Privacy Policy
Data Controller: Vectorial Data (operating as "Arcane Quants")
Effective Date: January 21, 2025
Last Updated: January 21, 2025
Version: 1.0
1. Introduction and Scope
Vectorial Data ("Company," "we," "us," or "our") is committed to protecting your privacy and personal data in compliance with applicable global privacy laws. This Privacy Policy describes how we collect, use, process, disclose, and safeguard personal information when you access or use our blockchain analytics platform, API services, website, and related services (collectively, the "Services").
Scope: This Privacy Policy applies to www.vectorialdata.com, all subdomains, API endpoints, mobile applications (if any), and any services where this policy is linked.
Regulatory Compliance: We comply with:
- EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA) - Cal. Civ. Code §1798.100 et seq.
- Virginia Consumer Data Protection Act (VCDPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
- Lei Geral de Proteção de Dados (LGPD) - Brazil
By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must discontinue use immediately.
2. Data Controller and Contact Information
3. Information We Collect
3.1 Information You Provide Directly
- Account Registration Data: Email address, full name, password (bcrypt hashed, never stored in plaintext), username
- OAuth Provider Data: Email, name, profile photo, unique identifier from Google or GitHub
- Profile Information: Company name, job title, profile picture, bio, location (optional)
- Payment Information: Billing name, address, ZIP code. Note: Credit card data is processed exclusively by Stripe (PCI DSS Level 1 compliant); we never store card numbers, CVV, or full PANs
- Communications: Support tickets, emails, feedback, survey responses
- User-Generated Content: Saved wallet addresses (public blockchain data), watchlists, custom dashboards, API queries, notes
3.2 Automatically Collected Information
- Usage Data: API requests (endpoint, timestamp, request/response size, status codes), feature usage, page views, session duration, clickstream data
- Device & Browser Information: IP address, browser type & version, operating system, device type, screen resolution, user agent string
- Location Data: Geolocation derived from IP address (city/country level, not precise GPS)
- Cookies & Tracking: Session cookies, authentication tokens, preference cookies, analytics cookies (Google Analytics 4)
- Performance & Error Data: API latency, error logs, crash reports, stack traces (via Sentry.io)
- Security Logs: Failed login attempts, suspicious activity, rate limit violations, IP blocks
3.3 Information from Third-Party Sources
- OAuth Providers: Google (name, email, profile photo), GitHub (username, email, avatar)
- Blockchain Data Providers: Public on-chain data from Ethereum, Base, Arbitrum, Optimism, Polygon via Alchemy, DeFiLlama, CoinGecko APIs
- Payment Processor: Payment status, subscription status, billing failures from Stripe
- Analytics Services: Aggregated behavioral data from Google Analytics 4
3.4 Sports Betting Analytics Data
⚽ IMPORTANT: Vectorial Data is an INFORMATION PROVIDER ONLY. We are NOT a gambling operator, sportsbook, or betting platform.
We collect and process sports-related data from third-party sources for informational and analytical purposes only:
- Live Sports Statistics: Real-time game data, player stats, team performance metrics, historical records
- Betting Odds & Lines: Odds data from third-party sportsbooks (we do NOT set odds or accept bets)
- Game Predictions & Forecasts: Statistical models, AI-generated predictions, probability calculations (for informational purposes only)
- Historical Sports Data: Past game results, seasonal statistics, trend analysis
- User Interaction Data: Sports watchlists, saved predictions, favorited teams/leagues
Data Sources: We aggregate sports data from publicly available APIs, third-party sports data providers, and licensed sports statistics services. We do NOT collect data directly from gambling operators, sportsbooks, or betting platforms.
No Gambling Activity: We do NOT process bets, handle gambling transactions, facilitate betting, or custody gambling funds. See Section 5 (How We Use Your Information) for details on how sports data is used.
