Legal
How Vithril, Inc. collects, uses, discloses, and protects personal information in connection with the Vithril AI-powered spreadsheet workspace.
Last updated · June 23, 2026
This Privacy Policy describes how Vithril, Inc. ("Vithril", "we", "us", or "our"), a Delaware corporation, collects, uses, discloses, and otherwise processes personal information in connection with our AI-powered spreadsheet workspace product ("Vithril" or the "Service"), including our web application, desktop application, application programming interfaces ("APIs"), and related websites, documentation, and support channels. This Privacy Policy is effective, and was last updated, as of the date shown above. We maintain prior versions and will make superseded versions reasonably available on request to privacy@vithril.com so that you can identify the terms in effect at any given time.
1.1 Acceptance. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. Your use of the Service is also governed by our Terms of Use, which is incorporated by reference. If you do not agree with this Privacy Policy, you must not access or use the Service.
1.2 Scope. This Privacy Policy applies to personal information we process across the web application, the desktop application, our APIs, our marketing and informational websites, and our communications with you. It does not apply to third-party products, services, or websites that we do not own or control, including Connected Services and third-party AI providers, except as expressly described in this Privacy Policy.
1.3 Personal information inside Customer Content. The Service is designed to host spreadsheets, workbooks, reference documents, and related materials that you and your organization create, import, or upload (collectively, "Customer Content"). Customer Content may itself contain personal information about you or third parties. For Customer Content submitted to a workspace, Vithril acts as a service provider or processor, processing such personal information solely on the documented instructions of, and on behalf of, the customer that controls the relevant workspace and as necessary to provide the Service, as further described in Section 21.
1.4 Controller and processor roles. For account registration data, billing data, security data, and product analytics, Vithril acts as a "controller" (or "business" under U.S. state law), meaning we determine the purposes and means of processing. For Customer Content submitted to a workspace, Vithril acts as a "processor" (or "service provider") and processes that information only on the documented instructions of the customer that acts as controller and to provide the Service. We use "generally" only for genuinely mixed-role data; Section 21 explains how these roles allocate responsibility.
1.5 Organization-controlled workspaces. When you access the Service through an account container, team, or workspace administered by an organization (for example, your employer or another entity that has provisioned the Service), that organization controls the workspace, its membership, its configuration, and the Customer Content within it. The organization's own privacy practices, not this Privacy Policy, govern its independent collection and use of your information. Questions about an organization's data practices should be directed to that organization.
The following capitalized terms have the meanings set out below. Other terms are defined inline where first used.
2.1 Personal Information / Personal Data. "Personal Information" (also referred to as "Personal Data") means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as those concepts are defined under applicable data protection laws. It does not include de-identified, aggregated, or anonymized information that cannot reasonably be associated with an individual.
2.2 De-identified information. Where we maintain de-identified, aggregated, or anonymized information, we will take reasonable measures to ensure it cannot be associated with an individual or household, will maintain and use it only in de-identified form, will not attempt to reidentify it except as permitted by law (for example, to test that de-identification is effective), and will contractually obligate any recipients to comply with the same restrictions.
2.3 Customer Content. Customer Content means the spreadsheets, workbooks, cell data, formulas, folders, data rooms, uploaded reference documents (such as PDF, CSV, and Excel files), AI prompts and messages, AI-generated outputs, and other materials that you or your organization create, import, upload, transmit, or store within the Service.
2.4 Processing. "Processing" means any operation performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transmission, combination, restriction, erasure, or destruction.
2.5 Service Provider; Subprocessor. A "Service Provider" (or "processor") is a third party that processes Personal Information on our behalf and under our instructions. A "Subprocessor" is a Service Provider engaged to process Customer Content in connection with our provision of the Service.
2.6 Controller; Business. A "controller" (or "business") is the entity that determines the purposes and means of processing Personal Information.
2.7 Sensitive Information. "Sensitive Information" means categories of Personal Information that applicable law affords heightened protection, such as government identifiers, financial account credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, health information, biometric data, and similar categories. The term includes "Sensitive Personal Information" as defined under the CCPA/CPRA (defined in Section 14) and "special categories" of personal data under the GDPR, and is used interchangeably with those statutory terms in this Privacy Policy.
2.8 Connected Services. "Connected Services" means third-party cloud file and data services that you choose to link to the Service, such as Google Drive, Microsoft OneDrive, and Microsoft SharePoint (via Microsoft Graph).
