Legal
Section 1
This Privacy Policy describes how Vodr collects, uses, discloses, and protects personal data when you use VODR Nexus, including the Nexus CLI, the VODR API, the GitHub Action, and the vodr.ai website. This Policy applies to all users, including free and paid tier customers.
We process personal data in accordance with the GDPR, CCPA/CPRA, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and other applicable privacy laws.
Section 2
Data Controller: Vodr · Data Protection Contact: privacy@vodr.ai · vodr.ai
For GDPR data subject requests, privacy inquiries, DPA questions, and breach notifications, contact privacy@vodr.ai. Response time: 30 days for data subject requests per GDPR Article 12.
Section 3
3.1 Account Data
When you run nexus init, we collect: email address (for key recovery, billing, and notifications) and API key (stored in hashed form). Legal basis: performance of contract (GDPR Art. 6(1)(b)).
3.2 System Descriptions
Text you provide describing your AI system when you run nexus register. Legal basis: performance of contract (GDPR Art. 6(1)(b)).
3.3 Repository Metadata
When you run nexus connect, we extract: package names and versions, database schema field names and table names (for PII pattern detection), AI/ML library import statements and component types, deployment configuration region identifiers, and model file metadata.
What this is NOT: Source code. We do not retain function implementations, variable names, class definitions, comments, test file contents, git commit history, environment variables, secrets, credentials, or any complete file contents. Snapshot files are deleted immediately after metadata extraction.
3.4 Compliance Progress Data
Control statuses and evidence records, compliance scores and coverage indices, governance trigger history, and action plan progress.
3.5 API Call Logs
For every API call: endpoint accessed, timestamp, API key hash, IP address, response status code. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — security monitoring and abuse prevention.
3.6 Payment Data
Payment is processed entirely by Stripe. We store only the Stripe customer ID and subscription status — never credit card numbers, CVVs, or bank account details.
Section 4
Our customers connect their code repositories. You need to know exactly what we keep and what we don't.
For nexus scan-local, repository analysis runs entirely on your machine. Only a package name list is transmitted to the VODR API. No source code, file contents, or schema data leaves your machine.
Section 5
| Purpose | Legal Basis | Data Used |
|---|---|---|
| System classification and compliance tracking | Contract (Art. 6(1)(b)) | System descriptions, repository metadata, compliance data |
| Account management and authentication | Contract (Art. 6(1)(b)) | Account data, API key |
| Billing and subscription management | Contract (Art. 6(1)(b)) | Stripe customer ID, subscription status |
| Vulnerability scanning | Contract (Art. 6(1)(b)) | Package names and versions |
| PII pattern detection | Contract (Art. 6(1)(b)) | Database field names and table names |
| AI-BOM generation | Contract (Art. 6(1)(b)) | AI/ML library names and types, model metadata |
| Security monitoring and abuse prevention | Legitimate interest (Art. 6(1)(f)) | API call logs, IP addresses |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | As required by applicable law |
We do NOT: sell your personal data; use your data for advertising; share your data with data brokers; use your repository data or system descriptions to train AI models; share your data with other customers; profile you for purposes unrelated to the Service; or make automated decisions with legal effects based on your personal data.
Section 6
When your repository metadata contains references to personal data fields (database column names like "email," "phone," "date_of_birth"), Vodr processes that metadata as a data processor under GDPR. You are the data controller. We process this data solely on your instructions — to provide the classification, PII detection, and compliance tracking service.
Vodr does not process the actual personal data in your database — only the field names and table names from the schema. The VODR Data Processing Agreement governs this processing relationship. Team customers requiring a countersigned DPA may request one at privacy@vodr.ai.
Section 7
| Sub-Processor | Location | Function | Data Received |
|---|---|---|---|
| Hetzner Online GmbH | Falkenstein, Germany (EU) | Cloud hosting | All customer data stored on their infrastructure |
| Stripe, Inc. | United States | Payment processing | Customer email, subscription tier, payment method |
| Anthropic PBC | United States | AI inference for classification (paid tiers only) | System descriptions when classification confidence is low |
| GitHub / GitLab / Bitbucket | Various | Repository access | Repository contents via customer's OAuth grant |
Anthropic's API does not retain input data for model training per their commercial API terms. Google LLC (OSV API) receives only package names, ecosystem identifiers, and version strings — no customer-identifying information.
