Privacy Policy
This policy describes how Provectio collects, uses, stores, and protects personal data. It applies to all users of the Provectio platform at provectio.legal. Provectio measures. It does not advise.
1. Data controller
Provectio
Sole proprietorship (enkeltmandsvirksomhed) registered in Denmark
CVR: [pending registration]
Proprietor: Keith Shepherd
Contact: contact@provectio.legal
Privacy enquiries: contact@provectio.legal
Provectio is registered and operates under Danish law. The supervisory authority with jurisdiction over Provectio's data processing activities is the Danish Data Protection Authority, Datatilsynet (datatilsynet.dk).
2. Data we collect
We collect the following categories of personal data:
- Account data: full name, email address, organisation name (optional), account creation date.
- Authentication data: password hash (stored using PBKDF2-HMAC-SHA256 with a random salt; the plaintext password is never stored).
- Consent records: timestamps and records of consents given or withdrawn, as required by GDPR Article 7.
- Usage data: the analysis requests you submit, including submitted text and analysis results. This data is processed to deliver the service and is not retained on Provectio servers after analysis, subject to the exceptions in Section 5.
- Session data: a session token stored in an HTTP-only, secure cookie, used solely to authenticate your session.
We do not collect payment card numbers directly. Payment processing, if introduced, will be handled by a PCI-DSS-compliant third-party processor.
3. Legal basis for processing
We process your personal data on the following legal bases under GDPR Article 6:
- Consent (Article 6(1)(a)): account creation, email verification, and optional marketing communications. You may withdraw consent at any time.
- Legitimate interests (Article 6(1)(f)): fraud prevention, system security, and the integrity of the governed analysis service. These interests do not override your rights.
- Legal obligation (Article 6(1)(c)): where we are required to retain records by applicable law.
4. Third-party processors
Provectio uses the following third-party processors to deliver the service:
- Anthropic API — analysis text is sent to the Anthropic API for semantic classification. Anthropic does not use API inputs or outputs for model training under its default API terms. Retention terms applicable to Provectio's usage are confirmed in the Data Processing Agreement for each engagement. See Anthropic's privacy policy.
- Cloudflare — Cloudflare provides DDoS protection, TLS termination, and the Turnstile CAPTCHA widget used on registration and login forms. Cloudflare processes IP addresses and request metadata as part of its service. See Cloudflare's privacy policy.
We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking technologies.
5. Data retention
- Account data is retained for as long as your account remains active. When you delete your account, all associated personal data is erased immediately.
- Analysis receipts (cryptographic integrity records containing the analysis output and metadata, but not the raw input text) are retained for two years for audit verification purposes. These records do not contain personal data beyond the account identifier.
- Consent logs are retained for the duration required to demonstrate compliance with GDPR Article 7, typically five years, unless you exercise your right to erasure.
- Submitted analysis text is not stored on Provectio servers after the analysis is complete.
- Billing and payment data (transaction records, invoice references) is retained for seven years as required by Danish bookkeeping legislation (bogforingsloven). Payment card details are held by Stripe, not by Provectio.
- Email captures from downloads (email address, name, organisation submitted via the download gate) are retained until you request deletion. The lawful basis for this processing is consent (Article 6(1)(a)), given at the point of submission. If you opted in to marketing communications, that consent is recorded separately and may be withdrawn at any time.
6. Cookies
Provectio uses a single session cookie:
-
Name:
provectio_session
Purpose: authenticates your session after sign-in.
Duration: 24 hours.
Flags: HTTP-only, Secure, SameSite=Lax. The cookie cannot be read by client-side JavaScript and is not transmitted over unencrypted connections.
We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie banner is displayed because no consent-requiring cookies are set.
7. Your rights under GDPR
As a data subject in the European Economic Area, you have the following rights. To exercise any of them, contact contact@provectio.legal or use the automated tools listed below.
| Right | Article | How to exercise |
|---|---|---|
| Right of access — obtain a copy of all data we hold about you | Art. 15 |
Sign in and call GET /auth/export-data, or email
contact@provectio.legal
|
| Right to rectification — correct inaccurate personal data | Art. 16 | Email contact@provectio.legal |
| Right to erasure — delete your account and all associated data | Art. 17 |
Sign in and call DELETE /auth/delete-account, or email
contact@provectio.legal
|
| Right to restriction of processing | Art. 18 | Email contact@provectio.legal |
| Right to data portability — receive your data in a structured, machine-readable format | Art. 20 |
The GET /auth/export-data endpoint returns JSON. Email us if you require
another format.
|
| Right to withdraw consent at any time, without affecting lawfulness of prior processing | Art. 7(3) | Email contact@provectio.legal |
| Right to object to processing | Art. 21 | Email contact@provectio.legal |
We respond to data subject requests within 30 days. There is no charge for requests unless they are manifestly unfounded or excessive.
8. Supervisory authority
If you believe your rights have not been respected, you have the right to lodge a complaint with the Danish Data Protection Authority:
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
datatilsynet.dk
dt@datatilsynet.dk
9. Data security
Provectio operates exclusively over HTTPS. Session tokens are signed JWTs transmitted via HTTP-only secure cookies. Passwords are stored as PBKDF2-HMAC-SHA256 hashes with unique per-user salts using 260,000 iterations. The plaintext password is never stored or logged. Database access is restricted to the application process.
10. International transfers
Provectio's primary infrastructure is hosted by Hetzner Online GmbH in Helsinki, Finland, within the European Economic Area. No personal data is stored outside the EEA.
Two processors involve transient data transfers to the United States:
- Anthropic, PBC (San Francisco, USA) processes analysis text via its API. Anthropic does not use API inputs or outputs for model training under its default API terms. Retention terms applicable to Provectio's usage are confirmed in the Data Processing Agreement for each engagement. Anthropic participates in the EU-US Data Privacy Framework. Where that framework does not apply, Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c) govern the transfer.
- Stripe, Inc. (San Francisco, USA) processes payment data. Stripe is certified under the EU-US Data Privacy Framework and maintains Standard Contractual Clauses for transfers outside the framework's scope.
Cloudflare, Inc. may route traffic through non-EEA points of presence as part of its CDN and DDoS protection services. Cloudflare operates under Standard Contractual Clauses and is certified under the EU-US Data Privacy Framework.
11. Changes to this policy
We may update this policy when the service changes. Material changes will be communicated by email to registered users. The effective date at the top of this page shows when the current version came into force.
12. Contact
Questions about this policy or about how Provectio handles personal data should be directed to contact@provectio.legal.