Privacy Policy

Last updated March 30, 2026

Vext as controller

For the marketing site, account creation, authentication, billing, security, support, and analytics on public pages, Vext generally acts as the data controller.

Vext as processor

When customers use Vext to import contacts, connect CRMs, automate messages, or process conversations, Vext generally acts as a processor or service provider on the customer's instructions.

This Privacy Policy explains how Vext Chat ("we", "us", "our") collects, uses, stores, and protects personal data when you visit vext.chat, create an account, or use our Services. By using our Services, you acknowledge that you have read and understood this Privacy Policy.

1. Who This Policy Covers

This policy applies to:

  • Visitors of vext.chat who browse our public marketing pages.
  • Users who create accounts, sign in, or access the Vext platform.
  • Customers who connect third-party services, import contacts, or configure messaging workflows.
  • End-users whose data is processed by our customers through the Vext platform.

If you are an end-user of a customer using Vext, that customer is responsible for providing you with privacy notices about their use of Vext to process your data.

2. Personal Data We Process

We may collect and process the following categories of personal data:

  • Account and Profile Data: name, email address, password (hashed), profile photo, locale preferences, timezone settings, and account preferences.
  • Authentication and Integration Data: OAuth tokens, refresh tokens, profile identifiers, and metadata from connected accounts including Google, HubSpot, Zoho, GoHighLevel, and other third-party services you choose to integrate.
  • Contact and Messaging Data: names, phone numbers, email addresses, company information, CRM records, conversation history, message content, workflow triggers, delivery status, timestamps, and automation logs that you import or generate through the platform.
  • Usage and Technical Data: IP address, browser type and version, operating system, device information, pages visited, features used, session duration, referral source, and click patterns.
  • Operational and Security Data: system logs, audit trails, error reports, rate-limiting events, abuse prevention signals, authentication events, and security incident data.
  • Billing and Commercial Data: payment method details (processed by our payment providers), billing address, transaction history, subscription status, plan tier, credit usage, and VAT/invoicing information.
  • Cookie and Consent Data: cookie consent choices, analytics preferences, and session identifiers necessary for platform functionality.

3. Why We Use Personal Data

We process personal data for the following purposes:

  • Service Provision: To create and manage user accounts, authenticate users, and provide the Vext messaging automation platform.
  • Platform Operations: To import, sync, and manage customer contact data; send, receive, schedule, and track messages; operate AI agents, workflows, and delivery monitoring.
  • Integrations: To connect with third-party services (CRM, Google, messaging channels) as configured by users.
  • Billing and Payments: To process payments, manage subscriptions, handle credits and top-ups, and maintain financial records.
  • Security and Compliance: To detect and prevent abuse, unauthorized access, fraud, and violations of our Terms; to comply with legal obligations; to maintain audit trails.
  • Product Improvement: To analyze usage patterns, troubleshoot issues, and improve platform reliability and performance (using aggregated/anonymized data where possible).
  • Communication: To send service-related notifications, security alerts, billing information, and support responses. With consent, we may also send product updates and marketing communications.
  • Analytics: To understand traffic on public marketing pages using Google Analytics, but only with your explicit consent.

4. Legal Bases Under GDPR

We process personal data based on one or more of the following legal grounds:

  • Contract: Processing necessary to fulfill our contract with you, including providing the Vext service, managing your account, performing integrations, and handling billing.
  • Legitimate Interests: Processing for our legitimate business interests, including fraud prevention, service security, internal analytics, product improvement, and network/computer security.
  • Consent: Processing based on your explicit consent, such as for non-essential cookies, Google Analytics, and marketing communications. You can withdraw consent at any time.
  • Legal Obligation: Processing necessary to comply with applicable law, including tax regulations, data protection laws, and lawful requests from authorities.
  • Vital Interests: Processing necessary to protect someone's life in emergency situations.

5. International Data Transfers and Data Privacy Framework

5.1 Data Privacy Framework Compliance

Vext complies with the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We also adhere to the Swiss-U.S. DPF Principles for data received from Switzerland.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov.

5.2 International Transfers

We may transfer personal data to countries outside the European Economic Area (EEA), including the United States. When we do, we ensure appropriate safeguards are in place through:

  • The EU-U.S. Data Privacy Framework and UK Extension to the EU-U.S. DPF.
  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where the destination country has been recognized as providing adequate protection.

For personal data stored with our third-party providers in the US, we ensure they comply with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, or have appropriate alternative safeguards in place.

