GDPR Compliance

Our commitment to protecting your data.

Our Commitment

Vectail is committed to complying with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) across all of its activities. Protecting the personal data of our Users and their customers is a priority.

As a provider of a search service for e-commerce, Vectail acts:

  • As data controller for the data of its own Users (accounts, billing, browsing on vectail.com)
  • As data processor for the search data of visitors to Users' e-commerce websites (search queries)

Technical and Organisational Measures

Vectail implements the following measures to ensure data security:

  • Encryption in transit: all communications are encrypted via HTTPS
  • Encryption at rest: stored data is encrypted using Google Cloud's native mechanisms
  • Secure authentication: hashed passwords, protection against brute-force attacks
  • Access control: principle of least privilege, restricted access to production data
  • Logging: audit trail of data access and operations
  • Backups: automated encrypted backups with a defined retention policy
  • Updates: regular application of security patches

Sub-processors

Vectail uses the following sub-processors for data processing:

  • Google Cloud Platform / Cloud Run / Firestore: Application hosting and database. Servers in Europe (europe-west1 region). GDPR compliant, ISO 27001 and SOC 2 certified.
  • Google Vertex AI Search for Retail: AI search engine. Product data and queries are processed to deliver results. Processed in the "global" region (may include servers outside the EU). Google does not reuse the data for other purposes.
  • Firebase Authentication / Hosting: User authentication and showcase site hosting. Google LLC, GDPR compliant.
  • LemonSqueezy (Lemon Squeezy LLC): Payment provider and subscription management. Secure processing of billing data (card details not stored by Vectail).
  • Brevo (formerly Sendinblue): Sending transactional emails (account confirmation, alerts, notifications). French company, data hosted in Europe.

Each sub-processor has its own GDPR-compliant data processing terms (DPA), which Vectail accepts as part of using their services.

Processing Register

  • Account management: Name, email, hashed password - Basis: performance of a contract - Retention: duration of subscription + 3 years
  • Billing: Address, payment data (via provider) - Basis: legal obligation - Retention: 10 years
  • E-commerce search: Search queries - Basis: legitimate interest - Retention: duration of subscription
  • Dashboard analytics: Aggregated search metrics - Basis: legitimate interest - Retention: duration of subscription
  • Communication: Email, messages - Basis: consent / legitimate interest - Retention: 3 years after last contact

To exercise your rights (access, rectification, erasure, portability, objection) and for any request relating to your personal data, please see our Privacy Policy.

Last updated: March 2026