Privacy Policy

Contact us any time at info@freshvista.ai. We handle a range of personal information—including protected health information (PHI), financial data, and biometric data—and we design our Services with privacy-safe defaults. When we process PHI for healthcare customers, we do so under HIPAA and a signed Business Associate Agreement (BAA). For EU/EEA personal data we follow GDPR, and when we act as a processor for business customers we operate under a signed Data Processing Addendum (DPA).

Industry note: our Services are not intended for military or defense uses. Please review our Terms of Service for other prohibited uses.

Plan-specific safeguards: every plan includes encryption in transit and at rest, role-based access with least privilege, and continuous monitoring. Enhanced contractual protections—such as HIPAA BAAs or GDPR DPAs—are available only on eligible Business/Enterprise plans. Lower tiers are not designed or permitted for PHI or other regulated data.

PHI may be uploaded only on HIPAA-enabled plans after a BAA is executed. EU/EEA personal data processed on behalf of an organization requires a signed DPA before data enters Business/Enterprise workspaces. If no BAA/DPA is in place (as applicable), do not upload PHI, special-category data, or other regulated data; such content may be removed.

By using the Services you acknowledge this Privacy Policy and our Terms of Service. When the law requires consent (for example, certain cookies or sensitive data uses), we will request it explicitly. This Policy covers what we collect, how we use and share it, and the choices and rights available to you.

• Information We Collect
• How We Use Information
• Sensitive & Regulated Data
• How We Share Information
• De-identified & Aggregated Information
• Your Choices & Rights
• Cookies & Similar Technologies
• International Data Transfers
• Security
• Data Retention & Deletion
• Automated Decision-Making
• Children’s Privacy
• Breach Notification
• Changes to this Policy
• How to Contact Us

• Provide, ingest, host, and process Customer Content; generate outputs; maintain accounts and billing.
• Secure and operate the Services, including fraud/abuse prevention, access controls, logging, monitoring, debugging, and support.
• Improve reliability and safety using aggregated or de-identified telemetry (latency, error rates, feature counts). We do not use telemetry to train models that learn from your specific content.

Legal bases (EU/EEA): contract necessity (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), consent (including explicit consent where required for special-category processing in B2C), and legal obligation (Art. 6(1)(c)). Special-category data (Art. 9) is processed under the customer’s legal basis (B2B) or in B2C with explicit consent or another permitted ground.

PHI or other regulated data is only permitted on HIPAA/GDPR-enabled plans with a signed BAA/DPA. Do not upload such data on lower tiers.

We do not sell personal data or share it for cross-context behavioral advertising.

• Service providers (processors): Cloud hosting, storage, authentication, email, monitoring/logging, payments, and support providers operate under written contracts (including DPAs/BAAs where needed) that require confidentiality, appropriate security, and limited use.
• Legal and safety: We may disclose information if required by law or to protect the rights, safety, and security of users, the public, or the Services.
• Corporate transactions: Information may transfer during mergers, acquisitions, or financings under continued protections.

We may use and share de-identified or aggregated information for analytics, security, or product improvement. We will not attempt to re-identify it and prohibit our processors from doing so.

We verify identity, respond within 30 days for EU/EEA requests (with one extension if necessary), and may retain limited data required for legal or security obligations. We honor applicable U.S. state rights (access, correction, deletion, opt-out of sale/sharing/targeted advertising—we do not sell/share) and honor Global Privacy Control (GPC) signals. Appeals: reply to our decision and we will review.

We use strictly necessary cookies (login, security, session, performance) plus consent-based analytics (e.g., GA4) and configurable preferences elsewhere. Manage cookies via the in-product banner or Cookie Settings in the site footer. We configure analytics to minimize data collection and never allow advertising personalization.

We honor GPC signals where required, disabling analytics/marketing cookies automatically when detected. See our Cookie Notice for categories, purposes, retention, and vendors.

We are established in the EU/EEA. Data may be accessed from or transferred to countries where we or our providers operate. For EU/EEA transfers to countries without an adequacy decision we rely on EU Standard Contractual Clauses plus supplementary measures (encryption, access controls, vendor diligence, transfer assessments). Enterprise plans can offer EU-only processing options by contract when available.

• Encryption in transit (TLS/HTTPS) and at rest (databases, files, backups); managed keys with rotation.
• Role-based access control and least privilege; MFA enforced for privileged/admin accounts.
• Monitoring, logging with alerts, and a tested incident response plan.
• Secure development practices, code review, dependency scanning, and secrets management.
• Vendor risk management plus contractual safeguards for processors.
• Encrypted rolling backups and continuity procedures.

No method of transmission or storage is 100% secure; we continually improve our controls.

• Uploads & outputs: Free plans retain Customer Content for 7 days; paid plans retain for at least 30 days before archival/deletion. Admins can delete sooner. Extended retention is available on paid plans by contract.
• Service logs: Retained 14 days by default. We will update this Policy before extending that window.
• Account & billing data: Held for the life of the account and longer only as required for legal obligations (tax, accounting).
• Backups: Encrypted rolling backups ensure that deleted data ages out on schedule (typically within 30 days).
• Contract end: Admins may request exports during any archival window; after retention periods expire, data is permanently deleted. High-security paid tiers can offer short or zero retention, stricter access, or region pinning.

The Services are not directed to children under 16 (or 13 where applicable), and we do not knowingly collect personal data from children. If you believe a child provided data, contact us and we will delete it unless we have a lawful basis and verifiable consent.

Organizations that upload data about minors are responsible for obtaining required notices/consents (e.g., under GDPR, COPPA, FERPA) and for giving correct retention/deletion instructions. We act as a Processor/Service Provider and will process such data only on documented instructions (and on HIPAA-enabled plans with a BAA where PHI is included).

We maintain an incident response plan and promptly investigate, mitigate, and document any personal data breach.

If we are the Controller (e.g., self-serve accounts), we notify the supervisory authority without undue delay and within 72 hours when required, and inform affected individuals if the breach is likely to result in a high risk. When acting as a Processor, we notify the Customer without undue delay (providing facts, impact, and remedial steps for their GDPR Articles 33–34 obligations) and do not notify authorities or individuals unless instructed or legally required. Under HIPAA we notify Covered Entities without unreasonable delay and within contractual/statutory deadlines. We may share information in phases as investigations progress.

We may update this Policy periodically. Material changes will appear here with a new effective date, and we will provide additional notice (such as in-product or email) for significant updates. Continued use of the Services after the effective date constitutes acceptance.

Privacy & security inquiries: info@freshvista.ai

Postal: Freshvista / LyzeData Privacy Team, Čakovec 40000, Croatia