we will notify affected users and the relevant supervisory authority (Autoriteit Persoonsgegevens) without undue delay, and no later than 72 hours after becoming aware, as required by GDPR Article 33.

13. Children's Data

The Service is intended for business use by individuals aged 18 and over. We do not knowingly collect personal data from anyone under 18.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a prominent notice on the Service, and update the "Last updated" date at the top of this page.

15. Contact

Vaizy B.V.
hello@vaizy.com
vaizy.com