Privacy Policy
How Vistoa handles account data, customer content, connected-source records, AI-assisted intelligence metadata, security logs, and privacy rights across the platform.
- Last updated: May 16, 2026
- Contact: privacy@vistoa.com
These pages are written for Vistoa's public website, customer workspaces, connected-source intelligence workflows, and enterprise pilot operations. Separate signed order forms or written agreements control if they expressly conflict with this public document.
01
Scope and relationship to customer agreements
This Privacy Policy explains how Vistoa, Inc. ("Vistoa," "we," "us," or "our") collects, uses, discloses, retains, and protects information when people visit our public website, create or use a Vistoa account, participate in a pilot, connect business systems, receive support, interact with our communications, or otherwise use our data intelligence platform, APIs, reports, alerts, workflows, investigations, automations, dashboards, and related services (collectively, the "Services").
If Vistoa and a customer enter into a signed order form, services agreement, data processing addendum, security addendum, statement of work, or other written agreement, that agreement controls to the extent it expressly conflicts with this Privacy Policy. This Privacy Policy does not expand a customer's subscribed features, create a service-level commitment, or replace contractual data protection terms executed by Vistoa.
The Services are intended for business and organizational use. They are not directed to children and are not intended for personal, household, or consumer social-network use.
02
Controller, processor, and service-provider roles
Vistoa acts as an independent controller for information we collect for our own business purposes, including website analytics, marketing, sales, account administration, security monitoring, billing administration, support, legal compliance, and improvement of the Services.
When a customer or authorized user submits Customer Content, connects a business system, imports records, configures watch queries, creates investigations, runs reports, or otherwise uses the Services to process information on behalf of that organization, Vistoa generally acts as a processor, service provider, or contractor for that customer, as those terms are used under applicable privacy laws. In that context, the customer determines the purposes and means of processing and is responsible for providing required notices, obtaining required permissions, and honoring applicable rights requests.
If you are an employee, contractor, prospect, customer, account contact, data subject appearing in a customer's connected source, or other individual whose information was submitted to Vistoa by a Vistoa customer, we may need to direct your request to that customer or coordinate with that customer before responding.
03
Key definitions
"Personal Information" means information that identifies, relates to, describes, can reasonably be associated with, or could reasonably be linked with an identifiable individual or household, as defined under applicable law.
"Customer Content" means data, files, text, records, credentials, configurations, queries, prompts, outputs, comments, reports, documents, connected-source payloads, evidence snippets, metadata, and other content submitted to, generated in, imported into, or processed through the Services by or for a customer or authorized user.
"Connected Source Data" means Customer Content obtained from systems or sources that a customer authorizes Vistoa to access, such as CRM, billing, accounting, support, analytics, communications, document, web-monitoring, RSS, and other business systems.
"Authorized User" means a person invited, provisioned, or permitted by a customer to access the Services.
04
Information we collect
Depending on your relationship with Vistoa, we may collect:
- Account and contact information, including name, business email, company, role, phone number, login identifier, tenant membership, invitation status, and communication preferences.
- Authentication and security information, including hashed credentials, session data, SSO identifiers, directory-sync identifiers, role assignments, capability grants, IP addresses, device and browser information, login attempts, audit events, and security logs.
- Customer Content and Connected Source Data, including records, fields, notes, snippets, files, object IDs, source timestamps, ownership metadata, relationship links, tags, status changes, workflow history, report inputs, evidence references, and user-generated configurations.
- Usage and telemetry information, including feature use, workflow events, connector health, API calls, webhook events, rate-limit events, search queries, dashboard interactions, page views, error events, latency, cost telemetry, prompt version metadata, and model-invocation metadata.
- Communications and support information, including messages, emails, meeting notes, feedback, troubleshooting details, implementation tasks, approvals, support-session records, and information you submit through forms.
- Billing and commercial information, including order details, invoice status, entitlement level, usage events, paid-pilot configuration, procurement contact information, and payment administration details. Vistoa does not need full payment-card numbers for ordinary platform operation.
- Website and cookie information, including cookie identifiers, referral URLs, approximate location inferred from IP address, browser type, device type, pages viewed, and interactions with our public site.
