Privacy Policy

Vectego ("we," "our," or "us") operates the Vectego platform accessible at https://vectego.com and related mobile or web applications (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service. By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Service.

We are committed to handling your personal information with the highest standards of security and transparency, in compliance with all applicable privacy and data protection laws, including but not limited to: the General Data Protection Regulation (GDPR); the UK GDPR; the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA); the Virginia Consumer Data Protection Act (VCDPA); the Colorado Privacy Act (CPA); the Connecticut Data Privacy Act (CTDPA); the Texas Data Privacy and Security Act (TDPSA); the Florida Digital Bill of Rights (FDBR); the Montana Consumer Data Privacy Act; the Oregon Consumer Privacy Act; the Indiana Consumer Data Protection Act; Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Law 25; Australia's Privacy Act 1988; and all other applicable U.S. state, federal, and international data protection laws. We also comply with the Google API Services User Data Policy where applicable.

We collect the following categories of personal information:

We use the information we collect for the following purposes:

• Service delivery: to create and manage your account, provide platform features, process subscriptions, send transactional communications, and respond to support requests.
• Personalization: to generate AI-matched opportunity recommendations, personalize email drafts, and tailor content to your academic interests and goals.
• Product analytics and improvement: to analyze usage patterns, measure feature performance, identify bugs, and make data-driven decisions about product development. This includes aggregating and analyzing behavioral data across our user base to improve our algorithms and recommendation models.
• AI model development: we may use de-identified, aggregated, or pseudonymized user data to train, evaluate, and improve our proprietary AI and machine learning models that power features such as email drafting, opportunity recommendations, and researcher discovery. Such data is processed in a manner that minimizes re-identification risk.
• Marketing and communications: to send you product updates, promotional content, newsletters, and information about new features or partner offerings, where you have provided consent or where permitted by law. You may opt out at any time.
• Business analytics and partnerships: to generate aggregated, statistical, or de-identified insights about our user base and platform usage, which we may share with business partners, investors, or affiliates for research, analytics, or commercial purposes. Such shared data does not directly identify individual users unless required by the context of the partnership.
• Legal and safety: to comply with applicable laws and regulations, enforce our Terms of Service, prevent fraud, and protect the rights, property, or safety of Vectego, our users, or the public.
• Corporate transactions: in connection with a merger, acquisition, financing, sale of assets, or similar transaction, your information may be transferred as part of that transaction.

We do not sell your personal information in the traditional sense. However, we may share your information with third parties in the ways described below, which under certain privacy laws (such as the CCPA) may constitute a "sale" or "sharing" of personal information for cross-context behavioral advertising or commercial purposes. California residents and other users with applicable rights may opt out of such sharing — see Section 10.

• Service providers and vendors: we share information with trusted third-party service providers who perform functions on our behalf, including cloud hosting (Supabase/PostgreSQL), payment processing, email infrastructure, analytics services, and customer support tools. These providers are contractually obligated to protect your data and use it only for the specified purpose.
• Business partners and affiliates: we may share aggregated, de-identified, or pseudonymized user information with our business partners, affiliates, and commercial collaborators to support joint marketing initiatives, co-branded offerings, research, analytics, and product integrations. We may also share contact information and usage data with partners who offer complementary services to students, educators, or academic organizations, for marketing or outreach purposes consistent with your consent or applicable law.
• Advertising and analytics networks: we may work with third-party advertising and analytics partners who use cookies, pixels, or similar technologies to collect information about your use of the Service and other websites to deliver targeted advertising, measure ad effectiveness, and perform audience analysis.
• Google API data: information obtained through Google APIs, including Gmail data, is not shared with third parties for advertising purposes and is not used to develop, improve, or train generalized AI/ML models. It is used exclusively to provide the features you explicitly request.
• Legal requirements: we may disclose your information if required to do so by law, subpoena, court order, or regulatory authority, or if we believe disclosure is necessary to protect our rights, prevent fraud, or ensure safety.
• Business transfers: in the event of a merger, acquisition, restructuring, or sale, your information may be transferred to a successor entity, subject to the same privacy protections.
• With your consent: in any other circumstances, we will share your information only with your explicit consent.

We retain your personal information for as long as your account is active or as needed to provide the Service. After account deletion, we retain certain data for up to 90 days to allow recovery, then delete or anonymize it, except where we are required to retain it longer by law (e.g., financial records, legal disputes). Aggregated, de-identified data derived from your usage may be retained indefinitely for analytics and model improvement purposes.

