Privacy Policy
Last updated: 2026-05-17 · Effective immediately for new customers, from the next billing cycle for existing customers.
1. Introduction
This Privacy Policy describes how Vexta CMO ("Vexta CMO", "we", "us", or "our"), a service operated by VITI Security, collects, uses, discloses, retains, and protects information when you visit our websites, use our applications and services, communicate with us, or otherwise engage with the platform (collectively, the "Services"). It also describes the rights and choices available to individuals whose personal information we process. By accessing or using the Services you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Privacy Policy, you should not access or use the Services.
We may update this Privacy Policy from time to time to reflect changes in our practices, our Services, applicable law, or for other operational, legal, or regulatory reasons. When we make material changes we will notify you by reasonable means, which may include posting the revised policy on our website with an updated "Last updated" date, by sending you an email to the address associated with your account, or through an in-product notification. Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the updated terms.
2. Scope and Applicability
This Privacy Policy applies to personal information we collect or process about you when you visit our public marketing pages, register for an account, use the Services, attend or participate in events we host or sponsor, communicate with our personnel through email or other channels, respond to surveys, request a demonstration of the Services, or otherwise interact with us. It applies to personal information processed by us in our capacity as a controller. Where we process personal information on behalf of our customers (for example, when customers upload, transmit, or otherwise submit information through the Services about their own end users or business contacts), we generally act as a processor. In such cases, the privacy notice of our customer governs the processing, and you should contact that customer to exercise your rights with respect to such personal information. For clarity, the data processing addendum we make available separately governs our processor relationships with customers and supplements this Privacy Policy.
3. Information We Collect
We collect information about you from a variety of sources. The categories described below are illustrative and not exhaustive; the specific information we collect about a particular individual depends on the nature of that individual's interaction with us and the purpose of the interaction.
3.1 Information You Provide Directly
When you create an account, request a demonstration, fill out a form on our website, subscribe to our communications, or otherwise affirmatively choose to share information with us, we collect the information you provide. This may include your full name, business or personal email address, postal address, telephone number, employer name, job title, professional role, the size of your team or organization, your reasons for evaluating the Services, billing information necessary to charge for paid plans, account credentials (which we never store in plain text), preferences regarding communications and language, content of inquiries and support tickets you submit, and any other information you elect to provide. If you choose to provide information about other individuals (for example when inviting a teammate to join your workspace) you represent that you have appropriate authority and consent to share that information with us.
3.2 Information Collected Automatically
When you interact with our websites, applications, and Services, we and our authorized service providers automatically collect certain information using server logs, cookies, similar technologies, and comparable mechanisms. This information may include your internet protocol address, internet service provider, approximate geographic location derived from your internet protocol address, device type and identifiers, operating system, browser type and version, browser language, referring and exit pages, pages and content you view, the date and time of your visit, the time spent on individual pages, clickstream and navigation data, errors encountered, and similar usage metrics. We may combine this automatically-collected information with information you provide directly in order to improve the Services and personalize your experience.
3.3 Information from Third Parties
We may receive information about you from third parties, including joint marketing partners, business partners, social networks (where you choose to connect or authenticate using a social network), analytics providers, advertising networks, search information providers, lead lists we lawfully obtain, public databases, and professional information services. We may combine information we receive from third parties with information you provide directly to us and with information collected automatically. We use third-party information for purposes such as verifying or supplementing information in our records, identifying business opportunities, marketing, fraud prevention, and security.
3.4 Information You Submit Through the Services
Customers may use the Services to submit, upload, store, transmit, or process content (the "Customer Content"). Customer Content may include personal information of the customer's own employees, agents, contractors, end users, prospects, leads, or other individuals. Except as required to provide the Services, comply with law, or as otherwise described in this Privacy Policy or the applicable customer agreement, we do not access, use, or disclose Customer Content for our own purposes. Customer Content remains the property of the customer and is processed by us as a processor on the customer's documented instructions.
3.5 Communications
When you communicate with us by email, telephone, web form, chat, or other means we collect the content of those communications along with metadata associated with them, such as your name and contact details, the date and time of the communication, and any attachments or supplemental materials. We may retain communications for purposes of customer support, training, quality assurance, dispute resolution, recordkeeping, and security.
4. How We Use Your Information
We use the information we collect for the following purposes, consistent with applicable law and as described in any specific notices or consents we provide at the time of collection. We may use a single category of information for multiple purposes and may combine information from multiple sources to better fulfil these purposes.
- To provide, operate, maintain, secure, and improve the Services, including authenticating you to your account, delivering the functionality you request, personalizing your experience, and measuring usage and performance.
