Privacy Policy
Effective date: March 7, 2026
1. Introduction
Viatoris AI (“Viatoris,” “we,” “us,” or “our”) operates the Viatoris platform at viatoris.ai. This Privacy Policy describes how we collect, use, store, and share personal information when you use our services.
By creating an account or using the Viatoris platform, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
Account information (provided by you)
- Name, email address, organization name
- Authentication credentials (we store only bcrypt-hashed passwords — never plaintext)
- Organization details and billing information
Google user data (via Google Sign-In)
- When you sign in with Google, we receive your Google account email address, display name, and unique account identifier
- We use Google Sign-In solely for authentication — to verify your identity and create or link your Viatoris account
- We do NOT access your Google Drive, Gmail, Google Calendar, Google Contacts, or any other Google services or data
- We do NOT request any sensitive or restricted Google API scopes
- The only Google data we store is your email address, display name, and Google account identifier, used exclusively for login and account management
Agent and operational data
- Agent identifiers (Decentralized Identifiers / DIDs), metadata, and cryptographic public keys
- Signed action receipts — cryptographically signed, tamper-proof audit records of agent actions
- Compliance profiles and reputation scores
- Webhook endpoint configurations and delivery logs
Automatically collected data
- API request metadata (endpoint path, HTTP method, timestamp, response status code)
- IP addresses for rate limiting, abuse prevention, and security monitoring
- Error logs for service reliability (personally identifiable information is stripped before logging to third-party error tracking services)
- Browser type and operating system (via standard HTTP headers) for compatibility purposes
3. Legal Basis for Processing
We process your personal information on the following legal bases:
- Contractual necessity: Processing necessary to provide the Viatoris platform under our Terms of Service (account management, receipt processing, reputation computation)
- Legitimate interests: Security monitoring, fraud prevention, service improvement, and enforcement of our terms
- Consent: Where you have given explicit consent, such as opting into marketing communications (we do not currently send marketing emails)
- Legal obligation: Where processing is required to comply with applicable law
4. How We Use Your Information
- Provide, operate, and maintain the Viatoris platform
- Authenticate your identity and manage your account and sessions
- Process, store, and verify signed receipts for your AI agents
- Compute reputation scores from receipt history
- Send transactional emails (account verification, password reset, magic link login, team invitations)
- Enforce rate limits, detect abuse, and prevent unauthorized access
- Monitor for security threats and respond to incidents
- Generate aggregate, anonymized usage analytics for service improvement
- Comply with legal obligations and respond to lawful requests
5. How We Store and Protect Your Information
- All data is stored in PostgreSQL databases hosted by US-based cloud infrastructure providers
- Data is encrypted in transit using TLS 1.2+ (HTTPS) and at rest via provider-level encryption
- Passwords are hashed using bcrypt with a work factor of 12
- API keys are encrypted using AES-256-GCM before storage
- Session tokens are cryptographically signed using HMAC-SHA256 with server-side secrets
- Row-level security (RLS) policies enforce tenant data isolation at the database level — your data is inaccessible to other organizations
- We retain your data according to your subscription tier: 30 days (Free), 60 days (Developer), 90 days (Pro), custom (Enterprise), unless a longer retention period is required by law or by your explicit request
6. How We Share Your Information
- We do not sell, rent, or trade your personal information
- We do not share Google user data with any third parties
- We may share data with the following categories of service providers, solely to operate the Viatoris platform:
  - Cloud hosting and database providers (for data storage and compute)
  - Email delivery services (for transactional emails only)
  - Content delivery and security providers (for DDoS protection and edge caching)
  - Error monitoring services (PII is stripped before transmission)
- We may disclose information if required by law, court order, or governmental request
- In the event of a merger, acquisition, or sale of assets, user data may be transferred to the successor entity, with prior notice to affected users
- All service providers are bound by data processing agreements that require them to protect your data
7. Google User Data — Limited Use Disclosure
Viatoris's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements:
- We access Google user data (email, name, account identifier) solely for the purpose of authenticating users to the Viatoris platform
- We do not use Google data for serving advertisements, conducting market research, or for any purpose unrelated to providing and improving the Viatoris platform
- We do not allow humans to read Google user data except where necessary for security purposes, to comply with applicable law, or with the user's affirmative consent
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features of the Viatoris platform, with the user's consent, or as required by law
8. International Data Transfers
Viatoris is operated from the United States. If you access the platform from outside the United States, your personal information will be transferred to and processed in the United States. By using Viatoris, you consent to this transfer. We implement appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy regardless of where it is processed.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate account information through the dashboard or by contacting us
- Deletion: Request deletion of your account and associated personal data by contacting jared@viatoris.ai. Note: cryptographically signed receipts are immutable audit records by design and may be retained in anonymized form for audit integrity purposes, as described in our Terms of Service
- Portability: Export your data via the Viatoris API
- Objection / Restriction: Object to or request restriction of certain processing by contacting us
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at jared@viatoris.ai. We will respond within 30 days.
10. Cookies and Local Storage
- We use strictly necessary httpOnly session cookies for authentication. These cookies identify your session and enable access to the dashboard. They do not track your activity across other websites.
- We do not use advertising, analytics, or third-party tracking cookies
- We do not use browser local storage or session storage for authentication
11. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights, we will notify affected users via email and/or dashboard notification without undue delay, and in any case within 72 hours of becoming aware of the breach where feasible.
12. Security
We implement multiple layers of security to protect your data, including: TLS encryption for all data in transit, encryption at rest, cryptographic hashing of credentials, tenant isolation via database-level access controls, structured audit logging, web application firewall protection, and automated monitoring. If you discover a security vulnerability, please report it responsibly to jared@viatoris.ai.
13. Children's Privacy
Viatoris is a B2B platform intended for use by businesses and professionals. We do not direct our services to children under the age of 16, and we do not knowingly collect personal information from children under 16. If we become aware that we have collected such data, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) or by prominent notice on the platform at least 14 days before the changes take effect. Your continued use of the platform after the effective date of any updated Privacy Policy constitutes your acceptance of the changes.
15. Contact
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
- Email: jared@viatoris.ai
- Viatoris AI, United States