We collect Personal Information in the categories described below. The specific information we collect depends on how you interact with the Service and on the configuration chosen by you or your organization.
3.1 Account and profile information. When you register for or are provisioned access to the Service, we collect identifiers and profile information, which may include:
3.2 Workspace and Customer Content. We process the Customer Content that you or your organization create, import, upload, or store, including spreadsheets, workbooks, cell values, formulas, folders, data rooms, share configurations, version history, and uploaded reference documents. Customer Content may contain Personal Information that you choose to include. You are responsible for the Personal Information you include in Customer Content and for ensuring you have the necessary rights and lawful basis to provide it.
3.3 AI prompts, messages, and outputs. When you use AI chat or AI agent features, we process the prompts and messages you submit, the selected workbook and file context you direct the AI to use, the instructions you give, and the outputs generated, including suggested or applied spreadsheet actions, formulas, summaries, and search results. We may also process derived data such as embeddings (vector representations used for semantic search and retrieval) and conversational context retained to enable continuity within a session or feature, as further described and bounded in Section 6.3.
3.4 Files and Connected Services. If you connect a Connected Service, we process the files, metadata, and content you authorize us to access in order to import, reference, or export materials. The scope of access is governed by the permissions you grant during authorization and by the access controls of the Connected Service. We access only what is necessary to perform the actions you request, and we use such data only as described in Section 17.
3.5 Desktop application and local files. The desktop application provides scoped local-file access. Files on your device are not automatically uploaded or transmitted to us merely because they exist on the device. The desktop application accesses local files only within the scope you grant and only to perform actions you direct, such as opening, importing, or saving a file. When you direct the desktop application to import or sync a file into the Service, the relevant content is then processed as Customer Content.
3.6 Billing and transaction information. For paid plans, we and our payment processors, Stripe and Autumn, collect billing and transaction information, which may include plan and subscription details, billing contact information, billing address, the last four digits and type of payment card, transaction history, and AI usage metering data used to calculate usage-based charges. Full payment card numbers are processed by our PCI-DSS-compliant payment processors and are not stored by Vithril.
3.7 Usage, analytics, logs, and diagnostics. We automatically collect technical and usage information when you access the Service, which may include:
3.8 Communications. When you contact us for support, sales, security disclosure, or other purposes, we collect the content of your communications and related metadata, such as your contact details and the nature of your request.
3.9 Cookies and similar technologies. We and our providers use cookies and similar technologies (defined as Cookies in Section 7) as described in Section 7.
We obtain Personal Information from the following sources.
4.1 Directly from you. Information you provide when you register, configure your account, create or upload Customer Content, use AI features, communicate with us, or make a purchase.
4.2 From your organization. Where your access is provisioned by an organization, we receive account, role, and provisioning information from that organization and its administrators, including through SSO and SCIM directory synchronization.
4.3 Automatically from your use. Usage, analytics, log, diagnostic, and device information collected automatically as described in Section 3.7 and Section 7.
4.4 From Connected Services. Files, content, and metadata you authorize us to access from Connected Services such as Google Drive, OneDrive, and SharePoint.
4.5 From service providers and integrations. Information from our Service Providers, including authentication providers, payment processors, analytics providers, and AI providers, in connection with their performance of services for us.
4.6 From public and licensed sources. When you direct AI features to search connected or public sources, we may retrieve information from sources such as web search results, SEC/EDGAR filings, and publicly available datasets in order to fulfill your request.
We use Personal Information for the purposes described below. Where we act as a processor on behalf of a customer, we use Customer Content only to provide and support the Service in accordance with the customer's instructions and our agreement with the customer.
5.1 Provide and operate the Service. To create and administer accounts and workspaces; authenticate users; store, process, render, and export Customer Content; run AI chat and agent features; maintain version history and restore; enable collaboration, sharing, and share links; and otherwise deliver the features you request.
5.2 Maintain, secure, and improve the Service. To monitor, troubleshoot, debug, and secure the Service; detect, prevent, and respond to fraud, abuse, and security incidents; conduct analytics about feature usage and performance; and develop and improve features, reliability, and usability. Except as necessary to provide the Service to you or as instructed by the controlling customer, our product-improvement, analytics, and research activities use only de-identified or aggregated data and service telemetry, and not Customer Content. We do not use Customer Content to train, develop, or improve any artificial-intelligence model, as further described in Sections 5.7 and 6.
