Privacy Policy

Last updated May 22, 2026

This Privacy Policy explains what personal data Vaia.Space collects, why we collect it, how we use it, with whom we share it, and the rights you have over it. It applies to the website at vaia.space, the application at app.vaia.space, and any related services (collectively, the "Service").

We aim to be specific rather than open-ended. Where this Policy lists the OAuth scopes or integration permissions we request, we request only those scopes and will update this Policy before requesting additional ones.

1. Who is responsible for your data

Vaia is the company behind Vaia.Space, based in Novi Sad, Serbia. Our contact address for privacy matters is [email protected].

Vaia plays one of two roles depending on the data:

  • Controller for account-level data (your name, email, sign-in identifiers, billing-related data, support correspondence, telemetry of the website and app).
  • Processor for workspace data your organization records in the Service (time logs, projects, notes, leave records, HR records, integration content). For this data, your organization is the controller and instructs us through its use of the Service and through any data processing agreement we have signed with it.

2. Information we collect

2.1 Information you provide directly

  • Account information: name, email address, optional profile photo, language and timezone preferences, optional position and short bio.
  • Workspace content: anything you record in the Service — time logs, projects and tasks, notes, reminders, leave requests, HR records, files, comments, and similar.
  • Communications: messages you send us by email or via in-product feedback.
  • Waitlist: if you submit your email through the waitlist on our marketing site, we store it in Airtable until you are onboarded or you ask us to delete it.

2.2 Information from your sign-in provider

When you choose to sign in with Google or Microsoft, the provider shows you a consent screen listing exactly what we receive. We request only the following:

  • Sign in with Google — OAuth scopes openid, email, profile. Vaia.Space receives your Google account identifier, primary email address, name, profile picture, and locale. Vaia.Space does not request and does not have access to your Gmail, Google Calendar, Google Drive, Contacts, or any other Google service.
  • Sign in with Microsoft — OAuth scopes openid, email, profile, User.Read. Vaia.Space receives your Entra ID object identifier, primary email/UPN, display name, and profile photo. Vaia.Space does not request and does not have access to your Outlook mail, Calendar, OneDrive, Teams messages, SharePoint, or any other Microsoft 365 data.

You can revoke our access at any time from Google Account permissions or Microsoft Account permissions.

2.3 Information from integrations you authorize

  • Slack. When your administrator installs the Vaia.Space Slack app, we receive your Slack workspace identifier, the bot token issued to Vaia.Space, the names and IDs of channels you select for delivery, and the names and IDs of users we resolve in order to route mentions and deliveries. We request only the scopes needed to post messages and resolve names — typically chat:write, channels:read, groups:read, users:read, and users:read.email. We do not request the channels:history, groups:history, im:history, or mpim:history scopes, and we therefore cannot read the contents of any channel, including channels we post to. Uninstalling the Slack app revokes the bot token immediately.
  • Future integrations. When we introduce a new integration, the provider's consent screen will list the exact scopes we request and this section will be updated to describe what we receive and how we use it.

2.4 Information collected automatically

  • Technical data: IP address, browser and device type, operating system, language, referrer URL, timestamps of requests, and error logs. We use this to operate, secure, and debug the Service.
  • Cookies and similar: a session cookie that keeps you signed in, a preferences cookie for language selection, and — only after you consent — a Google Analytics cookie used to measure aggregate site usage on the marketing site. The consent banner is shown on first visit and your choice is stored locally; you can change it from the banner at any time.

3. How we use information

  • Provide the Service — authenticate you, maintain your account, render the workspace you belong to, process the actions you take.
  • Operate and secure the Service — detect abuse, prevent fraud, rate-limit and block automated attacks, investigate incidents, maintain backups.
  • Communicate with you — send sign-in codes, transactional notifications, in-product messages, and (where permitted) product announcements you can unsubscribe from at any time.
  • Improve the Service — analyze aggregate, non-identifying usage patterns and crash reports to identify bugs and improve features.
  • Comply with the law — meet legal obligations (for example, tax records or responding to lawful requests from authorities).

We do not sell personal data. We do not use Customer Content (your time logs, notes, files, integration content, or any other data your organization records in the Service) to train artificial intelligence or machine learning models, and we do not share it with any third party for that purpose.