Customers decide what data to connect or upload. Customers should not submit sensitive personal information unless the customer's agreement with Vistoa permits that processing and the customer has configured appropriate access, retention, and legal controls.
05
Sources of information
We may collect information from:
- You, when you create an account, use the Services, contact us, submit a form, participate in a pilot, request support, or attend a meeting.
- Your organization or another customer, when they provision access, assign roles, connect sources, upload files, configure workflows, or designate you as an owner, reviewer, recipient, or stakeholder.
- Connected systems authorized by a customer, including providers such as CRM, billing, accounting, support, analytics, communications, document, web-monitoring, RSS, and similar business systems.
- Publicly available or commercially available sources, where a customer configures monitoring of market, media, company, regulatory, web, or other public information.
- Service providers, business partners, identity providers, security systems, email systems, analytics providers, hosting providers, and other vendors that support the Services.
06
How we use information
We use information to:
- Provide, operate, maintain, secure, troubleshoot, and improve the Services.
- Authenticate users, maintain sessions, manage roles, enforce permissions, administer tenants, and prevent unauthorized access.
- Ingest, normalize, search, score, rank, summarize, cite, and route business signals, evidence, reports, investigations, alerts, dashboards, and workflow tasks.
- Operate connectors, webhooks, APIs, scheduled jobs, background functions, rate limits, usage meters, readiness checks, and audit logs.
- Provide implementation, customer success, support, training, administrative, billing, procurement, and account-management services.
- Communicate about the Services, respond to inquiries, send operational notices, provide security alerts, and share product or commercial updates where permitted by law.
- Detect, investigate, and prevent fraud, abuse, misuse, security incidents, policy violations, service degradation, and unlawful activity.
- Comply with legal obligations, enforce agreements, preserve legal rights, respond to lawful requests, and support corporate transactions.
- Create aggregated, de-identified, or statistical information that does not identify a customer or individual.
07
AI-assisted processing, embeddings, and model metadata
Vistoa uses AI-assisted systems to support platform functions such as extraction, normalization, semantic search, signal scoring, summarization, report generation, recommendation drafting, anomaly review, and workflow assistance. These functions are designed to keep source evidence, timestamps, confidence indicators, and review context attached to generated outputs.
Depending on customer configuration, Vistoa may process Customer Content through model providers, embedding providers, or AI gateway infrastructure for the limited purpose of providing the Services. Vistoa may record model metadata such as feature name, provider, model, prompt version, evidence count, token or cost estimates, latency, outcome, and error state to operate, audit, secure, and improve the Services.
Vistoa does not claim that AI outputs are legal, financial, employment, medical, or professional advice. Customers and authorized users remain responsible for reviewing outputs before relying on them or taking action.
09
When we disclose information
We do not sell Customer Content. We may disclose information as described below:
- To customers and authorized users, according to tenant membership, role, permissions, workflow assignments, report delivery settings, and customer configuration.
- To service providers and subprocessors that host, secure, monitor, support, email, analyze, search, store, process, or otherwise operate the Services on our behalf.
- To connected-source providers and third-party platforms when a customer authorizes an integration, webhook, OAuth connection, export, sync, or provider action.
- To professional advisers, auditors, insurers, banks, payment administrators, and legal representatives where reasonably necessary for business administration.
- To comply with law, legal process, governmental requests, court orders, subpoenas, and regulatory obligations.
- To enforce agreements, protect rights, protect safety, investigate misuse, prevent fraud, and respond to security incidents.
- In connection with a merger, acquisition, financing, restructuring, divestiture, bankruptcy, sale of assets, or similar corporate transaction, subject to appropriate confidentiality safeguards.
- With your direction, consent, or as otherwise disclosed at the time of collection.
10
Connected providers and third-party content
The Services may integrate with third-party platforms, APIs, social networks, content sources, analytics providers, document systems, communications systems, billing systems, support systems, and other connected sources. Customer access to, use of, export from, or automation against those systems may be subject to the provider's own terms, privacy policies, developer policies, usage limits, deletion requirements, and content restrictions.
