Legal

Privacy Policy

Last updated:

1. Who we are

VisionLabs ("we", "us", "our") operates the website at visionlabs.studio and the connected workspace and studio products (collectively, the "Services"). For the purposes of EU and UK data-protection law, VisionLabs is the data controller for the personal data described in this policy.

Contact: info@visionlabs.studio.

2. What data we collect

AccountEmail address, display name, bcrypt-hashed password, email-verification status, plan tier

Service usageChat messages you send, AI responses, conversation titles, monthly message count, monthly image-generation count, brand facts you've shared (stored as structured JSON to avoid re-typing)

AttachmentsImages and PDFs you upload or drop into the chat. Stored in our Supabase Storage bucket and transmitted to Anthropic / FAL as needed to produce a response.

Generated assetsImages, palettes, brand guide DOCX files, hand-off ZIPs and banner PNGs we generate on your behalf. Stored so you can re-download them.

Project workspacesProject names, colors, and per-project brand facts (Pro+ feature).

BillingSubscription status, plan tier, Stripe customer ID, Stripe subscription ID. Payment card data is handled by Stripe — we never see or store it.

TechnicalIP address (for rate-limiting and abuse prevention), browser user-agent, failed-login attempts, audit log of security-sensitive actions (sign-in, sign-out, password change, plan change, etc.)

CommunicationsEmails you send us, support exchanges

3. Why we use it & legal basis

To provide the Service (account creation, login, chat, billing) — legal basis: performance of a contract with you.
To prevent abuse and secure the Service (rate-limiting, blocking malicious traffic) — legal basis: legitimate interests.
To comply with tax and accounting law (retaining invoices) — legal basis: legal obligation.
To send transactional email (sign-up verification, password reset, billing notifications) — legal basis: performance of a contract.

We do not send marketing email without your explicit opt-in. We do not sell your data to third parties. Ever.

We use the following carefully selected processors to run the Service. Each is bound by a Data Processing Agreement and (where applicable) Standard Contractual Clauses.

SupabasePostgres database hosting (account, conversations, usage, brand facts, attachments). EU region (Frankfurt).

VercelWeb hosting and edge compute for the marketing site, workspace app and vector Studio.

AnthropicProvides the Claude language models (Haiku, Sonnet, Opus) that power the swarm agents. Your chat messages, attached images and PDFs are transmitted to Anthropic to generate responses. Anthropic does not use this data to train their models.

FAL.aiImage generation (FLUX, Recraft V4, Ideogram). When you trigger an image generation, the prompt is transmitted to FAL to render the image.

ResendTransactional email delivery (verification, password reset, billing, notifications). EU region.

StripePayment processing for paid subscriptions. Stripe is the controller of your payment-card data; we only store a customer ID and subscription status.

UpstashRedis-based rate limiting (counting requests per user to prevent abuse). EU region. Only stores a user identifier + counter, no chat content.

Cloudflare TurnstileBot / spam protection on the sign-up form. Privacy-friendly alternative to reCAPTCHA — no tracking cookies, no personal data shared with Cloudflare beyond IP + browser fingerprint at the moment of signup.

5. International transfers

Some of our sub-processors (notably Anthropic and Stripe) are headquartered in the United States. Where personal data is transferred outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses and equivalent safeguards. You can request a copy of the relevant SCCs by emailing us.

6. How long we keep it

Account data: until you delete your account.
Chat messages and conversations: until you delete the conversation, or until you delete your account.
Usage logs: 13 months (rolling, for the calendar-month rate-limit mechanism).
Billing records: 7 years (statutory retention period for EU/NL invoicing law).
Server logs: 30 days for security/abuse purposes.

7. Your rights under the GDPR

If you are in the EU, EEA or UK, you have the following rights regarding your personal data:

Access — request a copy of the data we hold about you.
Rectification — correct inaccurate data (also doable in your account settings).
Erasure — delete your account and all associated data (doable in settings; also email us if you need help).
Portability — receive your data in a machine-readable format.
Restriction — ask us to limit how we use your data.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing relies on consent.
Lodge a complaint with your local supervisory authority (in the Netherlands, this is the Autoriteit Persoonsgegevens).

Email info@visionlabs.studio to exercise any of these rights. We respond within 30 days.

8. Cookies & sessions

We use the following strictly necessary cookies:

Auth session — a signed JWT cookie that keeps you logged in. Expires after 30 days of inactivity.
CSRF token — protects against cross-site request forgery on form submissions.
Theme preference — stored locally in your browser (localStorage), never sent to our servers.

We do not currently use any analytics, advertising or tracking cookies. If we add analytics in the future, we will use a privacy-respecting tool (e.g. Plausible or Vercel Analytics) and update this policy.

9. Security

We take security seriously:

Passwords are hashed with bcrypt (cost factor 11). Plaintext passwords are never stored.
All traffic to and from our Services is encrypted with TLS.
API keys and secrets are stored in encrypted server-side environment variables, never in client code or logs.
Webhook integrations (e.g. Stripe) are signed and signature-verified server-side.
Database access is restricted to our application's service role; no public access.

No system is unbreachable. If you suspect a security issue, please email us at info@visionlabs.studio.

10. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with data, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email to active account holders at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

12. Contact us

Privacy questions, access requests, complaints: info@visionlabs.studio.