5.3 Billing and account management. To process payments through our PCI-DSS-compliant payment processors (Stripe and Autumn), calculate usage-based AI charges, manage subscriptions and renewals, prevent payment fraud, and maintain financial records.
5.4 Communications. To send transactional and administrative messages (such as service, security, billing, and policy notices), respond to your inquiries, and, where permitted, send marketing communications you may opt out of.
5.5 Human review. We do not routinely access or review the contents of Customer Content or your AI prompts and outputs. Limited access by authorized personnel or trusted Service Providers may occur only (a) at your or the controlling customer's request or instruction; (b) where reasonably necessary to provide, secure, or troubleshoot the Service; (c) to detect, prevent, or respond to fraud, abuse, safety, or security incidents; or (d) where required by law. Any such access is subject to least-privilege controls, confidentiality obligations, and logging as described in Section 11.
5.6 Legal and compliance. To comply with legal obligations, enforce our Terms of Use and other agreements, establish, exercise, or defend legal claims, and protect the rights, property, and safety of Vithril, our users, and the public.
5.7 Legal bases (EEA, UK, Switzerland). Where data protection law requires a legal basis, we rely on the following:
5.8 No use of Customer Content to train foundation models. We do not use Customer Content to train our own or general-purpose foundation models, as further described in Section 6.
The Service includes AI chat and AI agent features that read the workbook and file context you select, perform spreadsheet actions, generate formulas, summarize data, search connected or public sources, and suggest or apply edits at your direction. This Section explains how those features process information.
6.1 What is sent to AI providers. To fulfill an AI request, we transmit the relevant prompt, instructions, and selected context (which may include portions of Customer Content) to our third-party AI model providers, currently Anthropic and OpenAI. We send only the context reasonably necessary to perform the requested action.
6.2 No training on Customer Content. We do not use Customer Content to train, fine-tune, or develop our own models or any general-purpose foundation models. We contract with our AI model providers under API terms that, as of the effective date of this Privacy Policy, prohibit those providers from using data submitted through our API to train their models and provide for zero or limited data retention. We do not control these providers, and their terms may change; if they do, we will update this Privacy Policy and our practices accordingly. This is Vithril's commitment together with an accurate description of our providers' current contractual terms, and not an unconditional guarantee of third-party conduct.
6.3 AI provider and Vithril retention. Under the applicable API terms, our AI model providers retain prompts and context only transiently to fulfill a request, or for a limited period for abuse-monitoring purposes where such retention applies, after which the data is deleted in accordance with those terms; where zero-retention arrangements are available and enabled, providers do not retain the data after the request is served. Vithril logs and retains AI interaction metadata (such as usage metering and diagnostic events) and limited content needed to operate the feature, in each case subject to the retention practices in Section 10.
6.4 Embeddings, derived data, and memory. To enable semantic search, retrieval, and continuity within AI features, we may generate and store derived data such as embeddings and limited conversational context. Such derived data is used only to operate and improve the retrieval quality and functioning of the features for the customer to whom it belongs, and not to train, fine-tune, or improve any foundation model and not to develop features for other customers. We do not use embeddings or other derived data to train foundation models. Derived data is subject to this Privacy Policy and our retention practices in Section 10.
6.5 Document parsing and external sources. When you upload reference documents, we may use a document parsing and extraction provider (Reducto) to convert and extract content for use as AI context. When you direct AI features to search external sources, we may retrieve results from web search, SEC/EDGAR, and dataset sources (including via Hugging Face) to fulfill your request.
6.6 Assistive nature of AI features. AI features are assistive and operate at your direction, as further described in Section 18.1. The AI suggests or applies edits that you initiate, and you remain responsible for reviewing and validating AI outputs before relying on them. AI outputs may be inaccurate, incomplete, or unsuitable for a given purpose, and should not be treated as professional advice. The warranty disclaimers and limitations of liability in the Terms of Use, including any AI-specific accuracy and no-professional-advice disclaimers, apply to AI outputs as described in Section 22.
6.7 Caution regarding sensitive data. You should exercise caution before submitting Sensitive Information into AI prompts or context. You are responsible for ensuring that your use of AI features with any Customer Content, including any Sensitive Information, complies with applicable law and with your own obligations to third parties.
We disclose Personal Information only as described in this Privacy Policy and as directed by you or your organization. We do not sell Personal Information, we do not share it for cross-context behavioral advertising, and we do not engage in targeted advertising.