We notify customers of sub-processor changes 30 days before they take effect. You may object to a new sub-processor within 14 days of notification. A current list is maintained at vodr.ai/sub-processors.
We do NOT sell customer data. We do NOT share customer data with any other third parties. We do NOT use customer data for advertising.
Section 8
All customer data resides in the European Union on Hetzner cloud servers in Falkenstein, Germany. Data does not leave the EU except when transferred to Stripe (US, EU-US Data Privacy Framework), Anthropic (US, Standard Contractual Clauses), GitHub/GitLab/Bitbucket (via the Controller's OAuth grant), or Google's OSV API (package names only, no personal data).
For all EU-US transfers, appropriate safeguards are in place including Standard Contractual Clauses approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.
Section 9
| Data Category | Retention Period |
|---|---|
| Account data (email, API key hash) | Duration of account + 90 days |
| System descriptions | Duration of subscription + 90 days |
| Repository metadata (signals) | Duration of subscription + 90 days |
| Compliance progress data | Duration of subscription + 90 days |
| High-risk system audit trails | 3 years per EU AI Act Article 12 |
| API call logs | 90 days |
| Stripe customer ID | Duration of subscription + per tax law |
| OSV vulnerability cache | 24-hour rolling window |
| Snapshot upload files | Deleted immediately after extraction |
Upon cancellation, you have 90 days to export data via nexus export. After 90 days, all data is permanently deleted except high-risk audit trails. You may request immediate deletion at any time via nexus delete (GDPR Article 17 erasure). Vodr provides written confirmation of deletion upon request.
Section 10
Rights Under GDPR (EEA, UK, Switzerland)
- nexus export provides a complete export of all your data in JSON format
- nexus delete triggers permanent deletion of all data for a system
- nexus export provides machine-readable JSON
- nexus disconnect stops repository analysis while retaining compliance data

Rights Under CCPA/CPRA (California)
Right to know what personal information we collect. Right to delete. Right to correct. Right to opt-out of sale — we do NOT sell personal information. Right to non-discrimination.
To exercise your rights: privacy@vodr.ai. We respond within 30 days (GDPR) or 45 days (CCPA/CPRA). Identity verification may be required.
Section 11
For responsible disclosure of security vulnerabilities, contact privacy@vodr.ai.
Section 12
In the event of a data breach affecting customer personal data, Vodr will notify affected customers and the relevant supervisory authority within 72 hours per GDPR Article 33.
Section 13
The vodr.ai website uses zero non-essential cookies. No analytics cookies. No tracking cookies. No advertising cookies. No third-party cookies. The only cookies used are essential session cookies if a web-based authentication flow is initiated (GitHub OAuth redirect). No cookie consent banner is required.
Section 14
VODR Nexus is not directed at individuals under 16. We do not knowingly collect data from minors. If we learn we have collected data from a child, we will delete it promptly. Contact privacy@vodr.ai if you believe a minor has provided us with personal data.
Section 15
The Service may link to third-party websites. We are not responsible for their privacy practices.
Section 16
The Service uses automated processing — including rule-based analysis, pattern matching, semantic analysis, and LLM-backed classification — to classify systems, map obligations, detect PII patterns, identify vulnerabilities, and generate AI-BOMs. The Service does NOT make automated decisions that produce legal effects or significantly affect you as an individual. All outputs are regulatory intelligence intended for review by qualified human professionals. You are not subject to automated decision-making as defined by GDPR Article 22.
Section 17
Material changes are communicated via email at least 30 days before they take effect. The date of the last update is displayed at the top of this document.
Section 18
Privacy and data protection: privacy@vodr.ai
General support: privacy@vodr.ai
Web: vodr.ai