Privacy Policy

VEKZT (“VEKZT,” “we,” “us,” or “our”) is an AI-powered SaaS platform that enables e-commerce brands and marketing agencies to produce performance-optimized ad creatives for paid advertising on Meta and other platforms. Our platform automatically retrieves information from your website and brand assets, then uses artificial intelligence to generate high-quality static ad images, faster and at a fraction of the cost of traditional creative production.

This Privacy Policy (“Policy”) describes how we collect, store, use, and share (“process”) your personal information when you use our services (“Services”), including when you:

• Visit our website at vekzt.com or any other website linking to this Policy
• Use the VEKZT platform to generate ad creatives
• Interact with us in connection with sales, support, or marketing

This Policy applies to all users, including individual users, e-commerce brands, and agencies (“User,” “you,” or “your”). By using our Services, you acknowledge this Policy. If you do not agree with its terms, please discontinue use of our Services.

For any questions, contact us at contact@vekzt.com.

Summary of Key Points

What we collect: Account information, billing data, brand assets, website data retrieved via automated crawling, and technical usage data.

How we use it: To deliver and improve our Services, generate ad creatives using AI, process payments, provide support, and meet legal obligations.

AI usage: We use generative AI to produce ad creatives on your behalf. We do not train AI models on your data. Our AI providers are contractually prohibited from using your input or output to train their general models.

Web crawling: When you provide a store URL, we automatically retrieve product data, pricing, images, and brand elements from your website to generate creatives. This data is stored in our database and used solely for your creative production.

Legal basis: We process data on the basis of contract performance, legitimate interests, consent, and legal obligations under GDPR.

Data sharing: We share data only with sub-processors necessary to deliver the Services (Stripe, Supabase, OpenAI, Google, Anthropic, Firecrawl), all under binding data processing agreements. We do not sell personal data.

Cookies: We use strictly necessary cookies and, with your consent, non-essential cookies for functionality and conversion tracking.

Your rights: You have the right to access, correct, delete, restrict, and port your data, and to object to certain processing. EEA/UK users have rights under GDPR; US users have rights under applicable state laws.

Updates: We will notify you of material changes by email or in-app at least 14 days before they take effect.

Contact: contact@vekzt.com

1. Data Controller and Roles

Data Controller for personal information collected via vekzt.com and the VEKZT platform:

VEKZT. Email: contact@vekzt.com. Website: vekzt.com

Data Processor: For personal data that our customers upload or make available through their websites and connected services (product data, brand assets, images, pricing), the customer is the data controller and VEKZT acts as a data processor in accordance with our Data Processing Agreement (DPA), available on request.

This distinction follows GDPR Art. 4(7) and (8) and Art. 28.

2. Information We Collect

2.1 Information You Provide Directly

• Account and profile data: name, business email address, company name, and optionally phone number and job title. Passwords are stored as cryptographic hashes and are never stored in plain text.
• Billing data: company name, billing address, and payment information. Card data is handled by Stripe; we do not store full card numbers or CVV codes.
• Brand brief and guidelines: information you upload describing your brand identity, target audience, visual style, and preferences for ad production.
• Support communications: messages, requests, and feedback you send us via email or the platform.

2.2 Information Collected Automatically

• Usage data: features accessed, timestamps, number of creatives generated, export actions, and similar usage patterns.
• Technical data: IP address, device type, browser type and version, operating system, language settings, and session identifiers.
• Approximate location data: derived from IP address. We do not collect precise GPS location.
• Log and security data: event logs used for platform operations, debugging, and security monitoring.

2.3 Information from Third-Party Sources

• Connected ad platforms: if you connect your Meta Ads account or similar platforms, we receive tokens and relevant metadata to support ad export functionality, strictly limited to what is necessary for the integration.
• Payment processor: Stripe may share transaction confirmation data with us for billing and subscription management purposes.

2.4 Special Category Data

We do not intentionally collect special categories of personal data as defined under GDPR Art. 9 (such as health data, biometric identifiers, racial or ethnic origin, religious beliefs, political opinions, or sexual orientation). We instruct customers not to upload such data to the platform. If we become aware that special category data has been submitted, we will promptly delete it.