8.1 Workspace members and share recipients. When you collaborate, share Customer Content, or create share links, the relevant Customer Content and associated information (such as your name or email) are accessible to other members of the workspace and to the recipients you choose, subject to the access controls and permissions configured by you or your organization.
8.2 Service Providers and Subprocessors. We disclose Personal Information to the Service Providers and Subprocessors that help us operate the Service, as described in Section 9, under contracts that require them to protect the information and use it only to provide services to us.
8.3 Connected Services. When you authorize a Connected Service, we exchange information with that service as needed to perform the actions you request, in accordance with the platform-policy commitments in Section 17. Your use of a Connected Service is governed by its own terms and privacy notice.
8.4 AI and data providers. We disclose prompts and selected context to AI model providers and related providers to fulfill AI requests, as described in Section 6.
8.5 Professional advisers. We may disclose information to our auditors, lawyers, accountants, insurers, and other professional advisers where necessary in the course of the professional services they render to us.
8.6 Legal, safety, and authorities. We may disclose information where we believe in good faith that disclosure is necessary to comply with applicable law, legal process, or governmental request; to enforce our agreements; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Vithril, our users, or the public.
8.7 Corporate transactions. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, Personal Information may be transferred as part of that transaction. Any successor in interest will be bound to honor the commitments in this Privacy Policy with respect to such Personal Information unless and until we provide you with notice of, and where required by law obtain your consent to, any materially different use.
8.8 No sale; no cross-context behavioral advertising; no targeted advertising. We do not sell Personal Information for monetary or other valuable consideration, we do not share it for cross-context behavioral advertising, and we do not engage in targeted advertising, as those terms are defined under applicable U.S. state privacy laws.
We engage the Service Providers and Subprocessors below to help us provide the Service. Each is bound by contractual obligations to protect Personal Information and to process it only as needed to provide services to us. We conduct security and privacy due diligence on our Service Providers before engagement and flow down equivalent data-protection obligations as described in Section 11. This list is current as of the "Last updated" date above and may change over time.
9.1 Current providers. Our principal Service Providers and Subprocessors and their purposes are:
9.2 Changes, advance notice, and right to object. We may add, remove, or replace Service Providers and Subprocessors as our Service evolves. We maintain the list above with a "last updated" reference and will provide business customers with advance notice of any new Subprocessor that will process Customer Content, together with a mechanism to subscribe to updates. Business customers may object on reasonable, good-faith data-protection grounds within the notice period, and we will work in good faith to resolve the objection or, failing resolution, the customer may exercise the remedies set out in the applicable data processing agreement (DPA). We flow down data-protection obligations equivalent to our own to each Subprocessor. The DPA may supplement these baseline commitments.
10.1 Retention principles. We retain Personal Information for as long as necessary to provide the Service, fulfill the purposes described in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on the type of information, the purpose of processing, and applicable legal requirements. The baseline durations below apply unless a longer period is required by law or a different period is agreed with a controlling customer in a DPA.
10.2 Retention periods by category. Subject to Section 10.1, our baseline retention periods are:
10.3 Criteria where a fixed period does not apply. Where we cannot state a fixed retention period, we determine the appropriate period by reference to the criteria in Section 10.1, including the nature and sensitivity of the information, the purpose for which it is processed, the potential risk of harm from unauthorized use or disclosure, and applicable legal, accounting, or reporting requirements.
10.4 Deletion and export mechanics. You may delete Customer Content through the Service. Upon deletion or upon account or workspace termination, we initiate removal from active systems within the periods stated above and schedule removal from backups in the ordinary course. Before deletion following termination, you or the controlling customer may export Customer Content using the export features of the Service during the applicable window. Some information may be retained where required by law or for legitimate business purposes such as security, fraud prevention, and recordkeeping.
10.5 Organization-directed deletion. Where an organization controls a workspace, deletion and retention of Customer Content are subject to that organization's instructions and configuration, which may vary the baseline periods above through a DPA. We will give effect to a controlling customer's documented deletion instructions in accordance with our agreement.
11.1 Technical and organizational measures. We maintain administrative, technical, and physical safeguards designed to protect Personal Information, including:
11.2 Certifications in progress. We are pursuing SOC 2 Type 1 and Type 2 examinations. These efforts are in progress and not yet complete; we do not claim to hold a completed certification. We will update our communications as our compliance posture matures.