- To process transactions and administer your account, including billing, sending invoices and receipts, processing renewals, implementing refunds, and managing subscriptions.
- To communicate with you, including responding to your inquiries, sending administrative messages about your account, providing technical support, sending service-related notifications such as security alerts or product updates, and notifying you of changes to our policies or terms.
- To send you marketing and promotional communications about our products, services, events, and offerings, subject to your communication preferences and applicable law. You can opt out of marketing communications at any time using the unsubscribe mechanisms in our emails or by contacting us.
- To carry out research, statistical analysis, product development, and business operations, including troubleshooting, debugging, repair and improvement, capacity planning, and the development of new features, products, and services.
- To prevent, detect, investigate, and respond to fraud, abuse, security incidents, threats to the safety of persons or property, and violations of our terms, policies, or applicable law, including enforcing our rights and protecting the rights, safety, and property of ourselves, our customers, our personnel, and others.
- To comply with our legal, regulatory, accounting, tax, and recordkeeping obligations, respond to lawful requests from governmental authorities, courts, and law enforcement, and establish, exercise, or defend legal claims.
- For any other purpose that is reasonably necessary in connection with the foregoing or that we describe to you at the time of collection and to which you have consented where required by law.
5. Legal Bases for Processing
Where the General Data Protection Regulation, the UK General Data Protection Regulation, or comparable laws apply, we rely on one or more of the following legal bases to process personal information: the necessity of the processing for the performance of a contract to which you are a party or to take steps at your request prior to entering into such a contract; compliance with our legal obligations to which we are subject; our legitimate interests in operating and improving the Services, securing our systems, communicating with our customers and prospects, and developing our business, where those interests are not overridden by your rights and freedoms; and your consent where required by law, which you may withdraw at any time without affecting the lawfulness of processing carried out prior to withdrawal. Where we rely on consent, we will tell you so at the time of collection.
6. Disclosure of Information
We disclose personal information only as described in this Privacy Policy and consistent with applicable law. The categories of recipients and the circumstances of disclosure are as follows.
6.1 Service Providers
We engage third parties to perform services on our behalf, including hosting and infrastructure, communications, payments processing, customer relationship management, analytics, security services, fraud detection, support tools, identity verification, and similar functions. These service providers receive only the information they need to perform their services for us and are contractually required to protect that information, use it solely for the purposes for which it was disclosed, and not retain it longer than necessary. A current list of categories of service providers and key processors is available on request.
6.2 Business Affiliates
We may share information with our parent company, subsidiaries, and affiliated entities for the purposes described in this Privacy Policy. These entities are bound by terms consistent with this Privacy Policy and applicable law.
6.3 Business Partners
We may share information with business partners and joint marketing partners with whom we collaborate on offerings, events, or promotions. Where we share information for marketing purposes we do so only to the extent permitted by applicable law and consistent with your communication preferences.
6.4 Legal, Regulatory, and Safety Disclosures
We may disclose information when we believe in good faith that disclosure is required or permitted by law; to comply with a subpoena, court order, regulatory request, legal process, or other lawful demand; to enforce our terms, policies, agreements, or rights; to detect, prevent, or respond to fraud, security, or technical issues; to protect the safety, rights, or property of ourselves, our customers, our personnel, or any other person; or otherwise as required or permitted by applicable law.
6.5 Corporate Transactions
We may disclose information in connection with, or during negotiations of, any merger, acquisition, sale of company assets, financing, restructuring, reorganization, bankruptcy, or similar corporate transaction. In such circumstances information about you may be among the assets transferred. We will use reasonable efforts to require any successor to honor the commitments made in this Privacy Policy with respect to information collected before the transaction.
6.6 Aggregate and De-identified Information
We may use, share, license, or sell aggregate or de-identified information that does not reasonably identify any individual for any purpose. We commit not to attempt to re-identify such information and to take reasonable measures to prevent re-identification.
6.7 With Your Consent or At Your Direction
We may share information with third parties when you have given us your consent to do so or when you direct us to share the information, for example by configuring an integration or sharing a document through the Services.
7. International Data Transfers
We are a global organization and may transfer, store, and process personal information in countries other than the country in which it was originally collected, including in jurisdictions that may not provide the same level of data protection as your country of residence. Where required by law, we put appropriate safeguards in place to protect personal information when it is transferred internationally, including by entering into standard contractual clauses approved by the European Commission, equivalent jurisdiction-specific data transfer mechanisms, intra-group data transfer agreements, or by relying on derogations permitted under applicable law. You may request additional information about the safeguards we use by contacting us at the address provided below.
