Introduction

This policy explains how VanticLab (our website, domain, and company) and Vantic Agent (our application, software, and chat interface) collect, use, store, and protect your data. We've written it in plain language so you can understand what happens with your information.

VanticLab is our SaaS website where you can learn about our services, sign up for an account, and access support.

Vantic Agent is an internal-facing digital coworker application that learns from your screen activity to help identify workflow friction and reduce cognitive overload.

Your privacy and control over your data are fundamental to how we operate. This policy covers both the website and the application.

1. What We Collect

This section covers data collection for both VanticLab (the website) and Vantic Agent (the application).

1A: VanticLab Website

1.1 Website Usage Data

When you visit the VanticLab website, we may collect browser information (browser type, version, language), device information (device type, operating system, screen resolution), IP address (anonymised where possible), pages visited and time spent on pages, referral sources (how you found our website), and click patterns and navigation paths. This information helps us understand how visitors use our website and improve the user experience.

1.2 Cookies and Tracking Technologies

We use cookies and similar technologies to remember your preferences and settings, analyse website traffic and usage patterns, and provide essential website functionality. You can control cookies through your browser settings. Some features may not work if you disable cookies.

1.3 Contact and Account Information

When you interact with VanticLab, we collect your email address (when you sign up, contact us, or subscribe to updates), name and contact details (if you provide them in contact forms), account information (if you create an account to access Vantic Agent), and authentication provider information (if you sign up using OAuth, such as Google or GitHub).

1.4 Support and Communication

If you contact us for support or inquiries, we collect your contact information, the content of your messages, any attachments you send, and communication history.

1B: Vantic Agent Application

1.5 Screen Observations (Vantic Agent Only)

When you enable context gathering in Vantic Agent, the application captures text content extracted from visible applications on your screen, application names (such as Chrome, Xero, or Gmail), window titles (such as "Invoice #1234 - Xero"), timestamps of when observations occur, and basic metadata about your workflow patterns.

1.6 What Vantic Agent Does Not Collect

We explicitly do not collect raw screenshots or images—only text extracted via OCR is processed. We do not collect audio or video recordings. We do not collect content from excluded applications—apps you exclude are never captured. We do not collect passwords or authentication credentials—these are automatically masked through pattern recognition and autonomous learning. We do not collect content from password managers or banking applications—these are excluded by default. We do not collect personal files or documents unless you explicitly upload them.

1.7 Manual Uploads (Vantic Agent Only)

You can manually upload text files, transcripts, or documents to provide context in Vantic Agent. These are treated the same way as automatic observations: encrypted and stored securely.

2. How We Process Your Data

This section explains how we process data for both VanticLab and Vantic Agent.

2A: VanticLab Website

2.1 Website Data Processing

Website usage data is processed to analyse website performance and user experience, improve website functionality and content, respond to support requests and inquiries, manage your account and authentication, and send important updates (only if you've opted in). We use standard web analytics tools and may use third-party services for analytics, hosting, and support.

2B: Vantic Agent Application

2.2 Local Processing (Primary)

All Vantic Agent observation data is initially processed locally on your device. Screen capture occurs on your device. OCR (text extraction) happens locally using Tesseract.js. Sensitive field masking is applied automatically before storage through pattern recognition and autonomous learning. Raw images are discarded immediately after text extraction—we never store screenshots.

2.3 Cloud Processing

When you use Vantic Agent, we may send text-only, filtered output to cloud services for summarisation of workflow patterns, semantic classification of tasks, theme extraction from sequences, and AI-powered responses to your queries.

Important restrictions: We never send screenshots or pixel data. We never send unfiltered content. AI providers only receive your current prompt, relevant conversation history from the current session, any documents you've explicitly attached or referenced, and system context needed to understand your business setup. Your broader client data stored in our databases is not sent—only the specific content relevant to your query. You can request Australian-only processing at any time.