2.5 Data About Minors

Our Services are not intended for individuals under 18 years of age. See Section 12.

3. Web Crawling and Automated Data Retrieval

A core function of VEKZT is the automatic retrieval of publicly available information from the website URL(s) you provide. This is carried out using Firecrawl, our web crawling sub-processor.

When you submit a store URL, VEKZT may automatically retrieve:

• Product information: product names, descriptions, images, pricing, variants, and availability
• Brand identity: logos, color palettes, fonts, and visual style elements
• Marketing content: slogans, value propositions, and other visible promotional text

This data is retrieved solely to generate ad creatives on your behalf. It is stored in our database (Supabase) and is not shared with third parties beyond what is necessary for creative production.

Your responsibilities as data controller: If the crawled website contains personal data about third parties (e.g., customer reviews with names, user-generated content), you are responsible as the data controller for ensuring that retrieval and processing of that data is lawful. VEKZT recommends that you only submit URLs where third-party personal data is either absent or its inclusion is legally justified.

You may request deletion of crawled data associated with your account at any time by contacting us at contact@vekzt.com.

4. How We Use Your Information

We process your information for the following purposes:

4.1 Service Delivery

• Create and manage your user account and subscription
• Crawl your website to retrieve brand and product data
• Generate ad creatives using AI based on your inputs
• Deliver creatives to your library and enable export to ad platforms
• Process payments and manage subscription billing

4.2 Platform Operations and Improvement

• Monitor platform stability, performance, and availability
• Diagnose and resolve technical issues
• Analyze usage patterns (on aggregated or pseudonymized data where possible) to improve features and user experience
• Develop new features and product capabilities

4.3 Security and Fraud Prevention

• Detect, investigate, and prevent unauthorized access, abuse, and security incidents
• Enforce our Terms of Service and Acceptable Use Policy
• Protect the rights, property, and safety of VEKZT, our users, and the public

4.4 Communication

• Send transactional notifications related to your account and subscription
• Provide customer support and respond to inquiries
• Send product updates and announcements where permitted
• Send marketing communications you have opted into

4.5 Legal and Regulatory Compliance

• Fulfill obligations under applicable law, including accounting and record-keeping requirements
• Respond to lawful requests from government authorities
• Exercise or defend legal claims

4.6 No Automated Decision-Making with Legal Effect

VEKZT does not use automated decision-making that produces legal or similarly significant effects on individuals, as described in GDPR Art. 22.

5. Legal Bases for Processing

We process personal data only where a valid legal basis applies. The table below sets out the legal bases we rely on under GDPR:

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal, per GDPR Art. 7(3).

6. Use of Artificial Intelligence

VEKZT uses generative AI to produce static ad creatives on behalf of customers. The following principles govern our use of AI:

6.1 No Model Training on Your Data

We do not use your data (including website content, brand assets, uploaded files, or generated creatives) to train or fine-tune AI models. Our AI providers (Anthropic, Google, OpenAI) are contractually prohibited from using input or output processed through VEKZT to train their general-purpose models.

6.2 AI Providers as Data Processors

When generating creatives, your inputs (brand brief, product data, style instructions) are transmitted to our AI providers for processing. These providers act as our data processors under binding DPAs. Transmission is conducted via encrypted channels (TLS), and data is not retained by providers beyond what is necessary to complete the generation request. See Section 7 for a full list of sub-processors and links to their privacy policies.

6.3 AI Act Compliance

Where applicable under EU AI Act (Regulation (EU) 2024/1689), VEKZT takes appropriate measures regarding the transparency of AI-generated content. Creatives produced by VEKZT are identifiable as AI-generated within our platform interface.

As a customer deploying AI-generated content on your own advertising channels, you retain editorial responsibility for that content and are responsible for complying with applicable disclosure requirements in your jurisdiction.

6.4 No Automated Decision-Making

We do not use AI to make decisions that produce legal or similarly significant effects on individuals, as defined in GDPR Art. 22.

