Legal

Privacy Policy

Last updated: 1 June 2026 · Version 2.0 · Effective immediately for new users; 14-day notice for existing users.

This Privacy Policy explains how Vyntro AI ("Vyntro", "we", "us", "our") collects, uses, shares, and protects your personal information when you use vyntro.ai and related services (collectively, the "Service"). We comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and Pakistan's Prevention of Electronic Crimes Act 2016 (PECA) and Personal Data Protection Bill (where applicable).

1. Data Controller

The data controller responsible for your personal data is:

2. What Information We Collect

We collect only what we need to run, secure, and improve the Service.

2.1 Information you provide

  • Account data: email address, display name, password hash (we never see your plaintext password), profile picture (optional).
  • Authentication data: if you sign in with Google, we receive your email, name, and profile photo from Google's OAuth response. We do not receive your Google password.
  • Payment data: billing name, country, payment method type (JazzCash, EasyPaisa, or local Pakistani bank transfer), and the transaction reference you submit. Full bank or wallet credentials are handled by the respective payment provider and are never stored on our servers.
  • Content data: prompts you submit, attachments you upload (images), and AI-generated outputs (HTML/code).
  • Support data: messages you send via the contact form, partner application form, or email.

2.2 Information collected automatically

  • Device & connection: IP address, browser type and version, operating system, device type, screen size, timezone, language preference.
  • Usage data: pages visited, features used, generation counts, credits consumed, errors encountered, session timestamps.
  • Cookies & local storage: see our Cookie Policy for the full list and your controls.

2.3 Information from third parties

  • Google OAuth profile data (when you choose Google sign-in).
  • Payment confirmation references from JazzCash, EasyPaisa, and partnered Pakistani banks.
  • Fraud signals from rate-limiting and abuse-detection services.

3. Why We Process Your Data (Legal Bases)

Under GDPR Article 6, we rely on the following legal bases:

  • Contract performance — to create your account, deliver AI generations, process payments, send service emails.
  • Legitimate interest — to prevent fraud and abuse, enforce rate limits, monitor service health, improve product quality, secure our infrastructure.
  • Consent — for non-essential cookies (analytics, marketing), product newsletters, and any optional features you opt into. You can withdraw consent at any time.
  • Legal obligation — to comply with tax, accounting, anti-money-laundering, and law-enforcement requirements in Pakistan and elsewhere.

4. How We Use Your Data

  • To provide, maintain, and improve the Service.
  • To process payments, issue receipts, manage credits and subscriptions.
  • To authenticate you and protect your account from unauthorised access.
  • To detect, investigate, and prevent fraud, abuse, and security incidents.
  • To communicate service updates, security notices, billing alerts, and (with consent) marketing.
  • To respond to your support requests and legal enquiries.
  • To produce aggregated, non-identifying analytics for product decisions.
  • To comply with applicable laws and respond to lawful requests by public authorities.

5. Who We Share Data With

We do not sell your personal data. We share it only with the following categories of recipients, each bound by data-processing agreements:

  • Cloud hosting & database: Supabase (managed Postgres, file storage) — EU/US regions.
  • AI model providers: Google (Gemini), OpenAI (GPT), Anthropic (Claude) — for processing the prompts you submit. Providers process prompts on their own infrastructure and may retain them per their own policies.
  • Payment processors: JazzCash, EasyPaisa, and partnered local Pakistani banks. They receive only the data needed to verify the transaction reference you submit.
  • Email delivery: our transactional email provider for verification, receipts, and security alerts.
  • Analytics (only with your consent): aggregated product analytics provider.
  • Law enforcement & legal: when compelled by valid legal process, or to protect rights, safety, and property.
  • Corporate transactions: in the event of a merger, acquisition, or asset sale, with continuity of this Policy.

6. International Data Transfers

Vyntro is operated from Pakistan, but our infrastructure providers may process your data in the European Union, the United States, or other jurisdictions. Where data leaves the EEA/UK, we rely on:

  • European Commission Standard Contractual Clauses (SCCs).
  • Equivalent safeguards required by UK GDPR, Swiss FADP, and Pakistan's data-protection framework.
  • Provider-level certifications (SOC 2 Type II, ISO 27001) where available.

7. Data Retention

  • Account data: while your account is active, plus up to 3 years after deletion for legal, tax, and dispute-resolution purposes.
  • Generated content: until you delete the project, or up to 12 months after account deletion.
  • Payment records: 7 years as required by Pakistani tax law and international anti-money-laundering rules.
  • Server and security logs: 90 days, then aggregated.
  • Support correspondence: 2 years from last contact.
  • Cookie consent records: 13 months (renewal required annually).

8. Your Rights

Subject to the laws that apply to you, you have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Delete your account and associated personal data ("right to be forgotten"), subject to legal retention obligations.
  • Restrict or object to certain processing (e.g. legitimate-interest-based analytics).
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time for processing based on consent.
  • Opt out of marketing at any time via the unsubscribe link or by emailing us.
  • Lodge a complaint with your local supervisory authority (e.g. EU DPA, UK ICO) or the relevant Pakistani authority.

To exercise any of these rights, email privacy@vyntro.ai. We respond within 30 days (extendable to 90 days for complex requests, with notice).

9. Children's Privacy

The Service is not intended for users under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@vyntro.aiand we will delete it promptly.

10. Security Measures

  • TLS 1.2+ encryption in transit; AES-256 encryption at rest for the database.
  • Row-Level Security (RLS) policies — no user can read another user's data.
  • Hashed and salted passwords (bcrypt/argon2 via Supabase Auth).
  • Rate limiting and bot protection on authentication and payment endpoints.
  • Principle of least privilege for internal staff; audit logs on all admin actions.
  • Regular dependency scanning and security linting.
  • Backup snapshots with point-in-time recovery.

No system is 100% secure. We cannot guarantee absolute security but we take reasonable, industry-standard measures appropriate to the risk.

11. Breach Notification

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay via email and in-product banner.

12. Cookies

We use a small number of essential, functional, analytics, and marketing cookies. You can accept all, reject non-essential, or customise per category via the banner shown on your first visit. See the full Cookie Policy for details and controls.

13. Automated Decision-Making

We do not use your personal data for automated decisions that produce legal or similarly significant effects on you. AI generations are produced from your prompts and are not used to evaluate or profile you.

14. Changes to This Policy

We may update this Policy from time to time. For material changes, we will notify you at least 14 days in advance via email and an in-product banner. The "Last updated" date at the top reflects the latest revision. A version history is maintained on request.

15. Contact & Complaints

If you are unsatisfied with our response, you may complain to your local data-protection authority. For EU/EEA residents, find your authority at edpb.europa.eu.