Customers are responsible for ensuring that they have the necessary rights and notices to connect a source, import data, analyze content, create reports, send webhooks, export results, or act on information obtained from third-party systems. Vistoa may restrict, suspend, or modify access to provider content when needed to comply with law, provider requirements, security obligations, or customer agreements.
11
Legal bases for processing
Where GDPR, UK GDPR, or similar laws require a legal basis, Vistoa processes Personal Information under one or more of the following bases:
- Performance of a contract, including providing accounts, access, support, security, and purchased Services.
- Legitimate interests, including operating, securing, improving, and marketing business services, preventing misuse, communicating with business contacts, and administering customer relationships.
- Consent, where required for certain communications, optional cookies, or other processing that legally depends on consent.
- Compliance with legal obligations, including tax, accounting, sanctions, export, security, and lawful-request obligations.
- Protection of vital interests or public interests where applicable and permitted by law.
When Vistoa acts as a processor for a customer, the customer's legal basis governs the customer's processing instructions.
12
Retention, deletion, and legal holds
We retain information for as long as reasonably necessary to provide the Services, maintain accounts, support customer workflows, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and preserve auditability. Retention periods may vary by data class, customer configuration, source provider rules, contract terms, feature, and legal requirement.
Customers may configure or request retention policies for tenant data classes where supported by the Services. Some information may remain longer in backups, audit logs, security logs, legal-hold records, financial records, abuse-prevention records, or dispute-preservation records where retention is required or reasonably necessary.
Upon termination or expiration of a customer relationship, Vistoa may make Customer Content available for export for a reasonable period if commercially and technically feasible, then delete or make it inaccessible according to the applicable agreement, retention schedule, and legal obligations.
13
Security and tenant isolation
Vistoa uses technical, organizational, and administrative safeguards designed to protect information against unauthorized access, loss, misuse, alteration, and disclosure. These safeguards may include tenant-scoped authorization, row-level security controls, role and capability checks, signed sessions, audit logging, provider-token sealing, webhook signature checks, rate limits, transport security, security headers, access controls, and operational monitoring.
No method of transmission, storage, or processing is completely secure. Customers and authorized users must protect credentials, configure least-privilege access, promptly remove users who no longer need access, review connected-source permissions, and notify Vistoa of suspected unauthorized access.
14
International data transfers
Vistoa is based in the United States and may process information in the United States and other jurisdictions where Vistoa, service providers, model providers, hosting providers, connected-source providers, or support personnel operate. These jurisdictions may have data protection laws that differ from those in your location.
Where required, Vistoa uses appropriate transfer mechanisms, such as contractual safeguards, customer instructions, vendor commitments, and other lawful transfer mechanisms. This Privacy Policy does not state that Vistoa is certified under any data-transfer framework unless separately published by Vistoa.
15
Your privacy rights
Depending on your location and relationship with Vistoa, you may have rights to request access, correction, deletion, portability, restriction, objection, withdrawal of consent, appeal of a denied request, or information about certain disclosures. US state privacy laws may also provide rights to opt out of certain sales, sharing, or targeted advertising.
Vistoa does not knowingly sell Personal Information for money. If we use advertising or analytics technologies that are considered a "sale," "share," or targeted advertising under applicable law, we will provide required notices and opt-out mechanisms.
To exercise rights, email privacy@vistoa.com. We may need information to verify your identity, confirm your authority, locate relevant records, or determine whether the request should be handled by a Vistoa customer. Authorized agents may be required to provide proof of authority.
16
Children
The Services are not directed to children under 18, and we do not knowingly collect Personal Information from children under 18. If you believe a child has provided Personal Information to Vistoa, contact us at privacy@vistoa.com, and we will take appropriate steps to review and delete the information where required.
17
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date identifies the latest version. If we make material changes, we may provide additional notice through the Services, by email, by posting a notice, or as otherwise required by law. Continued use of the Services after an update means the updated Privacy Policy applies to future processing.
18
Contact
Privacy requests and questions should be sent to privacy@vistoa.com. Legal notices unrelated to privacy should be sent to legal@vistoa.com.
If a separate customer agreement specifies a notice address or notice process, that agreement's notice process controls for contractual notices under that agreement.
Legal contact
Questions about this document can be sent to privacy@vistoa.com.