8. Data Retention
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, tax, audit, or reporting requirements; to enforce our agreements; to resolve disputes; protect against fraudulent or unlawful activity; and to establish, exercise, or defend legal claims. To determine the appropriate retention period for personal information we consider the amount, nature, and sensitivity of the information; the potential risk of harm from unauthorized use or disclosure; the purposes for which we process the information; whether we can achieve those purposes through other means; and applicable legal, regulatory, and contractual requirements. When we no longer need to retain personal information we will either delete it, anonymize it, or archive it in a form that does not permit identification, in each case in accordance with our retention policies and applicable law.
9. Cookies and Similar Technologies
Cookies are small text files that websites place on your device when you visit them. We and our authorized service providers use cookies and similar technologies (such as web beacons, pixel tags, local storage, software development kits, and similar mechanisms, collectively "Cookies") to operate the Services, remember your preferences, authenticate sessions, secure the Services against attack, analyze how our Services are used, improve our content and offerings, and support marketing activities. We use the following categories of Cookies:
- Strictly necessary Cookies. These are required for the operation of the Services and for security. They enable core functionality such as session management, authentication, and access controls, and cannot be disabled without breaking the Services. They do not collect personal information used for marketing.
- Preference Cookies. These remember choices you make to provide a more personalized experience, such as your language, interface preferences, and similar settings.
- Analytics Cookies. Where used, these help us understand how visitors interact with the Services in aggregate so we can measure and improve performance. These Cookies are configured to minimize the collection of identifying information.
- Marketing and Targeting Cookies. Where applicable, we or our marketing partners may use these to deliver relevant advertisements and to measure the effectiveness of marketing campaigns.
You can manage Cookies through your browser settings and through any consent management tools we provide. Disabling Cookies may degrade the functionality of the Services. Browser-based "Do Not Track" signals are inconsistent across browsers and not yet standardized; accordingly, we do not currently respond to such signals.
10. Your Privacy Rights
Subject to applicable law and the specific exceptions and conditions described below, you may have one or more of the following rights with respect to personal information we hold about you:
- The right to be informed about how we process your personal information, including the categories of information we collect, the purposes for which we process it, the categories of recipients to whom we disclose it, the period for which we retain it, and the sources from which we obtain it.
- The right to access the personal information we hold about you and to obtain a copy of that information in a portable format.
- The right to rectify or correct inaccurate or incomplete personal information.
- The right to erasure or deletion of personal information in certain circumstances, subject to our right to retain information necessary to comply with legal obligations, to establish or defend legal claims, or for similarly compelling reasons.
- The right to restrict or object to the processing of your personal information in certain circumstances, including the right to object to processing for direct marketing purposes.
- The right to data portability with respect to information you have provided to us where the processing is based on consent or contract and is carried out by automated means.
- The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, except as permitted by law.
- The right to withdraw consent where the processing is based on consent, without affecting the lawfulness of processing carried out prior to withdrawal.
- The right to lodge a complaint with a supervisory authority or comparable regulator if you believe our processing of your personal information infringes applicable law.
To exercise any of these rights, please contact us at the address provided below. We will respond to your request in accordance with applicable law. We may need to verify your identity before acting on your request, and may decline to honor requests in limited circumstances permitted by law, including where doing so would prejudice the rights and freedoms of others.
11. Rights of Residents of the European Economic Area, United Kingdom, and Switzerland
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the rights described in section 10 apply with respect to personal information processed about you, subject to the conditions and exceptions established under applicable data protection laws. The data controller for processing of personal information described in this Privacy Policy is the Vexta CMO entity with which you have a relationship, except where this Privacy Policy identifies a different controller. You have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or place of an alleged infringement.
12. Rights of Residents of California
If you are a resident of California, the California Consumer Privacy Act and the California Privacy Rights Act grant you specific rights with respect to personal information we collect about you. These include the right to know the categories and specific pieces of personal information we have collected, the categories of sources from which we collected it, the business or commercial purposes for which we collected it, and the categories of third parties with whom we share it; the right to request deletion of personal information, subject to certain exceptions; the right to correct inaccurate personal information; the right to limit the use and disclosure of sensitive personal information; the right to opt out of the sale or sharing of personal information; and the right not to be discriminated against for exercising these rights. We do not sell personal information for monetary consideration, and we do not knowingly sell or share the personal information of consumers under sixteen years of age. To exercise any of these rights please contact us using the contact information provided below. We will verify your identity in accordance with applicable regulations before acting on your request. Authorized agents may submit requests on your behalf in accordance with applicable law.
