Privacy Policy

This Privacy Policy explains how [Entity Name], a sole proprietorship registered in India, operating as "Vessel" ("we," "us," or "our") at vesselofone.com, collects, uses, and protects your information when you use our managed AI agent hosting platform.

Information We Collect

We collect the following information when you use Vessel:

• Account information — your email address and authentication credentials, collected during sign-up.
• Billing information — collected by our payment processor (Razorpay) when you subscribe. We do not store credit card numbers or payment credentials on our servers.
• Workspace and vessel metadata — names, configuration, status, and usage logs associated with your managed AI agent instances.
• Machine-level telemetry — CPU usage, memory usage, disk usage, health status, tunnel connectivity, gateway version, and channel connection state (booleans only). This data is collected automatically from your vessel for platform operations. See "Machine-Level vs Agent-Level Data" below.
• Technical data — IP address, browser type, and access timestamps generated when you interact with our platform.
• Product analytics — page views, feature usage, and interaction events collected via PostHog to improve the platform. PostHog session replay records anonymized interactions with all form inputs masked. No agent-level data is included. Subject to your consent (see Cookies below).
• Web analytics — aggregate traffic data (page views, referral sources, geographic region) collected via Google Analytics to understand site usage. Subject to your consent (see Cookies below).

Machine-Level vs Agent-Level Data

Vessel distinguishes between two tiers of data, enforced in our codebase:

• Machine-level data (always collected) — health status, system resources (CPU, memory, disk), tunnel connectivity, gateway version, channel connection state (booleans), LLM key validity (boolean), and skill eligibility counts. This data consists of booleans, counts, and version strings only. It never includes credential values, file paths, or message content.
• Agent-level data (opt-in only) — agent conversations, logs, configuration details, API keys, and session data. This data is never collected by default. It is only accessible when you explicitly enable support access (see below), and is read-through only — we never store agent-level data on Vessel infrastructure.

How We Use Your Information

• Authenticate your identity and manage your account.
• Provision, operate, and monitor your managed AI agent instances.
• Process payments and manage your subscription.
• Improve our platform based on aggregated usage patterns.
• Communicate with you about your account or service changes.
• Detect and prevent abuse, fraud, and security incidents.

Support Access

When you need help troubleshooting your vessel, you can enable support access from your dashboard. When enabled:

• Our team can view limited diagnostic data on your vessel (agent logs, configuration) to help resolve issues.
• Access is read-only and scoped to the specific debugging task.
• Support access automatically expires after 72 hours.
• You can revoke it at any time from your dashboard.
• Every support access session is logged: who accessed, when, which endpoint, and why.
• Logs viewed under support access have API keys and LLM response content redacted.

Support access is off by default. We never access agent-level data without your explicit consent.

Third-Party Services and Subprocessors

We rely on the following third-party providers to deliver our services. Each processes data in accordance with their own privacy policies:

• Google Cloud Platform — compute infrastructure for your AI agent instances (US).
• Cloudflare — network security, tunnel connectivity, and DNS (global).
• Supabase — authentication and database hosting (US).
• Razorpay — payment processing. Razorpay handles all payment card data directly; we do not store card numbers (India).
• PostHog — product analytics and session replay. Used to understand feature usage and improve the platform. Session replay records anonymized interactions with all form inputs masked. No agent-level data is sent to PostHog. Subject to your consent (US/EU).
• Google Analytics — web analytics. Collects aggregate traffic data (page views, referral sources, geographic region). Subject to your consent (US).
• Resend — transactional email (e.g., account notifications, alerts). Receives only your email address and message content necessary for delivery (US).

We do not sell your data to any third party.

Cookies

We use cookies for the following purposes:

• Authentication — Supabase sets session cookies to keep you signed in. These are essential for the service to function.
• Product analytics — PostHog sets a cookie to understand how the platform is used and to improve the experience. This cookie is used for product improvement only, not for advertising or cross-site tracking. Subject to your consent.
• Web analytics — Google Analytics sets cookies for aggregate traffic analysis. Subject to your consent.

We do not use advertising or behavioral tracking cookies.

Managing Your Preferences

When you first visit Vessel, a consent banner appears at the bottom of the page. You can accept or decline analytics cookies at that point. Your choice is remembered for future visits.

• If you accept — PostHog and Google Analytics cookies are set, and we can identify your account for product improvement purposes.
• If you decline — no analytics cookies are set. PostHog falls back to cookieless, hash-based tracking that does not identify you personally. Google Analytics is not loaded.
• To change your preference — clear your browser's site data (cookies and storage) for vesselofone.com and the consent banner will reappear on your next visit.

Data Retention

We retain your account data for as long as your account is active. When you destroy an AI agent instance, the associated virtual machine and its data are permanently deleted. If you delete your account, we remove your personal data within 30 days, except where retention is required by law.

Your Rights

You have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and associated data.
• Export your data in a portable format.

To exercise any of these rights, contact us at the address below.

GDPR (EU Users)

If you are located in the European Economic Area (EEA), the following applies:

• Data controller — Vessel ([Entity Name]) is the data controller for your personal data.
• Lawful basis — we process account and billing data under contract performance (necessary to provide the service). We process machine-level telemetry under legitimate interest (platform operations). We process product analytics and web analytics under consent.
• Data subject rights — in addition to the rights listed above, you may request restriction of processing, object to processing based on legitimate interest, or lodge a complaint with your local supervisory authority.
• International transfers — your data may be transferred to and processed in the United States and India. Our subprocessors (GCP, Cloudflare, Supabase) include Standard Contractual Clauses (SCCs) in their data processing agreements to ensure adequate protection.

CCPA (California Users)

If you are a California resident, the following applies under the California Consumer Privacy Act:

• We do not sell your personal information.
• We do not use your personal information for cross-context behavioral advertising.
• You have the right to know what personal information we collect, request its deletion, and opt out of any future sale (though we do not sell data).

To exercise your CCPA rights, contact us at privacy@vesselofone.com.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date.

Contact

If you have questions about this Privacy Policy, contact us at privacy@vesselofone.com.