Privacy Policy
Introduction
Vexrail Pte. Ltd. ("Vexrail," "we," "us," or "our") is a Singapore-based software company (UEN: 202543343R) that operates a contextual analytics and adtech platform for AI applications, including large language model (LLM) platforms. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website and services (collectively, the "Services"). We are committed to user privacy and have designed our platform with privacy-preserving techniques (context-only data processing, no personal data collection, hashed sessions, etc.) to comply with applicable privacy laws in Singapore and internationally, including the Singapore Personal Data Protection Act (PDPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
By using Vexrail's Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.
Information We Collect
We do not directly collect personal data such as names, email addresses, or contact details from end users of LLM applications. Our platform is built on contextual data collection, focusing on AI interaction context rather than personal identifiers. The types of information we may collect are:
- Publisher/Advertiser Account Information: If you are a publisher or advertiser partner, we may collect limited business contact information (e.g., name, business email, company name, job title) when you sign up for or communicate with our Services. This information is used to create and manage your account, provide access to the Vexrail dashboard, and communicate with you.
- Website Usage Data: When you visit our website, we may automatically collect technical information such as your IP address (which we may anonymize or truncate), browser type, device information, and browsing actions. We do not use this information to identify you; it is collected for security logging and to analyze website traffic and performance.
- SDK Event Data (Contextual Analytics): When end users interact with an LLM application that has integrated the Vexrail SDK, we collect event data from those interactions. This data is contextual and anonymized:
  - Prompt Data: A portion of the user's prompt or query may be captured in a truncated form for context. We may generate a semantic embedding (a numeric vector representation) of the prompt and infer intent labels or keywords (via our PromptGraph™ technology) for analytics. We deliberately avoid capturing personally identifiable information (PII) in prompts by truncating or filtering out any sensitive data.
  - Response Data: We log metadata about the AI's response, such as the response length (e.g., token count), response time (latency), and possibly a high-level category or summary of the response content (without storing full response text). This helps compute metrics like IntentScore™ (predictive engagement scores) and does not include user-specific identifiers.
  - Interaction/Ad Event Data: If our platform delivers a contextual advertisement or affiliate suggestion (e.g., via BrandGuard or related features) within the AI application, we track non-personal interaction events. These include ad impressions (when an ad is shown), clicks on ads, and conversion events (e.g., if an affiliate link leads to a sign-up or purchase) via anonymized postback URLs. This data is tied only to an anonymized session or context, not to a real identity.
- Derived and Aggregated Data: From the above events, we generate aggregated analytics, such as trends in user intents, content category popularity, and performance metrics (CTR, conversion rates, etc.). These insights (including IntentScore™ analytics, PromptGraph™ mappings, and BrandGuard safety analytics) contain no personal data and cannot be linked back to any specific individual. They may be shared with our publisher and advertiser clients to help them understand usage patterns and ad performance.
Importantly, we do not collect or store any PII from end users. All user sessions in our analytics are identified only by random or hashed identifiers, ensuring users remain anonymous. We do not collect direct identifiers (such as name, email, phone number) or sensitive personal data (such as health, financial, or biometric data) from end users through our SDK. Our platform is cookie-free for end user tracking and does not create cross-site profiles, relying solely on context (prompt and response data) to deliver relevant analytics and ads.
How We Use Information
We use the information we collect for the following purposes:
- To Provide and Maintain the Services: We process contextual prompt and response data to provide analytics and monetization features to our publisher and advertiser clients. For example, we use PromptGraph™ to cluster prompts by intent, and IntentScore™ to predict engagement value. This allows us to deliver relevant insights, such as which topics are trending in an AI application, or to serve context-appropriate advertisements to end users without using personal data.
- To Improve Our Platform: We analyze aggregated data and usage patterns to improve Vexrail's platform performance, features, and algorithms. For instance, aggregated prompt data helps us refine our contextual targeting models and ensure our ad placements (via BrandGuard) are effective and brand-safe.
- To Communicate with Partners: If you are a publisher or advertiser, we use your contact information to send service-related communications (such as account notices, product updates, or security alerts) and to respond to inquiries or support requests. We may also send occasional marketing communications about new features or offerings, but you can opt out of such marketing at any time.
- Compliance and Protection: We may use data as necessary to comply with applicable laws and regulations, and to enforce our Terms of Service. This includes using information to detect, investigate, and prevent fraudulent or illegal activities or security issues. For example, IP addresses in web logs might be reviewed to prevent abuse of our website. We also ensure that our data processing practices align with privacy regulations like GDPR and CCPA (e.g., adhering to data minimization and purpose limitation principles).