5.3 Onward Transfers

Our accountability for personal data that we receive under the Data Privacy Frameworks and subsequently transfer to a third party is described in the Data Privacy Framework Principles. In particular, we remain responsible and liable under the Principles if third-party agents that we engage to process personal data on our behalf do so in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

6. Sharing and Third-Party Recipients

We may share personal data with the following categories of recipients:

  • Service Providers: Hosting, cloud infrastructure, storage, monitoring, and security providers necessary to operate our platform.
  • Payment Processors: Payment providers such as Stripe or Polar for billing and subscription management.
  • Authentication Providers: OAuth and identity providers for account authentication and integration connections.
  • Messaging and Channel Providers: WhatsApp (Meta), Telegram, and other messaging platforms through which messages are sent and received.
  • Integration Partners: Google, HubSpot, Zoho, GoHighLevel, and other services you choose to connect to Vext.
  • Analytics Providers: Google Analytics, but only with your explicit consent for public marketing pages.
  • Professional Advisers: Legal, accounting, and consulting professionals as necessary for our business operations.
  • Government and Law Enforcement: When required by applicable law, court order, or to protect our rights, property, or safety, or that of our users or others.

We have appropriate contracts in place with our service providers to ensure they process personal data only according to our instructions and in compliance with applicable data protection laws.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

  • Account Data: Retained for the duration of your account plus a reasonable period (typically 7 years) after account closure to comply with legal obligations and for fraud prevention.
  • Messaging and Workflow Data: Retained according to your account settings and applicable legal requirements. You may delete certain data through the platform, subject to legal retention requirements.
  • Billing and Transaction Data: Retained for 7-10 years as required by tax and accounting regulations.
  • Analytics and Cookie Data: Analytics data is retained according to Google Analytics retention settings. Cookie consent data is retained for the duration of the cookie's validity.
  • Security Logs: Retained for a period necessary for security monitoring, investigation, and legal compliance (typically 1-2 years).

Upon account closure, we will delete or anonymize your personal data in accordance with our retention policy, except where we are required to retain it by law or for legitimate business purposes such as fraud prevention.

8. Your Data Protection Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

  • Right to Access: You have the right to request access to the personal data we hold about you, including categories of data and how we collect, process, and share it.
  • Right to Rectification: You have the right to request correction of inaccurate personal data and completion of incomplete data.
  • Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your personal data in certain circumstances, subject to legal retention requirements.
  • Right to Restriction: You have the right to request that we restrict processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Right to Complain: You have the right to lodge a complaint with a data protection authority about our collection and use of your personal data.

To exercise your rights, please contact us using the details in the Contact section. We will respond to your request within 30 days, or as required by applicable law. We may need to verify your identity before fulfilling your request.

If Vext processes personal data as a processor on behalf of one of our customers, we may need to direct your request to that customer because they control the processing purpose and are the data controller for that data.

9. Automated Decision-Making

We use automated systems to help protect the security and integrity of our platform. These systems may:

  • Monitor for suspicious login patterns or account activity to detect potential fraud or unauthorized access.
  • Analyze message patterns to identify potential spam or abuse.
  • Flag accounts for review based on unusual billing or usage patterns.

When automated systems identify potential issues, trained staff review the findings before taking action that significantly affects users. You have the right to contest decisions made solely by automated means that have legal or similarly significant effects on you.

10. Data Breach Notification

We have implemented processes to detect, respond to, and mitigate personal data breaches. In the event of a breach that affects your personal data and is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (where legally required).

Notifications will include:

  • The nature of the breach and categories of data affected.
  • Potential consequences and risks to you.
  • Measures taken or proposed to address the breach.
  • Steps you can take to protect yourself.
  • Contact details for more information.

We will also notify applicable data protection authorities of breaches as required by law.

11. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Industry-standard encryption for data at rest where applicable.
  • Access controls and authentication mechanisms.
  • Regular security assessments and monitoring.
  • Employee training on data protection and security.
  • Incident response procedures.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. Cookies and Analytics

Public pages use essential cookies and, only with your explicit consent, Google Analytics. See our Cookie Policy for more detail and to understand how to manage your preferences.

13. GDPR Representative (Article 27)

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Vext has appointed a representative in the European Union for matters related to data protection.

EU GDPR Representative

Email: gdpr@vext.chat
Address: Milan, Italy

For matters pertaining to the GDPR, EU residents may contact our representative directly.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.

Your California privacy rights include:

  • Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information. We share personal information with service providers only for business purposes.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information to certain business purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your California privacy rights, please contact us using the information below. We will verify your request using information associated with your account.

15. Contact Information and Data Protection Officer

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:

Data Protection Officer

Vext Chat
Website: vext.chat
Email: info@vext.chat

We aim to respond to privacy-related inquiries within 30 days. For urgent matters, please indicate "Privacy Request" in the subject line.

You also have the right to lodge a complaint with a data protection authority in your country of residence, place of work, or where an alleged infringement occurs.

Go back home Terms of Service Cookie Policy