4. Legal bases for processing (EEA / UK)

If you are in the EEA or UK, the lawful bases we rely on are:

  • Performance of a contract — providing the Service to you and to your organization (Article 6(1)(b) GDPR).
  • Legitimate interests — securing the Service, preventing abuse, debugging, and limited product analytics (Article 6(1)(f) GDPR). You can object at any time.
  • Consent — for optional analytics cookies and for marketing communications, where applicable (Article 6(1)(a) GDPR). You can withdraw consent at any time.
  • Compliance with legal obligations — Article 6(1)(c) GDPR.

5. How we share information

We share personal data only with:

  • Your workspace. Members and administrators of the workspace you belong to can see the workspace data you contribute, in accordance with the role assigned to them.
  • Service sub-processors acting on our instructions and under written data-processing terms, including:
    • cloud hosting and database providers;
    • authentication providers you choose to use (Google, Microsoft);
    • integration providers your organization installs (e.g., Slack);
    • email-delivery providers for transactional emails;
    • Airtable, used solely for the marketing-site waitlist;
    • Google Analytics, used only after you consent, on the marketing site.
    A current list of sub-processors is available on request at [email protected].
  • Legal and safety. Authorities or other third parties when we believe in good faith that disclosure is required by law, or necessary to protect the rights, property, or safety of Vaia, our users, or others.
  • Corporate transactions. A successor entity in the event of a merger, acquisition, or sale of assets, subject to commitments at least as protective as this Policy.

6. International data transfers

We are based in Serbia. Some of our sub-processors are located in the European Economic Area, the United Kingdom, or the United States. When personal data is transferred outside the country where it was collected, we use safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms required by applicable law.

7. How long we keep data

  • Account data: for as long as your account exists, plus up to ninety (90) days after deletion to allow for accidental-deletion recovery, then permanently removed from primary systems.
  • Workspace data (Customer Content): until your organization deletes it or until your workspace is closed, plus the same ninety-day window.
  • Backups: retained for up to thirty-five (35) days and then overwritten on rotation.
  • Operational logs: retained for up to thirty (30) days, except security-relevant logs which may be retained for up to twelve (12) months.
  • OAuth refresh tokens: retained only while the corresponding sign-in or integration is active. Tokens are encrypted at rest and are never written to application logs.
  • Waitlist entries: until you are onboarded or until you ask us to delete the entry.

We may retain information longer where required by law (for example, accounting and tax records) or where reasonably needed to resolve disputes and enforce our agreements.

8. Your rights

Subject to applicable law (including the GDPR), you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate or incomplete personal data;
  • request deletion of your personal data ("right to be forgotten");
  • request a copy of your data in a portable, machine-readable format;
  • request that we restrict certain processing, or object to it;
  • withdraw any consent you previously gave us;
  • lodge a complaint with a data-protection supervisory authority in the country where you live or work (for example, in Serbia, the Commissioner for Information of Public Importance and Personal Data Protection).

If your data sits in a workspace administered by your organization, we will route requests to your administrator where appropriate, since they are the controller for that workspace. To exercise your rights, write to [email protected].

9. Security

We take reasonable and appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS), encryption at rest for stored credentials and OAuth refresh tokens, scoped access tokens that we do not log, access controls and least-privilege principles for our staff, and routine vulnerability and dependency scanning. No system is perfectly secure; we will notify affected users and relevant authorities of any personal-data breach in line with applicable law.

10. Children

The Service is intended for use in a professional context and is not directed at children. We do not knowingly collect personal data from anyone under the age of sixteen (16). If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Automated decisions and AI

We do not use personal data for solely automated decision-making that produces legal or similarly significant effects on you. We do not use Customer Content to train third-party AI models, and we do not share Customer Content with third-party AI providers without your or your organization's explicit instruction.

12. Changes to this Policy

We may update this Policy from time to time. Material changes — in particular, any expansion of OAuth scopes, integration permissions, sub-processors, or retention windows — will be announced by email or in-product notice. The most current version is always available at https://vaia.space/privacy.

13. Contact

Questions about this Privacy Policy, or requests to exercise your rights, can be sent to [email protected].