4. Legal Basis for Processing (GDPR Compliance)
For EU/EEA/UK users, we process your personal data under the following legal bases (GDPR Article 6):
- Contractual Necessity (Art. 6(1)(b)): Account creation, authentication, API access, billing, service delivery
- Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, analytics, service improvement, customer support
- Consent (Art. 6(1)(a)): Marketing emails, non-essential cookies (you may withdraw consent anytime)
- Legal Obligation (Art. 6(1)(c)): Tax records, subpoena compliance, OFAC/sanctions screening, regulatory reporting
5. How We Use Your Information
- Service Provision: Deliver blockchain analytics, API responses, dashboards, historical data access
- Authentication & Access Control: Verify identity via OAuth or email/password, manage sessions, enforce rate limits
- Personalization: Save watchlists, preferences, custom dashboards, theme settings
- Billing & Payments: Process subscriptions via Stripe, issue invoices, handle refunds/chargebacks
- Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance
- Security & Fraud Prevention: Detect abuse, prevent unauthorized access, block malicious IPs, enforce Terms of Service
- Analytics & Improvement: Monitor performance, identify bugs, optimize user experience, develop new features
- Marketing (with consent): Send promotional emails, product updates, newsletters (opt-out available)
- Legal Compliance: Respond to legal requests, enforce Terms, protect rights, comply with tax/regulatory obligations
- Business Operations: Mergers, acquisitions, audits, investor due diligence
6. Data Sharing and Third-Party Service Providers
WE DO NOT SELL, RENT, OR TRADE YOUR PERSONAL INFORMATION TO THIRD PARTIES FOR MONETARY COMPENSATION.
6.1 Service Providers (GDPR Art. 28 Processors)
We share data with trusted service providers under Data Processing Agreements (DPAs):
- Hosting & Infrastructure: Vercel (SOC 2 Type II), Supabase (ISO 27001), Upstash (caching)
- Payment Processing: Stripe (PCI DSS Level 1)
- Authentication: Google OAuth, GitHub OAuth
- Blockchain Data: Alchemy, DeFiLlama, CoinGecko (public on-chain data only)
- Analytics: Google Analytics 4 (IP anonymization enabled)
- Error Monitoring: Sentry.io (error logs, stack traces)
- Email Delivery: SendGrid/AWS SES (transactional emails only)
6.2 Legal Disclosures
We may disclose personal data when required by law or to protect rights:
- Court orders, subpoenas, search warrants, regulatory investigations
- OFAC/sanctions compliance, anti-money laundering (AML) regulations
- Protection of our rights, property, safety, or those of users or the public
- Enforcement of Terms of Service or other agreements
6.3 Business Transfers (Change of Control)
In the event of a merger, acquisition, asset sale, bankruptcy, or reorganization, your personal data may be transferred to the successor entity. We will notify you via email at least 30 days before any such transfer and provide options to delete your account if you do not consent.
7. Data Security Measures
We implement industry-standard technical and organizational measures to protect personal data:
- Encryption in Transit: TLS 1.3 (Transport Layer Security) for all data transmissions
- Encryption at Rest: AES-256 encryption for database storage (Supabase); passwords are hashed with bcrypt (cost factor 12)
- Access Controls: Role-Based Access Control (RBAC), Row Level Security (RLS), multi-factor authentication (MFA) for admin access
- Network Security: Firewall protection, DDoS mitigation (Cloudflare/Vercel), intrusion detection systems
- API Security: Rate limiting, API key rotation, CORS policies, input validation, SQL injection prevention
- Monitoring & Auditing: 24/7 security monitoring, automated anomaly detection, regular security audits
- Compliance Certifications: SOC 2 Type II (Vercel, Supabase), ISO 27001 (Supabase), PCI DSS Level 1 (Stripe)
- Incident Response: We maintain a security incident response plan and will notify affected users within 72 hours of discovering a breach, as required by GDPR Article 33
Disclaimer: No system is 100% secure. We cannot guarantee absolute security but commit to using commercially reasonable efforts to protect your data.
8. Data Retention and Deletion
We retain personal data only as long as necessary for the purposes outlined in this policy or as required by law:
- Account Data (Active): Retained while account is active and for 90 days after account deletion (to allow recovery)
- Account Data (Deleted): Permanently deleted after 90-day grace period, except as noted below
- API Request Logs: 30 days (for debugging and security monitoring)
- Billing Records: 7 years from transaction date (tax compliance: IRS, HMRC, EU VAT requirements)
- Legal Hold Data: Retained indefinitely if subject to litigation, investigation, or regulatory inquiry
- Aggregated Analytics: Anonymized, de-identified data retained indefinitely (cannot be re-identified)
- Backup Data: Backups retained for 30 days, then permanently deleted
Secure Deletion: Data is deleted using secure deletion methods (e.g., cryptographic erasure, multi-pass overwriting) to prevent recovery.