11.3 Incident notification. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information (a "Security Incident") affecting Personal Information for which Vithril is the controller, we will notify affected individuals and the relevant supervisory authorities or regulators as and to the extent required by applicable law and without undue delay. Where Vithril acts as a processor for a controlling customer, we will notify that customer without undue delay after becoming aware of a Security Incident affecting their Customer Content, and will reasonably cooperate with the customer's notification obligations, in each case as further specified in the applicable DPA. Notifications will include the information required by applicable law to the extent then known.
11.4 No guarantee. No method of transmission or storage is completely secure. While we work to protect Personal Information, we cannot guarantee absolute security, and you provide information at your own risk.
11.5 Your responsibilities. You are responsible for maintaining the confidentiality of your credentials, configuring access controls and sharing settings appropriately, managing the membership and permissions of workspaces you control, and promptly notifying us of any suspected unauthorized access or use.
11.6 Vulnerability disclosure and safe harbor. We welcome reports of suspected security vulnerabilities. Please report them to security@vithril.com. We aim to acknowledge such reports within one business day. We ask that you act in good faith, avoid privacy violations, degradation, or disruption of the Service, refrain from accessing or modifying data that is not your own, and give us a reasonable opportunity to remediate before any public disclosure. Activities such as denial-of-service attacks, social engineering of our personnel or users, physical attacks, and accessing or exfiltrating data beyond the minimum necessary to demonstrate a vulnerability are out of scope. Security research conducted in good-faith compliance with these guidelines is authorized, and we will not pursue or support legal action against researchers for such research.
12.1 Processing locations. We are based in the United States, and our hosting and processing primarily occur in the United States. Depending on the Service Provider involved (for example, AI model providers, analytics, and email delivery), Personal Information may also be processed in other countries where we or our Service Providers operate. EU data residency is available for Enterprise customers as described in Section 12.4. When you use the Service, your information may therefore be transferred to, stored in, and processed in the United States and other countries that may have data protection laws that differ from those in your jurisdiction. The processing locations of our Subprocessors are described in our Subprocessor list referenced in Section 9, available on request to privacy@vithril.com.
12.2 Transfer mechanisms. Where we transfer Personal Information from the EEA, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, we rely on the European Commission's Standard Contractual Clauses (SCCs) as our primary transfer mechanism, together with the UK International Data Transfer Addendum and Swiss-specific provisions, as applicable, supplemented by additional safeguards where appropriate.
12.3 EU-U.S. Data Privacy Framework. Vithril is not currently certified under the EU-U.S. Data Privacy Framework or its UK and Swiss extensions, and relies on the Standard Contractual Clauses described in Section 12.2 as its primary transfer mechanism. We will update this Privacy Policy if our position changes.
12.4 EU data residency for Enterprise. EU data residency is available for Enterprise customers. Customers who require EU data residency should contact us to discuss eligibility and configuration.
Depending on your jurisdiction, you may have certain rights regarding your Personal Information. The specific rights available to residents of particular U.S. states and of the EEA, UK, and Switzerland are described in Sections 14 through 16.
13.1 Available rights. Subject to applicable law, you may have the right to:
13.2 How to exercise. You may exercise these rights by contacting us at privacy@vithril.com or by postal mail at the address in Section 24.2. Where your Personal Information is contained in a workspace controlled by an organization, we may refer your request to that organization or act on its instructions; please direct such requests to the relevant organization where appropriate.
13.3 Verification. To protect your information, we will take reasonable steps to verify your identity before responding to a request, which may require you to provide information sufficient to confirm your identity. We will not respond to a request we cannot reasonably verify.
13.4 Response times and fees. We respond to verifiable requests within the timeframes required by applicable law. For requests under U.S. state privacy laws, we generally acknowledge receipt within ten (10) business days and respond within forty-five (45) days, with one extension of up to an additional forty-five (45) days where reasonably necessary and with notice to you. For requests under the GDPR and UK GDPR, we respond within one (1) month, extendable by up to two (2) further months for complex or numerous requests with notice to you. We do not charge a fee to respond unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or decline to act, as permitted by law.
13.5 Internal escalation and complaints. If you have a concern about how we handle your Personal Information, we encourage you to contact us first at privacy@vithril.com so we can try to resolve it. We will acknowledge and address your concern in accordance with Section 13.4. This is in addition to, and does not limit, any right you may have to lodge a complaint with a regulator, including as described in Section 16.4.
13.6 Marketing choices. You may opt out of marketing communications at any time by using the unsubscribe mechanism in those messages or by contacting us. Even if you opt out of marketing, we may continue to send you transactional and administrative communications about your account and the Service.
