Vyso privacy policy

Privacy that is clear, practical, and built for modern teams.

Last updated: July 12, 2026. This policy explains how Vyso handles account information, uploads, AI processing, and media delivery.

1. Two kinds of data, two roles we play

This is the most important section to understand about how Vyso handles data.

Account Data (Vyso is the Controller). Information you or your organization give us to create and administer an account — name, work email, billing details, authentication data via Clerk, support communications. For this data, Vyso decides how and why it is processed, and we are directly accountable to you under privacy law.

Customer Content (Vyso is the Processor). The media assets, files, and associated metadata your organization uploads to the Service, plus any personal data embedded within that content (for example, a person’s face in a photo, a name in a document, or GPS coordinates in EXIF data). Here, your organization is the data controller and Vyso processes this content only on your organization’s instructions, under a Data Processing Agreement (DPA) available upon request.


2. Information we collect

We collect information in several categories:

  • Account & identity information: name, email, organization, role, authentication credentials processed through Clerk, billing and payment information via our payment processor, and support correspondence.
  • Customer content: uploaded files, metadata such as filenames, tags, and custom fields, and any personal data embedded within that content by you or your organization.
  • Usage & technical data: log events, feature usage, search queries, transformation requests, browser and device type, IP address, and approximate location derived from IP, collected for security, reliability, and product improvement.
  • Cookies & similar technologies: we use cookies and similar technologies for authentication, session management, analytics, and where applicable marketing. See our Cookie Policy at /cookies for the categories used and how to manage preferences. Non-essential cookies are only set with your consent where required by law.

3. Legal bases for processing (GDPR / UK GDPR)

Where GDPR or UK GDPR applies, we rely on contract, legitimate interests, consent, and legal obligation as appropriate.

  • Contract — to create your account and provide the Service you have signed up for.
  • Legitimate interests — for security, fraud prevention, product analytics, and service improvement, balanced against your rights.
  • Consent — for non-essential cookies, marketing communications, and certain AI features that process special category data.
  • Legal obligation — for tax, accounting, and regulatory compliance.

4. How we use information

We use data to provide and maintain the Service, deliver and transform media through our CDN, power search and organization features, maintain audit trails and activity logs, provide customer support, detect and prevent abuse or security incidents, and improve performance and reliability. We do not use Account Data to serve third-party advertising.


5. AI-powered features

Vyso offers AI features such as auto-tagging, similarity search, and content-based search.

  • What is processed: uploaded content and metadata are processed to generate tags, embeddings, or search results.
  • Model training: we do not use Customer Content to train foundation models for use outside your account, and we do not share Customer Content with third-party AI providers for their own model training.
  • Biometric or special category data: if your content includes faces or other biometric identifiers and you enable similarity search or facial-recognition-adjacent features, this may constitute special category data under GDPR or biometric data under laws such as Illinois’ BIPA. As the controller for this content, your organization is responsible for obtaining any required consent from the individuals depicted before enabling these features. Contact us if you would like these features disabled by default.
  • Opt-out: AI features can be disabled at the workspace level in Settings, or by contacting privacy@vyso.io.

6. Sharing of information & sub-processors

We share data only as needed to run the Service.

  • Authentication provider (Clerk): account login and session management.
  • Cloud object storage (S3-compatible): asset storage.
  • CDN provider: global media delivery.
  • AI/ML processing providers: auto-tagging and similarity search.
  • Payment processor: billing.
  • Analytics providers: product usage insights.
CategoryPurpose
Authentication provider (Clerk)Account login and session management
Cloud object storage (S3-compatible)Asset storage
CDN providerGlobal media delivery
AI/ML processing providersAuto-tagging and similarity search
Payment processorBilling
Analytics providersProduct usage insights

7. International data transfers

Where you have selected a storage region, Customer Content is stored in that region. Account Data and other operational data may be transferred internationally to where Vyso or its subprocessors operate. Where required, we rely on Standard Contractual Clauses, adequacy decisions, or equivalent safeguards for transfers out of the EEA, UK, or Switzerland.


8. Data retention

Account Data is retained for as long as your account is active, plus a reasonable period after closure for legal, tax, or dispute-resolution purposes. Customer Content is retained per your organization’s configuration and deleted upon account termination or explicit deletion requests, subject to a limited backup retention window. Logs and usage data are retained for a reasonable period for security and reliability purposes, then deleted or anonymized.


9. Security

We use industry-standard safeguards including encryption in transit and at rest, role-based access controls, and least-privilege access for team members. No system is 100% secure, but we are committed to protecting your data and notifying you of serious incidents in line with applicable law.


10. Your privacy rights

If you are an account holder, you may request access, correction, deletion, restriction, portability, or objection to processing of your Account Data, and withdraw consent where processing relies on it. Submit requests to privacy@vyso.io; we will respond within the timeframe required by applicable law, typically within 30 days.

California residents may request to know what personal information we collect, request deletion, correct inaccurate information, and opt out of sale or sharing of personal information. Vyso does not sell personal information and does not share it for cross-context behavioral advertising.

If your data is in someone else’s Vyso account, contact that organization directly. If you are unable to reach them, contact us at privacy@vyso.io and we will facilitate the request per our DPA obligations.


11. Children’s privacy

The Service is not directed to children under 16, and we do not knowingly collect Account Data from them. If you believe a child has provided us personal data, contact privacy@vyso.io and we will delete it.


12. Customer responsibilities (as controller of customer content)

If your organization uploads content containing other individuals’ personal data — such as photos, names, or biometric identifiers — you are responsible for having a lawful basis to collect and process that data, providing any required notices to the individuals depicted or referenced, obtaining consent where required, and responding to data subject requests concerning that content with Vyso’s support as processor under the DPA.


13. Regulated data (including HIPAA)

Vyso can support customers who need to process protected health information (PHI), but this requires a signed Business Associate Agreement (BAA) and specific account configuration. Contact privacy@vyso.io before uploading PHI to confirm your workspace is configured for HIPAA compliance. Absent a signed BAA, do not upload PHI to the Service.


14. Data breach notification

If we become aware of a security incident affecting your personal data, we will notify affected account holders without undue delay and in line with applicable legal timeframes, and we will support customers in meeting their own downstream notification obligations under the DPA.


15. Changes to this policy

We will update the “Last updated” date above when we make changes and will notify account holders by email or in-app notice for material changes.


16. Contact us

Questions about privacy, data requests, or how Vyso handles information can be sent to privacy@vyso.io.


Contact

If you have questions about privacy, data requests, or how Vyso handles your information, contact us at privacy@vyso.io.