9. Your Privacy Rights
9.1 GDPR Rights (EU/EEA/UK Residents)
- Right of Access (Art. 15): Request a copy of your personal data we hold
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data
- Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your data (subject to legal exceptions)
- Right to Restriction of Processing (Art. 18): Limit how we use your data
- Right to Data Portability (Art. 20): Receive your data in machine-readable format (JSON/CSV)
- Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent anytime (does not affect prior lawful processing)
- Right to Lodge a Complaint (Art. 77): File complaint with supervisory authority (see Section 9.4)
- Automated Decision-Making (Art. 22): We do NOT use automated decision-making or profiling with legal/significant effects
9.2 CCPA/CPRA Rights (California Residents)
- Right to Know (§1798.110): Request categories and specific pieces of personal information collected
- Right to Delete (§1798.105): Request deletion of personal information (subject to exceptions)
- Right to Opt-Out of Sale (§1798.120): We do NOT sell personal information (no opt-out needed)
- Right to Correct (§1798.106): Correct inaccurate personal information
- Right to Limit Use of Sensitive Personal Information (§1798.121): We do not use sensitive PI beyond necessary purposes
- Right to Non-Discrimination (§1798.125): We will not discriminate against you for exercising CCPA rights
9.3 How to Exercise Your Rights
To exercise any privacy right:
- Email privacy@vectorialdata.com with subject line: "Privacy Rights Request"
- Include: Your full name, email address associated with account, specific request (e.g., "GDPR Right to Erasure")
- We will verify your identity (may require additional proof) and respond within 30 days (GDPR/CCPA standard)
- Requests are free of charge (first request); excessive/repetitive requests may incur reasonable administrative fees
9.4 Supervisory Authority Contact (GDPR Art. 77)
If you are in the EU/EEA/UK and believe we have violated your privacy rights, you may lodge a complaint with your local data protection authority:
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (web beacons, pixels, local storage) to enhance user experience:
10.1 Essential Cookies (Strictly Necessary)
- Authentication tokens (session management)
- Security tokens (CSRF protection)
- Load balancing cookies
- Legal Basis: Contractual necessity (cannot be disabled)
10.2 Performance & Analytics Cookies (Consent Required)
10.3 Functional Cookies (Consent Required)
- Theme preferences (dark/light mode)
- Language preferences
- Saved dashboard layouts
Cookie Management: You can manage cookies via browser settings. Disabling cookies may limit functionality.
11. International Data Transfers (GDPR Chapter V)
Your data may be processed in the United States, European Union, or other jurisdictions where our service providers operate. For transfers from the EU/EEA to third countries, we use:
- EU Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914 - Module 2 (Controller-to-Processor)
- Adequacy Decisions: EU Commission adequacy decisions for specific countries (if applicable)
- Supplementary Measures: Encryption, pseudonymization, access controls per Schrems II (CJEU C-311/18)
- Service Provider Compliance: Vercel (EU data residency available), Supabase (EU Frankfurt region), Stripe (EU operations entity)
Request for SCC Copies: EU/EEA residents may request copies of SCCs by emailing dpo@vectorialdata.com.
12. Children's Privacy
Our Services are NOT intended for individuals under 18 years of age (or 16 in EU/EEA). We do not knowingly collect personal data from minors. If you are a parent/guardian and believe your child has provided us with personal information, contact privacy@vectorialdata.com immediately. We will delete such data within 30 days of verification.
Compliance: Children's Online Privacy Protection Act (COPPA) - 15 U.S.C. §§ 6501–6506
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or business operations. Material changes will be communicated via:
- Email notification to registered users (at least 30 days prior to effective date)
- Prominent notice on our website homepage
- In-app notification for dashboard users
- Updated "Last Updated" date at top of this policy
Continued use of the Services after changes constitutes acceptance. If you do not agree to the changes, you must discontinue use and request account deletion.