Privacy Policy

Last updated: March 8, 2026

Data Controller

VEP Technologies Ltd. ("we", "us", "the Company") is the data controller for personal data processed through vep.live. Our Data Protection Officer can be reached at dpo@vep.live.

1. Data Stored in Your Browser (localStorage)

We use your browser's localStorage (not cookies) to remember a few preferences so the site works well for you:

• blog-theme — Your preferred color theme (dark or light).
• blog-reading-position — Your scroll position so you can resume reading where you left off.
• cookie-consent — Whether you accepted or rejected the consent banner.
• feedback-* — Which articles you've voted on (helpful yes/no), to prevent duplicate votes.

This data never leaves your browser. We cannot read it from our servers. You can clear it at any time via your browser's developer tools or site settings.

2. Cookies

We do not use cookies. No first-party cookies, no third-party cookies, no tracking cookies. Period.

3. Third-Party Services

We do not embed any third-party analytics, advertising, or tracking services. There are no Google Analytics, Facebook Pixel, Hotjar, or similar scripts on our pages. All code served on vep.live is first-party.

4. Email Subscriptions

If you choose to subscribe to our blog newsletter, we store your email address in our database. The legal basis for this processing is your explicit consent (GDPR Art. 6(1)(a)). We use it solely to send you new case studies and product updates.

• You can unsubscribe at any time by clicking the unsubscribe link in any email.
• We do not share, sell, or rent your email address to third parties.
• We do not send promotional emails on behalf of other companies.

5. Google Account Authentication & Gmail Integration

When you sign in with Google ("Sign in with Google" button), we request the following permissions through Google OAuth 2.0:

• OpenID, Email, Profile — To identify you and create your account. We store your email address, display name, and profile picture URL.
• Gmail Send (gmail.send) — To enable your digital AI employee to send emails on your behalf, using your actual email address as the sender. This ensures email authenticity for recipients.

How Gmail Send is used:

• Your digital employee can only send emails after you explicitly assign a task that requires email delivery.
• Every external email requires your explicit approval before it is sent. You see the full email draft in the chat interface and must click "Approve action" to authorize sending. No external email is ever sent without your consent.
• All approved actions are cryptographically logged with your identity, timestamp, and the action details, creating an immutable audit trail.
• Internal emails (within your company domain) may be sent without individual approval, as they are part of normal workflow operations.
• We store your Google OAuth refresh token securely in our database to maintain email sending capability. We never read your inbox, access your contacts, or perform any action beyond sending emails you have explicitly approved.

Revoking access: You can revoke Gmail access at any time through your Google Account permissions. After revocation, your digital employee will no longer be able to send emails from your address.

6. AI Employee Action Approval System

VEP employs a multi-layer security system for actions performed by AI digital employees:

• Internal actions (search, analysis, drafting) — Performed freely within the platform, no approval required.
• External actions (sending emails outside your company, API calls to third-party services, publishing content) — Require explicit approval from the account owner or authorized managers.
• Multi-signer approval — For organizations with management hierarchies, external actions can require approval from multiple authorized personnel (50%+ of managers must approve).
• Audit logging — Every approved and rejected action is permanently logged with: the approver's identity, timestamp, action details, and digital signature.

The legal basis for processing data related to AI employee actions is the performance of a contract (GDPR Art. 6(1)(b)) and your explicit consent for Gmail integration (GDPR Art. 6(1)(a)).

7. Analytics

When you read a blog post, we collect two anonymous engagement metrics via the browser's sendBeacon API. The legal basis is our legitimate interest in improving content quality (GDPR Art. 6(1)(f)):

• Scroll depth — How far down the page you scrolled (as a percentage).
• Time on page — How long you spent on the page (in seconds).

This data is sent alongside the post's slug (URL path). It does not include any personally identifiable information — no IP address is stored, no user ID, no device fingerprint. We use this data in aggregate to understand which content is most engaging.

6. Data Retention

• localStorage data — Persists in your browser until you clear it. We have no server-side copy.
• Email subscriptions — Retained until you unsubscribe or request deletion.
• Analytics data — Aggregated server logs retained for up to 90 days, then purged.
• Consent records — Accept/reject logs retained for 3 years per GDPR Art. 7(1) accountability requirements.

7. International Transfers

Our servers are located within the European Union (Hetzner, Helsinki, Finland). We do not transfer personal data outside the EU/EEA. If this changes in the future, we will update this policy and ensure appropriate safeguards (e.g., Standard Contractual Clauses) are in place.

8. Your Rights (GDPR & CCPA)

Under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), you have the right to:

• Access — Request a copy of any personal data we hold about you.
• Rectification — Request correction of inaccurate data.
• Erasure — Request deletion of your data ("right to be forgotten").
• Portability — Receive your data in a structured, machine-readable format.
• Restriction — Request that we limit processing of your data.
• Objection — Object to processing based on legitimate interest.
• Withdraw consent — At any time by clicking "Reject All" in Cookie Settings or by contacting us.
• Non-discrimination (CCPA) — We will not discriminate against you for exercising your privacy rights.

We will respond to any data request within 30 days (GDPR) or 45 days (CCPA).

9. Supervisory Authority

If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, a list of authorities is available at edpb.europa.eu.

10. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. For material changes, we will display a notice on our blog.

11. Contact

For any privacy-related questions or data requests:

• Data Protection Officer: dpo@vep.live
• General inquiries: privacy@vep.live