6.5 Your Responsibility for Uploaded Content

By submitting content to VEKZT, you confirm that you hold the necessary rights (copyright, trademark, right of publicity) to all materials. You must not use VEKZT to generate content that infringes third-party intellectual property rights or creates unauthorized depictions of identifiable individuals.

7. Data Sharing and Sub-Processors

We do not sell personal data. We share data only with sub-processors necessary to deliver the Services, and only under binding data processing agreements.

All sub-processors are bound by contracts requiring them to process data only in accordance with our instructions and applicable data protection law. We will provide notice of material sub-processor changes and, where required by applicable DPA, allow an opportunity to object.

We may also disclose personal data to law enforcement, regulators, or courts where required by law. See Section 16.

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will notify you of any change in data controller and your rights in that context.

8. International Data Transfers

Several of our sub-processors are based in or process data in the United States or other jurisdictions outside the EEA. Where personal data is transferred outside the EEA or UK, we protect such transfers through legally recognized mechanisms including:

• EU Standard Contractual Clauses (SCCs): Module 2 (Controller-to-Processor), per Commission Decision 2021/914, incorporated into our DPAs with each relevant sub-processor.
• EU–US Data Privacy Framework (DPF): Where sub-processors hold current DPF certification, including its UK and Swiss extensions.
• UK International Data Transfer Addendum: Version B1.0, issued by the UK ICO under s119A of the UK Data Protection Act 2018.

We strive to minimize transfers outside the EEA and select sub-processors that maintain equivalent levels of data protection. Current sub-processor locations are listed in Section 7.

9. Log Data

When you use our Services, VEKZT automatically collects operational telemetry to secure and improve the platform (“Log Data”). Log Data may include:

• IP address and approximate location
• Browser type and version
• Pages, features, or APIs accessed within the Services
• Timestamps and session duration
• Unique session or device identifiers
• Error and debugging codes
• Other usage statistics

Log data is retained for up to 90 days unless required to be retained longer by applicable law. It is used exclusively for platform security, performance monitoring, and troubleshooting, and is not used for profiling or marketing purposes.

10. Cookies and Tracking Technologies

VEKZT and selected third-party partners use cookies and similar technologies (“Cookies”) to operate, secure, and analyze our Services.

10.1 Types of Cookies We Use

Strictly Necessary Cookies:Required for core platform functions such as user authentication, session management, fraud prevention, and consent storage. These are set on the basis of contract performance or legitimate interests and do not require consent.

Functional Cookies:Remember your preferences (language, layout, theme) to improve your experience. Deployed on the basis of consent.

Marketing and Conversion Tracking Cookies: Enable us to measure the effectiveness of our own advertising campaigns via Meta Pixel and Google Ads tags. These are deployed on the basis of consent in the EEA/UK and honor CCPA opt-out rights in California.

10.2 Managing Your Cookie Preferences

You can manage cookie settings via the cookie banner on vekzt.com or through your browser settings. Withdrawing consent for non-essential cookies does not affect core platform functionality.

10.3 What We Do Not Do

We do not sell or share personal data for cross-context behavioral advertising as defined under CCPA/CPRA or equivalent laws. Our use of marketing cookies is limited to measuring the performance of our own campaigns.

11. Data Retention and Security

11.1 Retention Periods

You may request deletion of your data at any time under Section 13. Some data may be retained longer where required by applicable law.

11.2 Security Measures

We implement technical and organizational security measures in accordance with GDPR Art. 32, including:

• Encryption of data in transit (TLS 1.2 or higher)
• Encryption of data at rest
• Role-based access controls with least-privilege principles
• Secure credential management
• Regular security monitoring and alerting
• Incident response procedures, including breach notification obligations under GDPR Art. 33–34

No system is completely secure. If you become aware of a security vulnerability or incident involving our Services, please report it to contact@vekzt.com.

12. Minors

VEKZT is a B2B platform and our Services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. By using our Services, you represent that you are at least 18 years old or the age of majority in your jurisdiction.