2.4 Intelligence Generation (Vantic Agent Only)

From your observations, we generate workflow patterns (sequences of tasks you perform), friction signals (indicators of manual load, context switching, backtracking, data fragmentation, and waiting time), insights (daily and weekly summaries of your work patterns), and recommendations (suggestions for reducing workflow friction). All intelligence is derived from your observed activity, not from external integrations or third-party data sources.

2.5 No Training on Your Data

Your data is never used to train any AI models. It is used exclusively to provide you with a personalised experience within Vantic Agent.

3. How We Store Your Data

3.1 Website Data Storage

VanticLab website data is stored securely using industry-standard practices. Account information is stored in secure databases. Contact form submissions are stored temporarily for support purposes. Analytics data is anonymised and aggregated where possible. Website data is retained according to our data retention policies.

3.2 Vantic Agent Data Encryption

All Vantic Agent observation data is encrypted at rest using AES-256 encryption (AES-GCM mode). Your data is encrypted before being stored in the database. Each user's data is encrypted with appropriate key management. Encryption keys are managed securely via AWS KMS (ap-southeast-2 region) with quarterly rotation and are never stored alongside your data.

3.3 Storage Location

Primary storage: Your observations are stored in MongoDB Atlas in the Sydney region (ap-southeast-2). Local-first option: For local-first mode, processing and encryption occur on your device with encrypted cache storage. No cloud storage of screenshots: Raw images are never stored—only text-derived content.

3.4 Data Retention

For website data, account information is retained while your account is active. Contact form submissions are retained for support purposes and then deleted. Analytics data is anonymised and aggregated.

For Vantic Agent data, your observations are retained until you delete them. You can delete observations by date range or delete all observations at any time. Deleted observations are permanently removed from our systems. Account deletion removes all associated data within 90 days unless longer retention is required by law.

4. Your Privacy Controls

4.1 Website Controls

For VanticLab Website, you can control cookies through your browser settings. You can opt out of marketing communications (if applicable). You can delete your account through account settings. You can request deletion of your contact information.

4.2 Vantic Agent Capture Controls

For Vantic Agent Application, you have full control over when and what is captured. Start/Stop Toggle allows you to pause or resume context gathering at any time from the menu bar icon. App Exclusions let you exclude specific applications from capture (such as banking apps, password managers, or personal browser profiles). Multi-Monitor Control allows you to choose which screens to monitor on dual-screen setups. Default Exclusions mean banking and password manager applications are excluded by default.

4.3 Vantic Agent Data Management

You can manage your data through Selective Deletion (delete observations by date range—last hour, last day, or custom range), Complete Deletion (delete all observations at once), Data Export (export all your data anytime in machine-readable format), and Account Deletion (request full account and data deletion through account settings or support).

4.4 AI Processing Control (Vantic Agent Only)

For clients requiring strict data sovereignty, we can configure Australian-only AI processing using self-hosted models (Ollama and AnythingLLM). This keeps 100% of AI processing in Australia, though with some trade-offs in performance compared to frontier models. Contact team@vanticlab.com to discuss data residency configurations.

5. Security Measures

5.1 Website Security

VanticLab Website is protected by HTTPS/TLS 1.3 encryption for all website communications, secure authentication for account access, regular security updates and monitoring, and protection against common web vulnerabilities.

5.2 Application Authentication

Vantic Agent requires authentication via Supabase with enterprise-grade security, session-based authentication with secure JWT token management, MFA enforcement and role-based access controls, and no automatic fallback to unauthenticated access in production.

5.3 Encryption Standards

At rest: AES-256 encryption for all observation data, including backups and analytics snapshots. In transit: TLS 1.3 enforced end-to-end (end-user to Vercel to Supabase to MongoDB Atlas to AI providers). Key management: Encryption keys are managed via AWS KMS (ap-southeast-2) with quarterly rotation. Secrets are managed through Doppler secret manager with environment-specific scopes. Local cache: Local-first mode stores data in OS-provided encrypted vaults (macOS Keychain, Windows DPAPI).