13.7 No discrimination. We will not discriminate against you for exercising any of your privacy rights.
This Section provides additional disclosures for California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"). Terms used in this Section, including "sell," "share," and "Sensitive Personal Information" (which has the meaning given under the CCPA/CPRA and corresponds to the Sensitive Information defined in Section 2.7), have the meanings given under the CCPA/CPRA.
14.1 Categories of Personal Information collected. In the preceding twelve months, we have collected the following categories: identifiers (such as name, email, and IP address); customer records and commercial information (such as billing and transaction data); internet and electronic network activity (such as usage, analytics, and log data); geolocation (approximate, derived from IP); professional or employment-related information (such as organization and role); and other information you include within Customer Content, which may span additional categories.
14.2 Sources. We collect these categories from the sources described in Section 4.
14.3 Business and commercial purposes. We use these categories for the purposes described in Section 5.
14.4 Categories disclosed. We disclose the categories above to the recipients described in Section 8, including Service Providers and Subprocessors, Connected Services and AI providers (as directed), professional advisers, and authorities as required by law.
14.5 No sale or sharing. We do not sell Personal Information, do not share it for cross-context behavioral advertising, and do not engage in targeted advertising. We have not done so in the preceding twelve months.
14.6 Sensitive Personal Information. We do not use or disclose Sensitive Personal Information for purposes beyond those permitted under the CCPA/CPRA that would give rise to a right to limit its use. To the extent you include Sensitive Information within Customer Content, it is processed only to provide the Service.
14.7 Retention by category. We retain each category of Personal Information for the periods, or according to the criteria, set out in Section 10.2 and Section 10.3. In summary: identifiers and professional information associated with an account are retained for the life of the account and deleted within approximately ninety (90) days after closure; commercial and billing records are retained for up to approximately seven (7) years to meet legal obligations; internet and network activity (logs) is retained for up to approximately ninety (90) days; analytics events are retained for up to approximately twenty-four (24) months in identifiable form; geolocation derived from IP is retained as part of the foregoing log and analytics data; and Personal Information contained within Customer Content is retained for the duration of the account or workspace and then deleted as described in Section 10.2(b).
14.8 Your California rights. Subject to verification and legal limits, you have the right to know and access the Personal Information we collect; to know the categories of sources, purposes, and recipients; to correct inaccurate Personal Information; to delete Personal Information; to obtain a portable copy; to opt out of any sale or sharing (which we do not engage in); to limit the use of Sensitive Personal Information; and to be free from discrimination for exercising these rights.
14.9 Notice at collection. This Privacy Policy, including Sections 3 through 5 and Section 10, serves as our notice at collection describing the categories collected, the purposes of use, and our retention practices.
14.10 Authorized agents. You may use an authorized agent to submit a request on your behalf. We may require the agent to provide proof of authorization and may require you to verify your identity directly.
14.11 Appeals. If we deny your request, you may appeal by contacting privacy@vithril.com. We will respond to your appeal as required by law.
14.12 Minors. The Service is available to users who are at least 13 years of age, and minors between 13 and the age of majority may use it only with the consent and supervision of a parent or legal guardian, as described in Section 19 and our Terms of Use. It is not directed to children under 13, and we do not knowingly collect, sell, or share the Personal Information of children under 13. As a statutory matter under the CCPA/CPRA, we do not sell or share the Personal Information of consumers under 16 years of age.
14.13 Submitting requests and methods. California residents may submit requests by contacting privacy@vithril.com or by postal mail at the address in Section 24.2. Vithril operates exclusively online and has a direct relationship with the consumers from whom it collects Personal Information; accordingly, email is our designated method for submitting requests, as permitted under the CCPA/CPRA. We do not use an interactive webform or toll-free number for this purpose.
14.14 Request metrics. If and when Vithril meets the threshold that requires disclosure of annual consumer-request metrics under the CCPA/CPRA, we will publish those metrics in or alongside this Section.
This Section provides disclosures for residents of U.S. states with comprehensive privacy laws, including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other states with similar laws, to the extent they apply to you.
15.1 Your rights. Subject to applicable law and verification, you may have the right to confirm whether we process your Personal Information and to access it; to correct inaccuracies; to delete Personal Information; to obtain a portable copy of Personal Information you provided; and to opt out of targeted advertising, the sale of Personal Information, and certain profiling. As described in Section 8, we do not sell Personal Information, engage in targeted advertising, or share Personal Information for cross-context behavioral advertising.