If we discover that we have received personal data from a person under 18 without verifiable parental or guardian consent, we will promptly delete it. If you believe we may have collected such data, please contact us at contact@vekzt.com.

13. Your Privacy Rights

Depending on your location, you have the following rights with respect to your personal data:

13.1 Rights Under GDPR (EEA and UK Users)

• Right of Access (Art. 15): Request confirmation of whether we process personal data about you, and receive a copy of that data.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”), subject to certain legal exceptions.
• Right to Restriction of Processing (Art. 18): Request that we limit processing of your data in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing immediately.
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
• Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not engage in such processing.

To exercise any of these rights, contact us at contact@vekzt.com. We will respond within 30 days (extendable by a further 60 days for complex or numerous requests, with notice). We may request identity verification before fulfilling a request.

You also have the right to lodge a complaint with your national supervisory authority:

• Norway: Datatilsynet (datatilsynet.no)
• EU: Your local data protection authority
• UK: The Information Commissioner’s Office (ICO) at ico.org.uk

13.2 Rights Under US State Law

See Section 15.

14. Do-Not-Track and Global Privacy Control

Do-Not-Track (DNT): VEKZT does not currently respond to browser DNT signals due to the absence of a uniform industry standard for their interpretation.

Global Privacy Control (GPC): For users in California and other jurisdictions where GPC is legally recognized, VEKZT honors GPC signals as an opt-out of the sale or sharing of personal data for targeted advertising. We do not sell or share personal data for cross-context behavioral advertising purposes.

15. Jurisdictional Rights

15.1 EEA and UK: GDPR / UK GDPR

Users in the European Economic Area are protected by Regulation (EU) 2016/679 (GDPR). UK users are protected by UK GDPR. All rights described in Section 13.1 apply in full. International transfers are governed by Section 8.

15.2 United States: State Privacy Laws

We comply with applicable US state privacy laws. Depending on your state of residence, you may have the following rights:

California (CCPA/CPRA)

• Know what personal data we collect, use, disclose, and sell (we do not sell personal data)
• Delete personal data we hold about you, subject to exceptions
• Correct inaccurate personal data
• Opt out of the sale or sharing of personal data for targeted advertising (we do not engage in this)
• Limit use and disclosure of sensitive personal information
• Non-discrimination for exercising your rights

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Utah (UCPA): Residents of these states have rights to access, correct, delete, and port personal data; to opt out of targeted advertising, profiling for significant decisions, and the sale of personal data. We do not sell personal data or use it for targeted advertising.

To submit a privacy rights request under any applicable US state law, contact us at contact@vekzt.com. We will respond within the timeframe required by applicable law (typically 30–45 days, with a possible extension of up to 45 additional days with notice). We will not discriminate against you for exercising any privacy rights.

16. Investigations and Legal Disclosures

VEKZT may disclose personal data where we believe in good faith that such disclosure is:

• Required by a valid legal process, court order, subpoena, or binding governmental request. Unless legally prohibited, we will endeavor to notify affected users before producing data, consistent with applicable law and our DPA obligations.
• Necessary to prevent, investigate, or respond to fraud, security incidents, or other unlawful activity involving our Services.
• Necessary to protect the rights, reputation, property, or safety of VEKZT, our users, sub-processors, or the public.

All disclosures will be limited to what is strictly necessary and will comply with applicable privacy law.

17. Updates to This Policy

We may update this Policy from time to time to reflect changes in our Services, sub-processors, or applicable legal requirements. We will notify you of material changes by:

• Sending an email to the address associated with your account, and/or
• Displaying a prominent notice within the VEKZT platform

at least 14 days before changes take effect. The date of the most recent update is shown at the top of this Policy. Continued use of the Services after changes take effect constitutes your acceptance of the revised Policy. If you do not agree with the changes, you may close your account before they take effect.

18. How to Contact Us

For privacy-related questions, rights requests, Data Processing Agreement inquiries, or any other concerns regarding this Policy:

Email: contact@vekzt.com
Website: vekzt.com

We aim to acknowledge all inquiries within 2 business days and to fully respond within the timeframe required by applicable law, or within 30 days where no specific deadline applies.