Privacy Policy
Last updated: 2026-05-27
This policy describes how VestryAI, Inc. (“Vestry,” “we,” “us”) collects, uses, and discloses personal data when you visit our website, sign up for an account, embed our widget on your site, or interact with our hosted chat surfaces. It covers data processed in our capacity as an independent controller.
When Vestry processes personal data on behalf of an institutional customer (for example, when an enterprise customer uploads content and end users ask questions of it), the relationship is governed by the Data Processing Addendum at /legal/dpa; that contract takes precedence over this policy to the extent of any conflict.
1. What we collect
Categories of personal data we may collect:
- Account data. Email address, hashed password, Google OAuth identifier (when used), display name, and connection identifiers from a third-party sign-in provider.
- Creator content. Audio, video, written documents, web URLs, and other material a creator uploads or authorizes us to ingest. With that authorization, we transcribe audio/video, split the result into searchable segments, and generate vector embeddings.
- Listener questions and answers. The text of each question submitted to a creator's chat surface, the AI-generated answer returned, the citations referenced, and the model/token counts.
- Payment data. Billing identifiers from Stripe (customer id, session id, payment-source reference). We do not receive or store full credit-card numbers; those are handled directly by Stripe.
- Technical data. IP address (hashed for anonymous-listener rate limits), user agent, request timestamps, cookie identifiers, and aggregate operational metrics.
2. How we use it
We use personal data to:
- operate the Service: authenticate users, ingest content, serve AI chat;
- enforce per-listener and per-creator usage limits;
- process payments and renewals;
- communicate operational notices, support replies, and policy updates;
- diagnose bugs and improve performance using aggregate operational metrics;
- comply with legal obligations and enforce our agreements.
We do not sell personal data. We do not use customer content to train third-party general-purpose models without separate written authorization from the customer.
3. Sub-processors
We rely on a small set of named sub-processors to operate the Service. Each handles a specific function; none receives data outside its purpose.
- Anthropic. Large-language-model inference for synthesizing answers from retrieved content and for title / speaker-name extraction passes.
- OpenAI. Text embeddings for chunk + voice-note search.
- Modal Labs. GPU-hosted speech-to-text and speaker diarization on audio/video uploads.
- Pinecone. Vector index for retrieval (embeddings only; no plaintext).
- Stripe. Payment processing for subscriber-tier and setup fees, and enterprise contract billing.
- Cloudflare (Workers + R2). Edge compute for the API and object storage for raw uploads + cold-storage transcripts.
- Supabase. Managed Postgres for accounts, entitlements, content metadata, and the query log.
- Fly.io. Runtime for the long-running ingestion worker.
- Vercel. Hosting for the dashboard at app.vestryai.com.
- Google. OAuth identity when a user signs in with Google.
We add or change sub-processors only when necessary to operate or improve the Service. Institutional customers may subscribe to advance notice via the DPA.
4. Takedown requests
To submit a takedown request, send written notice to privacy@vestryai.com identifying (a) the allegedly infringing content (URL, source-file identifier, or enough detail for us to locate it), (b) the basis of the claim, (c) your contact information, and (d) a good-faith statement, under penalty of perjury, that the use is unauthorized. We will remove or disable access to the identified content within a commercially reasonable time, notify the creator who uploaded it, and provide a counter-notice mechanism. Vestry does not adjudicate ownership; it follows the parties' documented resolution or a court order. See the Enterprise T&C /legal/enterprise §5 for the institutional-customer version of this process.
5. Retention
Account data is retained for the life of the account plus a brief grace period for recovery. Raw audio/video uploads are deleted from R2 after the transcript derivative has been written and verified (typically within seven days of successful ingest); the textual derivatives we retain are sufficient to re-chunk and re-embed without the original audio. Listener questions and answers are retained for as long as the creator account is active; on deletion of the creator account, the corresponding query log is deleted within thirty (30) days.
6. Your rights
Depending on where you live, you may have the right to access, correct, or delete personal data we hold about you, to receive an export, or to object to certain uses. Submit requests to privacy@vestryai.com. We'll respond within thirty (30) days and verify your identity before acting on the request. End users of an embedded widget should direct rights requests first to the creator who controls that widget — Vestry processes that data on the creator's behalf.
7. Cookies and similar technology
We use first-party cookies to keep you signed in (a `vestry_listener` or `vestry_creator` cookie tied to the .vestryai.com domain), to remember per-creator session state, and to provide checkout return handling. We do not use third-party advertising cookies. Closing your browser or clearing cookies signs you out; the underlying account data is unaffected.
8. International transfers
Vestry is based in the United States and the sub-processors above operate in the United States and the European Economic Area. When personal data of EEA / UK residents moves out of those regions, we rely on the European Commission's Standard Contractual Clauses, supplemented by appropriate technical and organizational measures, as the transfer mechanism.
9. Security
We encrypt data in transit (TLS) and at rest (sub-processor-provided AES-256 at the storage layer). Access to production systems is gated behind individual SSO accounts with required two-factor authentication. We log production reads and writes to a tamper-evident audit trail.
10. Children
The Service is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided personal data to us, contact us and we will delete it.
11. Changes to this policy
We'll post updates to this page, change the “Last updated” date, and — for material changes — notify creators via email. Continued use of the Service after a change indicates acceptance.
12. Contact
For privacy inquiries, write to privacy@vestryai.com.