5.4 Access Controls

Both VanticLab and Vantic Agent implement user isolation (each user can only access their own data), rate limiting (API endpoints are rate-limited to prevent abuse), input validation (all user inputs are validated and sanitised), role-based permissions with granular controls, and monthly access reviews by engineering and security leadership.

5.5 Security Practices

No insecure fallbacks: Production deployments require valid encryption keys and authentication. Regular security updates: Dependencies are kept up to date with automated security patch management. Error handling: Security-sensitive errors are logged without exposing sensitive information. Environment separation: Strict separation between development, staging, and production environments with no customer data in non-production environments.

6. How We Use Your Data

6.1 Website Data Usage

We use VanticLab website data to provide and improve website functionality, respond to your inquiries and support requests, manage your account and authentication, analyse website usage to improve user experience, and send important updates (only if you've opted in).

6.2 Vantic Agent Data Usage

We use your Vantic Agent data solely to provide workflow insights and friction analysis, generate personalised recommendations, support you through the conversational interface, and improve your work patterns and reduce cognitive overload.

6.3 What We Do Not Do

For both VanticLab and Vantic Agent, we do not sell your data to third parties. We do not share your data with external parties except as required to provide the service or as required by law. We do not use your data for advertising or marketing. We do not use your data to train AI models. We do not act on your behalf externally without your explicit permission. We do not access excluded applications or content you've marked as private (Vantic Agent).

6.4 Internal-Facing Only (Vantic Agent)

Vantic Agent is designed for internal operations only. We never contact customers or external parties on your behalf. We never access external business systems without permission. We never perform actions in third-party applications without your approval.

7. Data Sharing and Third Parties

7.1 No Data Sales

We do not sell, rent, or trade your personal information or observation data.

7.2 Service Providers

We use third-party services to operate VanticLab and Vantic Agent. All service providers meet minimum security requirements including SOC 2 Type II compliance (minimum), encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256 or equivalent), and contractual confidentiality obligations.

For VanticLab Website, we use website hosting and infrastructure (Vercel), analytics services (to understand website usage), and support and communication tools.

For Vantic Agent, our infrastructure includes:

Cloud Infrastructure:

• Database: MongoDB Atlas (Australia, ap-southeast-2 region) for primary data storage

• Authentication: Supabase for user authentication and token management

• Application Hosting: Vercel (global edge network)

• CDN: Cloudflare for public content only (authenticated routes bypass CDN)

• Email: Resend for transactional emails only (password resets, notifications)

AI Processing Providers:

• United States: OpenAI (GPT models), Anthropic (Claude models), xAI (Grok), Google AI Studio (Gemini models), Groq (inference layer), Cohere (embeddings)

• European Union (France): Mistral AI (GDPR-compliant alternative)

• Australia: Ollama and AnythingLLM (self-hosted option for complete data sovereignty)

All AI providers operate under no-training policies for API customers. Your data is never used to train their models.

7.3 Subprocessor Changes

We'll give you at least 30 days' notice before adding any new subprocessor that will process your client data. You'll be notified via email to your account administrator, update to our subprocessor page, and in-app notification banner.

If you reasonably object to a new subprocessor on data protection grounds (security concerns, jurisdictional issues, regulatory conflicts), notify us in writing within 15 days. We'll work with you in good faith to find an alternative solution or, if we can't resolve it, you can terminate your subscription without penalty.

7.4 Legal Requirements

We may disclose your data if required by law, court order, or government regulation, but only to the extent necessary to comply with such requirements.

8. Your Rights

8.1 Access

For VanticLab Website, you can access your account information through account settings. You can contact us to request access to your website data.

For Vantic Agent, you can access your data through the conversational interface (ask about your observations), privacy controls (view excluded apps, deletion history), and account settings (view account information).

8.2 Correction

For VanticLab Website, you can correct your account information through account settings. Contact us to correct any website-related data.

For Vantic Agent, you can correct your account information through account settings. Observation data cannot be edited, but you can delete incorrect observations and add new ones.

8.3 Deletion

For VanticLab Website, you can delete your account through account settings. You can request deletion of contact form submissions by contacting support.

