// Privacy Policy — content mirrors vantuz-platform/.planning/legal/PRIVACY-POLICY.md
const PRIVACY_SECTIONS = [
{ h: '1. Data we process', blocks: [
'**Account data** (to provide the service, under contract): your email, name, workspace name, plan, and authentication data managed by our identity provider. Integration credentials you connect are encrypted at rest and never shown back to your browser.',
'**Security telemetry** (to detect and respond to intrusions, under legitimate interests): when one of your honeytokens is accessed, we process the source IP address, user agent, timestamp and request metadata, plus enrichment derived from the IP (approximate geolocation, network/ASN, reputation) and incident metadata (risk score, MITRE technique, an AI-generated narrative). We strip sensitive headers (such as Authorization) before storage.',
'**Usage data**: basic logs needed to operate, secure and debug the service.',
'We do not sell personal data. We do not use it for advertising.',
] },
{ h: '2. Why we process it and our legal basis', blocks: [
{ table: {
head: ['Purpose', 'Legal basis (UK/EU GDPR)'],
rows: [
['Providing your account and the platform', 'Contract (Art. 6(1)(b))'],
['Detecting, investigating and containing intrusions (security telemetry)', 'Legitimate interests (Art. 6(1)(f); Recital 49 — network & information security)'],
['Sending service and security emails', 'Contract / legitimate interests'],
['Billing', 'Contract / legal obligation'],
['Security, fraud prevention, debugging', 'Legitimate interests'],
],
} },
'Our Legitimate Interest Assessment is available to regulators on request.',
] },
{ h: '3. Data residency and sub-processors', blocks: [
'We aim to keep security telemetry processed within the UK/EEA. We use the following sub-processors:',
{ table: {
head: ['Sub-processor', 'Purpose', 'Location'],
rows: [
['Supabase', 'Authentication and database', 'EU'],
['Railway', 'Application hosting', 'EU West (Amsterdam)'],
['Vercel', 'Frontend/site hosting', 'Global edge'],
['Cloudflare', 'DNS, CDN, WAF, edge worker', 'Global edge'],
['Upstash', 'Job queue (Redis)', 'Ireland (eu-west-1)'],
['Resend', 'Transactional email', 'Ireland (EU)'],
['Anthropic', 'AI incident narrative', 'United States'],
['VirusTotal, AbuseIPDB, Shodan', 'IP reputation enrichment', 'United States'],
],
} },
'Where data is transferred outside the UK/EEA (e.g. AI narrative and IP enrichment), we rely on appropriate safeguards (UK IDTA / EU Standard Contractual Clauses) and minimise the data transferred.',
] },
{ h: '4. Retention', blocks: [
'Account data: for the life of your account and as required by law afterward. Security telemetry: up to 12 months, then deleted or anonymised, unless a longer period is needed for an active security or legal matter or agreed by contract.',
] },
{ h: '5. Your rights', blocks: [
'Under UK/EU GDPR you may request access, rectification, erasure, restriction, portability, and you may object to processing based on legitimate interests. To exercise any right, email privacy@vantuz.co. You also have the right to complain to the UK Information Commissioner’s Office (ico.org.uk) or your local supervisory authority.',
'A note on security-incident data: if you are an individual whose IP appears in incident telemetry because a decoy was accessed, you may object; we will assess each request, balancing your rights against the security interest, and respond.',
] },
{ h: '6. Security', blocks: [
'We protect data with encryption in transit and at rest (AES-256-GCM for integration credentials), strict tenant isolation, access controls, optional two-factor authentication, and regular security testing.',
] },
{ h: '7. Children', blocks: [
'The service is not directed to children and is for business use only.',
] },
{ h: '8. Changes and contact', blocks: [
'We will post changes here and update the effective date. Questions or requests: privacy@vantuz.co. Controller: Vantuz Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ.',
] },
{ h: '9. Collective security learning (anonymized)', blocks: [
'To improve detection and hardening recommendations for all customers, Vantuz may learn from **anonymized, aggregated patterns** derived from incidents — for example, which decoy type was triggered, the coarse attack surface, a risk band, and the categories of recommended actions. This learning is **internal only**. We never sell or share it, and it **never includes** your name, email, IP addresses, domains, internal URLs, secrets, exact token names, or any identifier that could link a pattern back to you. A workspace is represented only by an irreversible hash bucket, and aggregates are used only above a minimum-volume threshold so no individual record is identifiable.',
'You can **opt out** of contributing to collective learning at any time in your environment profile settings. Opting out does not reduce the protection you receive. Collective patterns may refine our recommendation priors and confidence calibration, but never drive an automatic or destructive action and never disclose that "another customer saw X".',
] },
];
function PrivacyPage() {
return (
);
}
ReactDOM.createRoot(document.getElementById('root')).render();