Vorasense

Contents

  1. Introduction and Scope
  2. Data We Collect
  3. Legal Basis for Processing
  4. How We Use Data
  5. Processing Architecture
  6. Data Retention
  7. Third Parties and Data Sharing
  8. International Data Transfers
  9. Automated Decision-Making
  10. Your GDPR Rights
  11. Data Security
  12. Children's Privacy
  13. Cookies and Tracking
  14. Policy Changes
  15. Contact and Complaints

Privacy you can understand

We collect only what we need to keep you protected.

1. Introduction and Scope

  • Data Controller: Andreas Thun, Sweden.
  • This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) and Swedish data protection laws.
  • For privacy inquiries, contact the Swedish Data Protection Authority (IMY) at imy.se.
  • We collect and process personal data only to deliver Vorasense and comply with legal obligations.

2. Data We Collect

  • Account Data: Email address, name, OAuth profile information (Google/Apple).
  • Device Data: Device ID, extension version, browser type, last activity.
  • Usage Data: Number of analyses performed, quota usage, feature usage patterns.
  • Technical Data: IP address, user agent, timestamps, error logs.
  • Chat Data: Incoming chat message fragments for analysis (not stored after processing).

3. Legal Basis for Processing

  • Contract (GDPR Art. 6.1.b): We process data necessary to deliver the Service and manage your subscription.
  • Legitimate Interest (GDPR Art. 6.1.f): We process data for security, fraud prevention, and service improvement.
  • Legal Compliance (GDPR Art. 6.1.c): We process data as required by law (e.g., accounting records).

4. How We Use Data

  • Deliver fraud detection analysis on your incoming messages.
  • Manage your account, authentication, and subscription.
  • Process billing through Paddle and generate invoices for accounting purposes.
  • Detect fraud, prevent abuse, and secure the Service.
  • Comply with legal and regulatory obligations.
  • Respond to support requests and troubleshoot issues.

5. Processing Architecture

  • Local Processing (Your Browser): Message extraction, caching, and analysis rendering occur locally. Data does not leave your device.
  • Server Storage (Our API): Authentication tokens, subscription data, and audit logs are stored securely.
  • AI Processing (Azure): Chat fragments are sent to Microsoft Azure AI for real-time analysis. Azure does not retain your data.
  • Encryption: All data in transit uses TLS 1.3 encryption. Server data is encrypted at rest using AES-256-GCM.

6. Data Retention

  • Session Tokens: 15 minutes (short-lived). Auth tokens: 30 days maximum.
  • Local Cache (on your device): Most recent 100 conversations. Cleared when extension is uninstalled.
  • Server Audit Logs: 7 years (for legal/accounting compliance).
  • AI Analysis (Azure AI): Chat data is not retained. Analysis happens in real-time and is not stored.
  • Account Data: Retained until you request deletion or close your account.

7. Third Parties and Data Sharing

We share your data only as necessary to deliver the Service:

  • Microsoft Azure AI: Receives chat fragments for fraud analysis.
  • Paddle: Receives billing and account data for payment processing.
  • Google/Apple: Receive auth requests to verify your identity.
  • We do NOT sell your data to third parties.
  • We do NOT share your data with advertisers or marketing partners.
  • We may disclose data if required by law or court order.

8. International Data Transfers

  • Your personal data is stored in the European Union.
  • Chat analysis by Azure AI may involve processing in the United States.
  • Transfers outside the EU are protected by Standard Contractual Clauses (SCC) approved by the European Commission.
  • Microsoft Azure AI is subject to appropriate legal safeguards for data protection.

9. Automated Decision-Making

  • Vorasense uses automated AI scoring to assess message risk on a 0-100 scale.
  • AI scoring is advisory only. No automatic blocking or account suspension is triggered.
  • You can see the AI risk score and explanation for any message.
  • You have the right to request human review of any analysis result.
  • You have the right to object to automated decision-making under GDPR Art. 22.

10. Your GDPR Rights

  • Right of Access (Art. 15): You can request a copy of all data we hold about you.
  • Right to Rectification (Art. 16): You can correct inaccurate data.
  • Right to Erasure (Art. 17): You can request deletion of your data, subject to legal retention requirements.
  • Right to Restriction (Art. 18): You can limit how we process your data.
  • Right to Data Portability (Art. 20): You can receive your data in a portable format.
  • Right to Object (Art. 21): You can object to processing based on legitimate interest.
  • Right to Withdraw Consent: You can withdraw consent at any time (does not affect past processing).
  • To exercise these rights, contact [email protected].

11. Data Security

  • Browser: Messages are encrypted with AES-256-GCM before local storage.
  • Server: Data is encrypted at rest and protected with TLS 1.3 in transit.
  • Auth tokens use SHA-256 hashing and are time-limited.
  • Rate limiting protects against unauthorized access and brute-force attacks.
  • All communication uses HTTPS with modern SSL/TLS standards.
  • Access to databases is restricted and logged.

12. Children's Privacy

  • Vorasense is intended for users 16 years and older.
  • We do not knowingly collect data from children under 16.
  • If we discover we have collected data from a child, we will delete it immediately.
  • Parents or guardians who believe their child's data was collected may contact support.

13. Cookies and Tracking

  • No cookies in the browser extension. The extension uses local storage only.
  • The Vorasense website uses session-only cookies for authentication.
  • We do not use Google Analytics or third-party analytics tracking.
  • We do not use any advertising or retargeting pixels.
  • No persistent tracking across websites.

14. Policy Changes

  • We will notify you of material changes to this Privacy Policy 30 days in advance via email.
  • Your continued use of Vorasense after changes constitutes acceptance.
  • Previous versions of this policy are available upon request.

15. Contact and Complaints

  • Data Controller: Andreas Thun, Sweden.
  • For privacy questions: [email protected]
  • You have the right to lodge a complaint with the Swedish Data Protection Authority (IMY) at imy.se.
  • Complaints can also be filed with any EU data protection authority.