13. Rights of Residents of India
If you are a resident of India, the Digital Personal Data Protection Act and related rules grant you rights with respect to digital personal data we process about you. These include the right to be informed about the purposes and means of processing, the right to access summaries of the personal data we hold and the processing activities undertaken, the right to correction and erasure subject to applicable exceptions, the right to nominate another person to exercise these rights in the event of your death or incapacity, and the right of grievance redressal. You may also have the right to approach the Data Protection Board of India in the event of an unresolved grievance. Please direct any requests, complaints, or questions concerning your personal data to the contact information below.
14. Rights of Residents of Other Jurisdictions
Residents of other jurisdictions may have rights similar to those described above under their local data protection laws. We honor such rights to the extent required by the applicable law. Please contact us with any questions about the rights available to you in your jurisdiction.
15. Children's Privacy
The Services are not directed to children under the age of sixteen and we do not knowingly collect personal information from children under that age. If you are under the age of sixteen, please do not provide any information through the Services. If we learn that we have collected personal information from a child without the appropriate parental or guardian consent, we will take steps to delete the information in accordance with applicable law. If you are a parent or guardian and you believe your child has provided us with personal information without your consent, please contact us so we can take appropriate action.
16. Marketing Communications
With your permission where required, or otherwise consistent with applicable law, we may send you marketing communications about our products, services, events, and offerings. You can opt out of marketing communications at any time by following the unsubscribe instructions included in each email, by adjusting your communication preferences in your account settings, or by contacting us directly. Even after you opt out of marketing communications, we may still send you non-marketing communications relating to your account, our ongoing business relationship, or transactional matters such as receipts and account notifications.
17. Security
We maintain administrative, technical, organizational, and physical measures designed to protect personal information against unauthorized access, disclosure, use, alteration, accidental loss, and destruction. Our security program is based on widely recognized industry standards and frameworks and is reviewed and updated periodically. Despite our efforts, no method of transmission over the internet or method of electronic storage is one hundred percent secure, and we cannot guarantee absolute security. You are responsible for protecting your account credentials, exercising appropriate caution when sharing access to your account, and notifying us promptly of any suspected unauthorized activity.
18. Third-Party Sites and Services
The Services may contain links to, or integrations with, websites, applications, services, or content operated by third parties not controlled by us. We are not responsible for the privacy practices of such third parties and this Privacy Policy does not apply to information collected by them. When you visit a third-party website or use a third-party service, you should consult that party's privacy policy to understand how it collects and uses your information. The inclusion of a link or integration does not imply endorsement or affiliation.
19. Sensitive Information
We ask that you do not submit, post, or otherwise transmit any sensitive personal information through the Services except where such information is reasonably necessary for the use of the Services and is processed by us as a processor on behalf of a customer. Sensitive personal information may include information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation, criminal records, or government identifiers. If you choose to submit sensitive personal information through the Services, you consent to the processing of that information in accordance with this Privacy Policy and the applicable customer agreement.
20. Business Customers and End Users
Where we process personal information on behalf of business customers (for example, in our capacity as a processor under the General Data Protection Regulation), the relevant business customer is responsible for determining the purposes and means of processing and for ensuring that appropriate notices have been provided and consents obtained from individuals whose personal information is included in Customer Content. If you are an end user, employee, contractor, or other individual whose personal information has been provided to us by a business customer, you should direct privacy inquiries and requests to that customer in the first instance. We will assist business customers in responding to such requests in accordance with the relevant customer agreement.
21. Automated Decision-Making
The Services include functionality that relies on machine learning, large language models, statistical analysis, heuristics, and similar automated techniques. These techniques are used to generate suggestions, perform analyses, surface anomalies, and assist users in their work. Decisions made through the Services are generally subject to human review and the Services are not designed to make decisions that produce legal effects concerning individuals or that similarly significantly affect them. Where you believe that an automated decision has affected you in a manner that requires human intervention or review, please contact us.
22. Accessibility
We are committed to making this Privacy Policy and the Services accessible to all individuals, including those with disabilities. If you need to access this Privacy Policy in an alternate format, please contact us using the contact information below and we will make reasonable accommodations.
23. How to Contact Us
If you have any questions about this Privacy Policy, our privacy practices, or your interactions with us, or if you wish to exercise any of the rights described in this Privacy Policy, please contact us at [email protected]. We respond to all reasonable requests in accordance with applicable law. When you contact us, please provide enough detail to enable us to identify your request and respond appropriately.
Last updated: 2026-05-17. This Privacy Policy is provided in English. Translations are provided for convenience; in the event of any conflict between the English version and a translated version, the English version shall prevail.