Privacy Policy

Last updated: February 2026

1. Data Controller

Vysion BV, a company incorporated in Belgium, is the data controller for the personal data processed through the Vysion platform.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Your name and email address (via Microsoft Entra ID or Google OAuth)
  • Organization/company name
  • Payment information (processed securely via Stripe — we never store card numbers)

2.2 Email Data

To provide our email security service, we access your Microsoft 365 or Gmail mailbox via OAuth authentication. We process:

  • Email metadata (sender, recipient, subject, timestamps)
  • Email body content for real-time threat analysis
  • Attachment metadata (filenames, types, sizes) and PDF content for threat scanning
  • IBAN numbers found in email bodies for fraud-baseline tracking

Important: We do NOT permanently store your email content. Emails are analyzed in real-time and only security-relevant metadata (sender addresses, detected IBANs, threat classifications) is retained. The full email body is discarded immediately after analysis.

2.3 IBAN Baseline Data

We maintain a per-organization baseline of known sender IBAN numbers. This allows us to detect IBAN change fraud. Stored data includes:

  • Sender email address (normalized)
  • IBAN values associated with that sender
  • Verification status (pending/verified)

2.4 Usage & Technical Data

We automatically collect:

  • Log data (IP address, browser type, pages visited)
  • Device information
  • Actions taken within the platform (audit log)

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)): Processing account data, email data and payment data is necessary to provide the Vysion security service you subscribe to.
  • Legitimate interest (Art. 6(1)(f)): Analyzing email content for threat detection, maintaining the IBAN baseline, improving our detection algorithms, and ensuring the security of our platform.
  • Consent (Art. 6(1)(a)): Where we use non-essential cookies (analytics, functional) or process data for optional features, we obtain your explicit consent.
  • Legal obligation (Art. 6(1)(c)): Where required by applicable law (e.g., tax record keeping for billing data).

4. Data Processors & Sub-processors

We do NOT sell your data. We share information with the following processors:

Processor               | Purpose                                        | Location
------------------------|------------------------------------------------|----------------------
Stripe, Inc.            | Payment processing & subscription management   | USA (EU SCCs)
Microsoft Corporation   | OAuth authentication, Graph API mailbox access | EU / USA (EU SCCs)
Google LLC              | OAuth authentication, Gmail API mailbox access | EU / USA (EU SCCs)
Vercel Inc.             | Application hosting & CDN                      | EU (Frankfurt region)
Have I Been Pwned       | Breach monitoring (email/domain checks)        | Australia

All sub-processors are bound by data processing agreements with appropriate safeguards, including Standard Contractual Clauses (SCCs) for transfers outside the EEA.

5. How We Use Your Information

We use your information to:

  • Provide and maintain our email security service
  • Detect and alert you to potential security threats (phishing, BEC, IBAN fraud)
  • Build and maintain your trusted sender & IBAN baseline
  • Process payments and manage your subscription via Stripe
  • Monitor for data breaches affecting your organization
  • Send service-related communications
  • Improve our detection algorithms and service quality
  • Comply with legal obligations

6. Data Security

We implement appropriate technical and organizational measures including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Secure OAuth 2.0 authentication (we never see your email password)
  • Role-based access control within organizations (Owner/Admin/Member)
  • Audit logging of sensitive actions
  • Rate limiting and abuse prevention
  • Regular security reviews

7. Data Retention

  • Account data: Retained for the duration of your active account.
  • Security event data: Retained for 12 months, then automatically deleted.
  • IBAN baseline data: Retained for the duration of your organization's subscription.
  • Audit logs: Retained for 12 months.
  • Billing data: Retained as required by Belgian tax law (7 years).

Upon account deletion or subscription termination, we delete or anonymize your personal data within 30 days, except where retention is required by law.

8. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the right to:

  • Access (Art. 15): Request a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate or incomplete data
  • Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Restriction (Art. 18): Request restriction of processing
  • Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Object (Art. 21): Object to processing based on legitimate interest
  • Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is consent-based

To exercise these rights, contact us at privacy@vysion.be. We will respond within 30 days as required by GDPR.

You can also delete your data directly from Settings > Danger Zone within the Vysion platform.

9. Cookies

We use the following categories of cookies:

  • Necessary cookies: Required for authentication, session management, and locale preferences. These cannot be disabled.
  • Functional cookies: Remember your preferences and settings (e.g., sidebar state, dismissed banners). Require your consent.
  • Analytics cookies: Help us understand how users interact with our platform to improve the service. Require your consent.

We do not use advertising or tracking cookies. You can manage your cookie preferences at any time via the "Cookie Settings" link in the footer.

10. International Data Transfers

Your data is primarily processed within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to US-based sub-processors), we ensure appropriate safeguards are in place through:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • EU-US Data Privacy Framework certifications (where applicable)

11. Children's Privacy

Our service is a B2B platform not intended for individuals under 16 years of age. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the platform at least 30 days before the changes take effect. Continued use after notification constitutes acceptance.

13. Supervisory Authority

You have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / GBA):

You may also lodge a complaint with your local supervisory authority if you are located in another EU/EEA member state.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: