
Vespper Inc. Privacy Policy

Effective Date: October 18, 2025 | Last Updated: October 18, 2025

Welcome

To provide this website and our software products and services (collectively, the "Services"), Vespper Inc. ("Vespper," "we," "us," or "our") collects and processes personal data, including from customers and visitors. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below and consent to our collection, use, and sharing of your information as described in this Privacy Policy.

Your privacy and the security of your personal data are important to us. Please read this Privacy Policy carefully.

Your use of the Services is governed by our Terms of Service, which incorporate this Privacy Policy.

What This Privacy Policy Covers

This Privacy Policy explains how we treat Personal Data that we collect when you access or use our Services. "Personal Data" means any information that identifies or relates to a particular individual and includes information defined as "personal data," "personal information," or "personally identifiable information" under applicable data protection laws, including the GDPR, CCPA/CPRA, and relevant U.S. state privacy laws.

This Policy also describes how we handle confidential business information uploaded by enterprise customers ("Customer Content"), which may include non-personal regulatory or technical documentation.

This policy does not apply to the practices of third parties that we do not own or control.

Categories of Personal Data We Collect

Category | Examples | Categories of Third Parties With Whom We Share Data
Identity & Profile Information | Name, email, phone number, organization, password, job title | Service providers; authorized partners
Documents & Data You Provide | Uploaded regulatory files, internal documents, annotations, metadata, or extracted text | Service providers (including AI infrastructure), parties you authorize
Account & Online Identifiers | Login credentials, IP address, device ID, browser type | Hosting and analytics providers
Payment Information | Credit card number, billing address (processed by Stripe or similar providers) | Payment processors
Usage & Analytics Data | Page interactions, session IDs, referring URLs, error logs | Analytics providers (e.g., PostHog, Google Analytics)
Communications | Emails, messages, and support requests | Customer support vendors

We may also collect limited health or clinical data only when such information is included within regulatory or scientific documentation uploaded by the customer. Vespper is not intended for the storage or processing of Protected Health Information (PHI) unless governed by a separate, executed Business Associate Agreement (BAA).

Sources of Personal Data

We collect Personal Data from:

  • You directly: when you create an account, upload documents, communicate with us, or interact with our Services.
  • Automatically: via cookies and similar technologies (see Cookies and Tracking Tools).
  • Third parties: such as analytics vendors, payment processors, or integration partners.

Purposes for Processing Personal Data

We process Personal Data to:

  • Provide and improve the Services — creating accounts, processing payments, supporting collaboration, ensuring functionality.
  • Ensure security and compliance — fraud detection, debugging, and preventing unauthorized access.
  • Develop and enhance our products — improving AI models, features, and performance using anonymized or synthetic data.
  • Communicate with you — responding to inquiries, sending updates, and operational notices.
  • Conduct marketing — promoting our Services in accordance with your preferences.
  • Fulfill legal obligations — responding to lawful requests and enforcing our rights.

We do not use customer confidential content or uploaded documents to train publicly available or third-party AI models. Any AI-related product development is performed using anonymized, de-identified, or synthetic datasets under strict contractual and technical controls.

How We Share Personal Data

We share Personal Data with:

  • Service Providers: hosting, analytics, customer support, and payment vendors.
  • Parties You Authorize: collaborators or third-party platforms you connect to our Services.
  • Legal and Regulatory Authorities: where required by law or legal process.
  • Business Transfers: in the event of a merger, acquisition, or asset sale.

A current list of authorized subprocessors (including cloud infrastructure, analytics, and AI vendors) is available upon request. All subprocessors are bound by written agreements requiring data protection and confidentiality consistent with our obligations to customers.

A Data Processing Addendum (DPA) consistent with GDPR Article 28 and applicable U.S. privacy laws is available upon request or incorporated into enterprise agreements.

We do not sell or share Personal Data as defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Cookies and Tracking Tools

We use cookies and similar technologies (e.g., web beacons, pixels) to:

  • Maintain sessions and authentication
  • Measure site performance
  • Understand user behavior

You can control cookies through your browser settings. Disabling cookies may limit certain features of the Services.

Data Security and Retention

We apply technical and organizational measures aligned with recognized industry standards to protect data from unauthorized access, disclosure, alteration, or destruction. While no online system is fully secure, we continually assess and improve our safeguards to meet enterprise expectations.

We retain Personal Data for as long as necessary to provide our Services, comply with legal obligations, or as required by our customer contracts. Upon termination of an account, data is deleted or returned within 90 days unless otherwise required by law. Aggregated or de-identified data may be retained indefinitely for research or analytics purposes.

In the event of a data breach affecting your Personal Data, we will notify affected users and relevant authorities as required by applicable law — within 72 hours for GDPR-covered data or within the timeframe required by U.S. state law.

Children's Privacy

We do not knowingly collect Personal Data from children under 16. If we learn that a child has provided us data, we will delete it promptly.

International Data Transfers

Your information may be transferred and processed outside your country of residence, including in the United States.

For EU/UK residents, such transfers rely on the EU–U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission and UK authorities.

We maintain records of cross-border data transfers and ensure adequate protection consistent with applicable data protection laws.

Your Rights

Depending on your location, you may have the right to:

  • Access, correct, or delete your Personal Data
  • Object to processing or request restriction
  • Request data portability
  • Withdraw consent

U.S. residents in California, Virginia, Colorado, Connecticut, and Utah may exercise equivalent rights under their respective privacy laws.

To exercise your rights, contact us at privacy@vespper.com.

State and Regional Privacy Rights

Residents of California, Virginia, Colorado, Connecticut, and Utah may request disclosure of categories of Personal Data collected or shared, request correction or deletion, and opt out of targeted advertising or data sharing.

Submit requests to privacy@vespper.com with the subject line "Privacy Request."

We do not sell or share Personal Data as defined under the CCPA/CPRA.

Regulatory Compliance

Vespper is designed and operated with controls intended to support compliance with relevant life-science and data-protection frameworks, including:

  • 21 CFR Part 11 — electronic records and signatures, when configured appropriately by the customer.
  • GxP principles — quality and audit controls for regulated environments.
  • HIPAA — while Vespper is not currently a certified Business Associate, we can enter into Business Associate Agreements (BAAs) with covered entities as needed.
  • GDPR / UK GDPR / U.S. State Privacy Laws — lawful processing, data subject rights, and security obligations.

Vespper follows industry-standard security practices and is working toward formal certification as part of our ongoing compliance roadmap.

Changes to This Privacy Policy

We may update this Privacy Policy periodically. The updated version will be posted on vespper.com with a new Effective Date. Continued use of the Services after changes indicates acceptance. Archived versions are available upon request.

Contact Information

Vespper, Inc.
📧 privacy@vespper.com

🌐 https://vespper.com

🏢 548 Market Street, San Francisco, CA 94104, USA

For GDPR-related matters, contact our Data Protection Officer at privacy@vespper.com.