We implement industry-standard technical and organizational security measures to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of sensitive data at rest using AES-256 or equivalent.
• Row-level security (RLS) policies in our database to enforce per-user data isolation.
• OAuth 2.0 token management with short-lived access tokens and secure refresh token storage.
• Access controls and principle of least privilege for internal systems.
• Regular security reviews, vulnerability assessments, and dependency audits.
• Incident response procedures to detect, contain, and notify of data breaches as required by law.

No method of transmission or storage is 100% secure. In the event of a data breach affecting your rights or freedoms, we will notify you and applicable regulators as required by law.

We use the following types of cookies and similar technologies:

• Strictly necessary cookies: session and authentication cookies required for the Service to function. These cannot be disabled.
• Analytics cookies: used to understand how users interact with the Service. We may use tools such as aggregate server-side analytics to collect this data.
• Preference cookies: used to remember your settings and preferences (e.g., dismissed banners).
• Marketing/advertising cookies: may be set by third-party advertising partners to deliver relevant ads and track campaign effectiveness.

You can control non-essential cookies through your browser settings. Disabling certain cookies may impair some Service functionality.

The Service is intended for users who are 13 years of age or older. We do not knowingly collect personal information from children under 13. Because many of our users are high school students (ages 13–17), we take additional care to limit data collection to what is necessary for the Service and to process such data in accordance with applicable laws, including the Children's Online Privacy Protection Act (COPPA) where applicable. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at privacy@vectego.com and we will delete such information promptly.

Depending on your location and applicable law, you may have some or all of the following rights with respect to your personal information. These rights apply to residents of the EEA, UK, Switzerland, all U.S. states with applicable privacy laws (including but not limited to California, Virginia, Colorado, Connecticut, Texas, Florida, Montana, Oregon, Indiana, Iowa, and Tennessee), Canada, Australia, and other jurisdictions with data subject rights.

• Access / Know: request a copy of the personal information we hold about you, including the categories, sources, and purposes for which it is used.
• Correction: request correction of inaccurate or incomplete personal information.
• Deletion: request deletion of your personal information, subject to legal retention obligations and other exceptions permitted by law.
• Portability: receive your personal information in a structured, machine-readable format and, where technically feasible, have it transmitted to another controller.
• Objection / Restriction: object to or request restriction of certain processing activities, including processing based on legitimate interests or for direct marketing purposes.
• Opt out of sale / sharing / targeted advertising: residents of California and all other U.S. states whose laws provide a right to opt out of the sale, sharing, or use of personal information for targeted advertising may do so by contacting us at privacy@vectego.com. We will action such requests within the timeframe required by your applicable state law (typically 15–45 days).
• Limit use of sensitive information (California CPRA): you may request that we limit our use of sensitive personal information to purposes necessary to provide the Service.
• Automated decision-making: where applicable law requires, you may request information about and object to automated decisions made about you, including profiling with significant effects.
• Withdraw consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Marketing opt-out: you may unsubscribe from marketing emails at any time via the unsubscribe link in any marketing email or by emailing privacy@vectego.com. This does not affect transactional communications.
• Gmail disconnection: you may disconnect your Gmail account at any time from your account settings, upon which we delete your stored OAuth tokens.
• Lodge a complaint: you have the right to lodge a complaint with your applicable supervisory authority — including the relevant EU Data Protection Authority, the UK Information Commissioner's Office (ICO), the Office of the Australian Information Commissioner (OAIC), or your state Attorney General — if you believe we have not handled your data lawfully.

Manage your preferences directly: visit our Privacy Choices page to toggle marketing emails, opt out of data sharing, request a data download, or submit a deletion request — no email required for most actions.

To exercise any other rights, contact us at privacy@vectego.com. We will respond within the timeframe required by your applicable law (no later than 30 days for most jurisdictions, with a possible 30-day extension where permitted). We may need to verify your identity before processing your request. We will not discriminate against you for exercising any privacy rights.

Vectego's use of information received from Google APIs, including the Gmail API, adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Gmail data only to provide or improve the email campaign features explicitly requested by the user.
• We do not use Gmail data to serve advertisements.
• We do not allow humans to read your Gmail data except with your affirmative consent, for security purposes, or to comply with applicable law.
• We do not transfer Gmail data to third parties except as necessary to provide or improve the requested features, subject to the requirements of the Google API Services User Data Policy.

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where data protection laws may differ from those in your jurisdiction. Where required, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms to protect your data.

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date and, where required by law, by sending you an email notification. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: