Privacy Policy

Last updated: April 7, 2026

Vorantiq is committed to protecting your privacy and processing your personal data with responsibility and transparency. This Policy is applied in accordance with the Saudi Personal Data Protection Law (PDPL), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable international data protection legislation.

1. Data Controller Identity

Vorantiq is the data controller responsible for processing your personal data. For all privacy-related matters:

Data Protection Email: privacy@vorantiq.dev

Website: vorantiq.dev

2. Data We Collect

We collect the following categories of personal data:

Account Data

Full name and email address
Password (bcrypt-hashed — never stored in plaintext)
Registration date and last login timestamp
Two-factor authentication settings (TOTP)

Usage and Performance Data

API usage logs, call counts, and response times
AI agent configurations and workflow definitions
Error logs and technical diagnostics
Device fingerprint (derived from IP + User-Agent via SHA-256)

Billing and Payment Data

Subscription plan and renewal history
Billing details (processed by Paddle — we do not store card data)
Transaction history and invoices

Communication and Support Data

Email correspondence with our support team
Support tickets and their history
Feedback and ratings you provide voluntarily

3. Legal Basis for Processing

We process your personal data on the following legal bases:

Purpose	Legal Basis
Service delivery and payment processing	Contract performance (GDPR Art. 6(1)(b))
Security and fraud prevention	Legitimate interests (GDPR Art. 6(1)(f))
Technical notices and service updates	Contract performance / Legitimate interests
Marketing and promotional communications	Explicit consent (withdrawable at any time)
Compliance with legal obligations	Legal obligation (GDPR Art. 6(1)(c))

4. Data Retention Periods

We retain your data only for as long as necessary to fulfil the stated purposes:

Data Type	Retention Period
Active account data	Duration of subscription
Account data after cancellation	30 days then permanently deleted
Audit and security logs	90 days (configurable for Enterprise plans)
Billing and transaction records	7 years (tax and accounting obligation)
Support ticket history	2 years after ticket closure
Marketing data (with consent)	Until consent is withdrawn

5. Third-Party Data Sharing

We do not sell your personal data to any third party. We share data only with the following service providers strictly for operational purposes:

PaddlePrivacy Policy ↗

Purpose: Payment processing, subscription management, and tax collection

Data shared: Email, billing address, transaction history

Anthropic / OpenAI / Google

Purpose: Processing LLM inference requests via API

Data shared: Agent prompt content (what you send to models)

SentryPrivacy Policy ↗

Purpose: Error monitoring and exception tracking

Data shared: Error logs and technical traces (anonymised)

6. International Data Transfers

Your data may be processed in countries outside the Kingdom of Saudi Arabia or the European Economic Area. In all cases, we ensure appropriate safeguards are in place in accordance with recognised legal frameworks, including Standard Contractual Clauses (SCCs) for EU data transfers.

7. Technical and Organisational Security

We implement multilayered security safeguards to protect your data:

Authentication

JWT + HttpOnly cookies + token rotation with reuse detection

Encryption

TLS 1.3 in transit, bcrypt for passwords

Two-factor auth

TOTP with 10 backup codes, 5-attempt rate limit

Access control

RBAC with 3 levels (admin / developer / user)

CSRF protection

Double-submit cookie pattern

Rate limiting

Redis-backed per-endpoint limits

Security headers

HSTS, CSP, X-Frame-Options, X-Content-Type-Options

Audit logs

Immutable logs with 90-day default retention

8. Your Rights Under Saudi PDPL

Under the Saudi Personal Data Protection Law (PDPL), you have the right to:

Access the personal data we hold about you
Correct inaccurate or misleading data
Request deletion of your data ("right to be forgotten") where legally permissible
Object to processing your data for direct marketing purposes
Receive a copy of your data in a machine-readable format (portability)
File a complaint with the Saudi Data and AI Authority (SDAIA)

9. Additional Rights Under GDPR (EU Users)

Users in the European Union have additional rights under the GDPR:

Right to restriction of processing in certain circumstances
Right to withdraw consent at any time without affecting the lawfulness of prior processing
Right not to be subject to solely automated decisions with significant legal effects
Right to lodge a complaint with your EU member state data protection authority
Right to compensation for damages resulting from unlawful data processing

To exercise any of these rights, contact us at: privacy@vorantiq.dev. We will respond to all legitimate requests within 30 days.

10. CCPA Rights (California Users)

California residents have the right to know what personal data we collect and how it is used, request deletion of their personal data, and not face discrimination for exercising their rights. We do not sell personal data to any third party. To submit a request, contact privacy@vorantiq.dev with subject line "CCPA Request".

11. Cookies and Tracking Technologies

We use the following types of cookies:

Essential cookies: required for service operation (auth session, CSRF protection)
Analytics cookies: to understand how the service is used (anonymised)
Preference cookies: to remember your settings such as language and theme

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may impair core service functionality.

12. Children's Data Protection

The Service is not directed to individuals under the age of 18. If we discover that we have collected personal data from a person under the required age without parental consent, we will immediately delete that data. If you believe a minor has submitted data to us, please contact privacy@vorantiq.dev.

13. Updates to This Privacy Policy

We may update this Policy from time to time. We will notify you of material changes via email and/or a prominent in-platform notice. Your continued use of the Service after the update constitutes your acceptance of the revised Policy.

14. Contact Us

For any privacy inquiries or to exercise your rights:

Privacy Email: privacy@vorantiq.dev

Website: vorantiq.dev

We are committed to the principles of transparency, purpose limitation, accuracy, and data integrity in accordance with all applicable regulatory frameworks. Your privacy is not just a legal obligation — it is a core value.