Privacy Policy

Who we are

Scope

This Policy covers personal information we process as a controller (e.g., our website visitors, prospective and current clients, vendors, and annotators), and personal information we process as a processor/service provider on behalf of our clients (e.g., datasets supplied by clients for evaluation, labeling, review, or other post-training activities).

When acting as a processor, we process personal information pursuant to our contract with the client and their instructions; clients remain responsible for providing any required notices to individuals.

Information we collect

We may collect the following categories of personal information:

1. Website & Communications Data – device identifiers, IP address, general location, pages viewed, referring URLs, cookies and similar technologies, and any information you send us via forms or email.
2. Account & Business Contact Data – name, email, phone, job title, company, billing details, and authentication information for Vetto accounts.
3. Annotator/Contributor Data – application details, background/skills information, identity verification data as legally required, work history, and work product metadata (e.g., time spent, quality metrics).
4. Operational & Security Data – logs, diagnostics, and telemetry used to provide, secure, and improve our services.
5. Client-Provided Data – any personal information contained within datasets clients supply for annotation, evaluation, red-teaming, or related services (e.g., text, images, audio, video, or other content). We process these datasets only under our clients' instructions.

We do not intentionally collect sensitive personal information unless required for specific projects or compliance (e.g., workforce eligibility checks), and then only with appropriate safeguards and minimization.

Sources of information

• Directly from you (forms, email, chat, or during contracting).
• Automatically from your device/browser when you use our websites or services.
• From clients or partners who provide datasets or business contact details.
• From service providers supporting background checks or identity verification when legally required.

How we use information (purposes and legal bases)

We use personal information to:

• Provide and operate our services (contractual necessity/GDPR Art. 6(1)(b)).
• Secure, monitor, and improve our services, infrastructure, and quality (legitimate interests/Art. 6(1)(f)).
• Manage relationships with clients, vendors, and annotators, including payments (contract/legitimate interests).
• Comply with legal obligations and enforce our agreements (legal obligation/Art. 6(1)(c)).
• Communicate about updates, opportunities, and security or service notices (legitimate interests/consent where required).
• Processor role: when processing client-provided data, we act on the client's documented instructions and for their specified purposes.

For Brazil (LGPD), we rely on bases such as performance of contract, compliance with legal/regulatory obligations, and legitimate interest, and on consent where required.

Cookies and similar technologies

We use necessary cookies for site operation and may use analytics cookies to understand usage and improve services. Where required, we obtain your consent for non-essential cookies. You can manage preferences via your browser settings or our cookie banner (where available).

Disclosures of personal information

We may disclose personal information to:

• Service providers/Processors that help us host, secure, monitor, test, and deliver services (e.g., cloud hosting and deployment, security scanning, code quality, dependency management). Our core stack includes AWS and Vercel for hosting and delivery; security tooling may include WAF, AWS Inspector, Beagle, SonarQube, and Dependabot.
• Professional advisors (legal, accounting) under confidentiality.
• Authorities where required by law or to protect rights and safety.
• Business transfers in connection with a merger, acquisition, or similar transaction with appropriate safeguards.

No sale or cross-context behavioral sharing

We do not sell personal information and we do not share personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.

Sub-processors (for client data)

We use vetted sub-processors to provide infrastructure and security capabilities. A current list is available on request at privacy@vetto.ai. Clients may subscribe to change notifications via that page or by contacting us.

International transfers

We may transfer personal information to countries other than the one it was collected in, including the United States. We use appropriate safeguards for international transfers, such as contractual protections (e.g., Standard Contractual Clauses) and technical measures (e.g., encryption in transit and at rest). Where required, we will appoint an EU/UK representative and post their contact details in this Policy.

Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including (as applicable): network and application firewalls/WAF, least-privilege access controls, strong authentication and password standards, vulnerability scanning and remediation (e.g., AWS Inspector), code quality and dependency scanning (e.g., SonarQube, Dependabot), logging/monitoring, and encryption in transit and at rest. We require our service providers to implement appropriate security measures as well.

We regularly review access rights, maintain incident response procedures, and test our backups and recovery processes as part of our Business Continuity and Disaster Recovery program.

Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy or as required by law or contract. For client datasets processed for annotation/evaluation and similar services, our standard retention period is up to 60 months unless a shorter period is specified by contract or law. Upon contract end or at the client's instruction, we delete or return personal information and securely dispose of any remaining copies consistent with our Data Retention & Destruction Policy.

Your choices & controls

• Opt-out of non-essential cookies/analytics: use your browser settings or our cookie banner where available.
• Marketing: you can unsubscribe from emails using the link in the message or by writing to contact@vetto.ai.
• Access, delete, or correct your data: email privacy@vetto.ai.
• Client datasets: contact the client that provided the data; we will support them as required.

Your privacy rights

Depending on your location, you may have rights to request:

• Access to your personal information
• Correction or updating of data
• Deletion of your information
• Data portability
• Restriction or objection to processing
• Rights related to automated decision-making (where applicable)

Children's privacy

Our services are not directed to children and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact privacy@vetto.ai so we can take appropriate action.

U.S. state privacy disclosures (including California)

If you reside in a U.S. state with a comprehensive privacy law (e.g., California, Colorado, Connecticut, Virginia, Utah), you may have rights to access, delete, correct, or obtain a portable copy of your personal information, and to opt out of targeted advertising and certain profiling.

California (CCPA/CPRA): For our own website and account data we act as a "business"; for client datasets we act as a "service provider/contractor." We do not sell personal information and do not share it for cross-context behavioral advertising.

Brazil (LGPD) — Additional notice

For individuals in Brazil, you have rights to confirm processing, access, correction, anonymization/blocking/deletion of unnecessary or excessive data, portability, information about shared use, and revocation of consent, among others.

To exercise your rights, email privacy@vetto.ai. You may also contact the ANPD or another competent authority.

Glossary (plain-language)

Controller:

decides why and how personal information is processed.

Processor/Service Provider:

processes personal information on behalf of a controller.

Personal information:

any information that identifies or relates to an identifiable person.

Client-provided data:

datasets and content supplied by clients for our services.

Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will post the updated Policy. We encourage you to review this Policy periodically.