Privacy Policy
How we collect, use, and protect your personal data
Last updated: January 3, 2026 • Effective: January 3, 2026
Quick Summary
- We only collect data necessary to provide our marketplace service
- We NEVER sell your personal data to third parties
- Payments are processed securely by Stripe — we never see your card details
- You can request access to, correction, or deletion of your data at any time
- We are GDPR compliant and based in Denmark
1. Data Controller
The data controller responsible for your personal data is:
2. What Data We Collect
2.1 Account Information
Legal basis: Contract Performance (GDPR Art. 6(1)(b))
- Email address — Used for login, account recovery, and important notifications
- Password — Hashed with bcrypt (we cannot read your password)
- Display name — Shown to other users on the platform
- Role — Creator or Brand, to provide appropriate features
- Consent records — Timestamp of your acceptance of Terms and Privacy Policy
2.2 OAuth Data (When You Link Accounts)
Legal basis: Consent (GDPR Art. 6(1)(a))
When you voluntarily connect your YouTube or TikTok account:
- YouTube — Email, name, profile picture, channel data
- TikTok — Username, profile picture (TikTok does not provide email)
- Access tokens — Securely encrypted and used only to fetch video performance
You can unlink these accounts at any time from Settings.
2.3 Content & Submissions
Legal basis: Contract Performance (GDPR Art. 6(1)(b))
- Video URLs (YouTube/TikTok links)
- Video titles and descriptions
- Performance metrics (views, likes, comments)
- Uploaded files (videos, images for campaigns)
2.4 Payment Information
Legal basis: Contract Performance (GDPR Art. 6(1)(b))
Stripe handles all payments. We do NOT store or have access to your credit card details. We only store transaction IDs, payout history, and amounts for accounting purposes.
2.5 Technical Data
Legal basis: Legitimate Interest (GDPR Art. 6(1)(f))
Our hosting providers (Vercel, Neon) automatically collect:
- IP address (for security and fraud prevention)
- Browser type and version
- Access timestamps
This data is collected at the infrastructure level and retained per our providers' policies (typically 30-90 days).
3. Cookies & Tracking
Essential Cookies (Required)
Cannot be disabled as they are necessary for the platform to function:
- next-auth.session-token — Keeps you logged in
- next-auth.csrf-token — Protects against cross-site attacks
- vectio_cookie_consent — Remembers your cookie preferences
Functional Cookies (Optional)
Improve your experience by remembering preferences like "Remember me" on login. You can disable these in our cookie settings.
Analytics Cookies (Coming Soon)
We plan to use privacy-focused analytics. You will be asked for explicit consent before any analytics cookies are enabled.
4. How We Use Your Data
- Provide our service — Account management, campaign participation, payouts
- Process payments — Calculate earnings and process payouts via Stripe
- Track video performance — Fetch metrics from YouTube/TikTok to calculate rewards
- Communicate with you — Account updates, campaign notifications, support
- Prevent fraud — Detect metric manipulation, fake accounts, abuse
- Legal compliance — Tax reporting, regulatory requirements
We do NOT use your data for profiling, automated decision-making, or marketing purposes without explicit consent.
5. Third-Party Data Processors
We share your data only with the following service providers who are essential for our platform:
Stripe
Payment processing - Handles all financial transactions
Location: USA (EU-US Data Privacy Framework)
Neon
Database hosting - Stores your account and platform data
Location: EU (Frankfurt)
Vercel
Application hosting - Serves the platform
Location: Global (EU region primary)
YouTube API / TikTok API
Video metrics - Fetches performance data with your consent
Location: USA (Standard Contractual Clauses)
Resend
Email delivery - Sends transactional emails
Location: USA (EU-US Data Privacy Framework)
We NEVER sell, rent, or share your personal data for marketing purposes.
6. International Data Transfers
Some of our service providers are located outside the EU/EEA. When we transfer your data internationally, we ensure appropriate safeguards:
- EU-US Data Privacy Framework — For providers certified under this framework
- Standard Contractual Clauses (SCCs) — EU-approved contract terms
- Adequacy decisions — For countries deemed adequate by the EU Commission
7. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right of Access
Request a copy of all personal data we hold about you
Right to Rectification
Request correction of inaccurate or incomplete data
Right to Erasure
Request deletion of your data ("right to be forgotten")
Right to Data Portability
Receive your data in a machine-readable format
Right to Object
Object to processing based on legitimate interest
Right to Restrict Processing
Request temporary halt to processing of your data
Right to Withdraw Consent
Withdraw consent at any time (e.g., unlink OAuth accounts)
Right to Lodge a Complaint
File a complaint with your local data protection authority
To exercise any of these rights, contact us at privacy@vectio.app. We will respond within 30 days as required by GDPR.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | As long as your account is active |
| Deleted account data | Deleted within 30 days of account deletion |
| Inactive accounts | Deleted after 2 years of inactivity |
| Transaction records | 5 years (Danish bookkeeping law) |
| Server logs | 90 days |
| Consent records | 3 years after consent withdrawal |
9. Data Security
We implement industry-standard security measures to protect your data:
- All data transmitted via HTTPS/TLS encryption
- Passwords hashed with bcrypt (a one-way hash)
- Database encrypted at rest (via Neon infrastructure)
- Access controls and authentication required for database access
- Regular security monitoring
In the event of a data breach affecting your personal data, we will notify you and the Danish Data Protection Authority within 72 hours as required by GDPR.
10. Children's Privacy
Vectio.app is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@vectio.app, and we will delete such information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For significant changes, we will:
- Update the "Last updated" date at the top
- Notify you via email or in-app notification
- Give you 30 days' notice before material changes take effect
Continued use of the platform after changes constitutes acceptance of the updated policy.
12. Danish Data Protection Authority
If you believe we have violated your privacy rights, you have the right to lodge a complaint with the Danish Data Protection Authority:
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: datatilsynet.dk
13. Contact Us
For questions about this Privacy Policy or to exercise your data rights:
Privacy Inquiries
privacy@vectio.app
General Support
support@vectio.app