15.2 Sensitive data. Where required, we process Sensitive Information only as necessary to provide the Service and consistent with applicable law, including obtaining consent where required.
15.3 Recognized opt-out signals. We honor recognized universal opt-out preference signals, such as the Global Privacy Control, where required by applicable law.
15.4 Appeals. If we decline to act on your request, you may appeal by contacting privacy@vithril.com. If your appeal is denied, you may contact your state attorney general where applicable law provides for such a complaint.
15.5 Exercising rights. To exercise these rights, contact privacy@vithril.com. We will verify your request and respond within the timeframes set out in Section 13.4.
This Section provides additional disclosures for individuals in the European Economic Area, the United Kingdom, and Switzerland under the EU General Data Protection Regulation, the UK GDPR, and the Swiss Federal Act on Data Protection, as applicable.
16.1 Roles. For account, billing, security, and analytics data, we act as a controller. For Customer Content, we act as a processor on behalf of the controlling customer and process it only on that customer's documented instructions and to provide the Service, as described in Section 21.
16.2 Legal bases. We process Personal Information on the legal bases described in Section 5.7 (performance of a contract, legitimate interests, legal obligation, and consent).
16.3 Your rights. Subject to applicable law, you have the right to access; rectification; erasure; restriction of processing; objection to processing (including processing based on legitimate interests); data portability; and, where processing is based on consent, to withdraw consent at any time without affecting the lawfulness of prior processing. Response timeframes are set out in Section 13.4.
16.4 Right to lodge a complaint. You have the right to lodge a complaint with your local supervisory authority or data protection regulator. We would, however, appreciate the opportunity to address your concerns first, as described in Section 13.5.
16.5 International transfers. Where we transfer Personal Information outside the EEA, UK, or Switzerland, we rely on appropriate safeguards as described in Section 12, including the Standard Contractual Clauses and the UK International Data Transfer Addendum.
16.6 Automated decision-making. We do not use your Personal Information to make decisions producing legal or similarly significant effects about you that are based solely on automated processing, as described in Section 18.
16.7 Representatives and Data Protection Officer. As of the effective date of this Privacy Policy, Vithril has not appointed an Article 27 EU Representative, a UK Representative, or a Data Protection Officer, and is not asserting that any such role is currently filled. To the extent applicable law requires us to appoint a representative or Data Protection Officer, we will do so and will update this Section to name them and provide their contact details. In the meantime, you may contact us regarding this Privacy Policy or our processing by writing to privacy@vithril.com or by postal mail at the address in Section 24.2.
17.1 Google API Services Limited Use. Our use of information received from Google APIs (including the Google Drive API) adheres to the Google API Services User Data Policy, including the Limited Use requirements. Data obtained from Google APIs is used only to provide and improve the user-facing features for which you authorized the connection. We do not transfer or sell such data to third parties except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice as described in Section 8.7; we do not use such data for serving advertising; and we do not use such data to train, develop, or improve generalized or non-personalized artificial-intelligence or machine-learning models. Any human access to such data occurs only in the limited circumstances described in Section 5.5.
17.2 Microsoft Graph data. Our use of data obtained through the Microsoft Graph APIs (including OneDrive and SharePoint) is similarly limited to providing and improving the user-facing features for which you authorized the connection, in accordance with the permissions you grant and Microsoft's applicable platform terms. We do not use Microsoft Graph data for advertising or to train generalized artificial-intelligence models, and we do not sell it.
17.3 Revoking access. You may revoke our access to a Connected Service at any time through your account settings or through the relevant provider's security or permissions console. Revocation does not affect processing already performed in reliance on your prior authorization.
18.1 Assistive features only. The Service's AI features are assistive and operate at your direction, as described in Section 6.6. They suggest or apply spreadsheet actions, formulas, summaries, and edits that you initiate and control.
18.2 No solely-automated significant decisions by Vithril. Vithril does not use Personal Information to make decisions about you that produce legal or similarly significant effects and that are based solely on automated processing without meaningful human involvement.
18.3 Customer responsibility. If you or your organization use the Service, including its AI features, to make decisions about individuals, you are responsible for ensuring that such use complies with applicable law, including any requirements relating to automated decision-making, profiling, transparency, and human oversight.
19.1 Minimum age; minors. The Service is intended for a general audience and is available to users who are at least 13 years of age, or any higher minimum age required by the laws of your country or region (for example, the applicable digital-consent age, between 13 and 16, under the GDPR and UK GDPR). The Service is not directed to, and may not be used by, children under 13. If you are between 13 and the age of majority in your jurisdiction, you may use the Service only with the consent and supervision of a parent or legal guardian, as described in our Terms of Use. We do not knowingly collect Personal Information from children under 13 (or under the applicable higher age where local law requires it).
19.2 Deletion on notice. If we learn that we have collected Personal Information from a child under 13 (or under the applicable higher age where local law requires it) without the required parental or guardian consent, we will take reasonable steps to delete it. If you believe a child has provided us with Personal Information without such consent, please contact privacy@vithril.com.
20.1 Third-party content. The Service may contain links to, or integrate with, third-party websites, products, and services, including Connected Services and sources retrieved by AI features. We do not control and are not responsible for the privacy practices of those third parties.
20.2 Review their notices. Your use of third-party websites and services is governed by their own terms and privacy notices, which we encourage you to review.
21.1 Controller and processor allocation. Where Vithril processes Customer Content on behalf of a business customer, the customer is the controller and Vithril is the processor. Vithril processes Customer Content solely on the customer's documented instructions and as necessary to provide the Service. The customer is responsible for the lawfulness of the Personal Information it submits, for providing required notices to and obtaining required consents from individuals, and for responding to data subject requests relating to its Customer Content.
21.2 Vithril as controller. For information where Vithril determines the purposes and means of processing, such as account registration, billing, security, and product analytics, Vithril acts as a controller and is responsible for that processing under this Privacy Policy.
21.3 Data Processing Agreement. A data processing agreement (DPA), incorporating applicable Standard Contractual Clauses and Subprocessor commitments, is available to business customers on request by contacting legal@vithril.com. Where executed, the DPA governs our processing of Customer Content. In the event of a conflict between the DPA and this Privacy Policy with respect to Customer Content, the DPA, and as between them the provision more protective of the individual, governs.
22.1 Incorporation of the Terms of Use. This Privacy Policy is part of, and subject to, our Terms of Use. To the maximum extent permitted by applicable law, the disclaimers of warranties, the limitation and exclusion of liability (including the liability cap and the time limitation for bringing claims), the indemnities, and the governing-law and venue provisions set out in the Terms of Use apply to all claims arising out of or relating to this Privacy Policy and to our collection, use, disclosure, and other processing of Personal Information, including claims relating to data loss, security incidents, AI outputs, and privacy.
22.2 Statutory rights preserved. Nothing in this Privacy Policy or the Terms of Use is intended to limit any liability or waive any right to the extent such limitation or waiver is not permitted by applicable law, including any non-waivable statutory remedy (such as a consumer's statutory right of action for certain data breaches under the CCPA/CPRA). Where applicable law does not permit a limitation, exclusion, or waiver, it does not apply to you to that extent, and the remaining provisions continue in effect.
22.3 AI outputs. Without limiting Section 6.6, the warranty disclaimers and limitations of liability in the Terms of Use apply to AI features and AI outputs, which are assistive, may be inaccurate or incomplete, and are not professional advice.
23.1 Updates. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the "Last updated" date shown at the top of this Privacy Policy. For material changes that affect your rights or how we use your Personal Information, we will provide reasonable advance notice before they take effect, such as by email or in-product notice, and, where required by law, we will obtain your consent.
23.2 Acknowledgment. For non-material changes, your continued use of the Service after an updated Privacy Policy becomes effective constitutes your acknowledgment of the update. For material changes, and wherever applicable law requires affirmative consent, the change will take effect only after the advance notice described in Section 23.1 and, where required, your consent.
24.1 How to reach us. If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
24.2 Entity and mailing address. The data controller for the purposes of this Privacy Policy is Vithril, Inc., a Delaware corporation. You may reach us by postal mail at: Vithril, Inc., Attn: Privacy, c/o Corporation Service Company (registered agent), 251 Little Falls Drive, Wilmington, DE 19808, United States. If you are unable to use email to submit a privacy request, you may submit it by postal mail to this address, marked to the attention of "Privacy."
24.3 Accessibility. We are committed to making this Privacy Policy accessible to individuals with disabilities. If you require this Privacy Policy in an alternative format, please contact privacy@vithril.com and we will provide a reasonable accommodation.
24.4 Controlling language. This Privacy Policy is written in English. If we provide a translation, the English-language version controls in the event of any conflict or inconsistency, except where applicable law requires otherwise.