For Vantic Agent, you can delete specific observations by date range, delete all observations, and delete your account and all associated data. All deletion requests are processed immediately and permanently.

8.4 Portability

For VanticLab Website, you can request export of your account data through support.

For Vantic Agent, you can export your observation data by requesting it through support or using the export feature. We will provide your data in a machine-readable format.

8.5 Objection

For VanticLab Website, you can opt out of marketing communications (if applicable), control cookies through browser settings, and delete your account.

For Vantic Agent, you can object to data processing by disabling context gathering, excluding specific applications, requesting Australian-only processing, and deleting your account.

9. Children's Privacy

Neither VanticLab nor Vantic Agent is intended for use by individuals under the age of 18. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

10. International Data Transfers

10.1 Where Your Core Data Lives

All client operational data (workflows, configurations, business information, conversation history) is stored in MongoDB Atlas Sydney region (ap-southeast-2). This ensures data remains under Australian jurisdiction and subject to Australian Privacy Principles.

10.2 Where Data Travels for Processing

AI processing may route through United States (OpenAI, Anthropic, xAI, Google AI Studio, Groq, Cohere), European Union/France (Mistral AI for GDPR-compliant processing), or Australia (self-hosted Ollama/AnythingLLM for complete data sovereignty).

Other services such as Supabase (authentication), Resend (transactional emails), and Vercel (application hosting) are located in the United States. Cloudflare CDN operates globally but only handles public marketing content—authenticated routes bypass CDN entirely.

10.3 Data Sovereignty Options

Standard Configuration provides core data stored in Australia (MongoDB Atlas Sydney) with AI processing routed to optimal providers based on task complexity, data sensitivity, and speed requirements.

Australian-Only Configuration provides core data stored in Australia with AI processing only through self-hosted models. This ensures 100% Australian data residency but with some performance trade-offs compared to frontier models. This option is best suited for highly regulated industries, government contractors, or absolute data sovereignty requirements.

All international transfers are subject to appropriate safeguards, including encryption and contractual protections.

11. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will notify you as soon as practicable after becoming aware of the breach, provide details about what information was affected, explain the steps we're taking to address the breach, and advise on steps you can take to protect yourself.

12. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or in-app notification, update the "Last Updated" date at the top of this policy, and provide a summary of changes when material updates are made.

Your continued use of VanticLab or Vantic Agent after changes become effective constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this policy or your data:

Email: support@vanticlab.com
Technical Security Inquiries: team@vanticlab.com
In-app: Use the conversational interface to ask privacy-related questions
Account Settings: Access privacy controls through the settings icon

We aim to respond to all privacy inquiries within 5 business days.

VanticLab Pty Ltd
ACN: 679 533 076

Registered Address:
Shop 2/290 Boundary Street,
Spring Hill QLD 4000, Australia

Website: www.vanticlab.com

Phone: +61 406 781 569

14. Australian Privacy Principles

While we strive to align with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), this policy is written in plain language for clarity. For formal compliance status or specific legal questions, please contact us directly.

Summary

VanticLab Website

What we collect: Website usage data, contact information, account details. How we protect it: HTTPS/TLS 1.3 encryption, secure authentication, industry-standard security practices. Your control: Cookie controls, opt-out options, account deletion.

Vantic Agent Application

What we collect: Text from your screen (when you enable it), application names, window titles, timestamps. How we protect it: AES-256 encryption at rest, TLS 1.3 in transit, local-first processing option, no raw screenshots stored, secure authentication, data stored in Australia (MongoDB Atlas Sydney). Your control: Start/stop capture, exclude apps, multi-monitor control, delete data by timeframe, Australian-only processing option, export your data, delete your account.

What we don't do (both): Sell your data, share with third parties for their purposes, use your data for advertising, train AI models on your data, access excluded apps (Vantic Agent), act externally without permission.

Our commitment: Your privacy and control are fundamental. We're transparent about what we do, and you're always in control.

This policy is effective as of the date listed above. By using VanticLab or Vantic Agent, you acknowledge that you have read and understood this policy.