- Aggregated Insights and Benchmarks: We may compile aggregated, anonymized statistics (for example, industry-wide benchmarks of AI prompt performance) and share these with our community of publishers and advertisers or in marketing materials. These compilations will never identify any individual and are used to highlight trends (e.g., showing a publisher how their metrics compare to an industry average).
We do not use personal data for any purposes that are incompatible with the above. In particular, we do not sell personal information to data brokers or other third parties, and we do not use data to identify or profile individual consumers outside the context of the Services.
Legal Bases for Processing (GDPR)
If the GDPR applies to the data we process (for example, if some data is considered personal data relating to individuals in the European Economic Area), we ensure that we have a valid legal basis for such processing. Given our privacy-centric design, personal data processing is minimal, but when it occurs, it is based on one of the following legal grounds:
- Legitimate Interests: We process contextual event data and business contact information as necessary for our legitimate interests in providing an analytics and monetization service to our clients, improving our platform, and securing our services. We have weighed these interests against individuals' privacy rights and have implemented extensive privacy safeguards (e.g., anonymization and no PII collection) to mitigate risks. We believe our processing for contextual analytics and non-personalized advertising is less intrusive than traditional tracking-based advertising, and it aligns with industry trends moving away from personal data profiling.
- Consent (if applicable): In general, we do not rely on end user consent for processing their data, because we avoid collecting personal data and our processing is non-intrusive. However, if in certain cases consent is required by law (for instance, if a publisher integrates our technology in a jurisdiction that requires consent for analytics cookies or similar tracking), we require that the publisher obtain valid consent from the end user on our behalf before using our Services. For any direct marketing communications we send to our business contacts, we will obtain your consent where required by law.
- Performance of a Contract: For our registered publisher/advertiser partners, we process your account information to fulfill our obligations under the service agreement (Terms of Service) with you.
- Legal Obligation: If we are subject to any legal requirements to retain or disclose certain data (for example, for tax or accounting records, or upon lawful requests by authorities), we will process personal data as needed to comply.
If you have questions about the legal basis of how we process personal data, you can contact us at the information provided in the "Contact Us" section.
Cookies and Similar Technologies
Vexrail's platform is designed to operate without reliance on cookies for end user tracking. We do not use cookies or browser local storage in our SDK to collect analytics on end users, as our approach is purely context-based and does not require identifying a user across sessions or sites. This means we do not drop advertising cookies or track users across different websites for behavioral advertising purposes (our targeting is confined to the context of the AI conversation itself).
Our corporate website may use a very limited number of cookies:
- Necessary Cookies: If you log in to our dashboard as a publisher or advertiser, a session cookie may be used to maintain your login and preferences. These cookies are essential for the website to function (for example, to keep you logged in as you navigate the dashboard). We do not use these cookies to track you beyond our site.
- Analytics Cookies: If we use any analytics on our website, we strive to use privacy-friendly methods (possibly without cookies or with anonymized data). Any analytics cookie, if present, will only collect aggregate information about website usage (such as pages visited, time spent) and will not collect personal identities.
- No Advertising Cookies: We do not use any advertising or targeting cookies on our website. There are no third-party ad networks collecting data about you through cookies on vexrail.com.
For more details on our cookie practices, please review our separate Cookie Policy. You can control or delete cookies through your browser settings at any time. However, note that if you disable strictly necessary cookies (such as the login session cookie), parts of our site may not function properly for you.
Disclosure of Information
We do not sell or rent any personal information to third parties. Because we do not collect end user personal data, there is no personal data to sell or share for advertising. We may disclose the information we do collect in the following circumstances:
- Service Providers: We may share data with trusted third-party service providers who process data on our behalf to help us operate and improve the Services. For example, we might use cloud hosting providers, data storage services, or analytics tools that assist in processing the contextual data. These providers are bound by confidentiality and data protection obligations and are not permitted to use the data for any purpose other than providing services to Vexrail.
- Publisher/Advertiser Clients: If you are an end user of an AI application, the data about your prompts and interactions (in anonymized form) will be shared with the publisher of that application via our analytics dashboard. Similarly, aggregated campaign performance data might be shared with advertisers (e.g., an advertiser might receive a report that their ads had X impressions and Y clicks in a certain context). These disclosures contain no personal identifiers, only context and performance metrics.
- Aggregated Insights: As noted, we may publicly disclose aggregated, non-identifiable information about trends in AI usage or advertising performance (for example, publishing a report on industry trends). This information will never identify individuals or reveal any personal data.
- Business Transfers: In the event that Vexrail is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information (including any data in our possession, which in our case is primarily business contact information and anonymized analytics data) may be transferred to a successor or affiliate as part of that transaction. In such cases, we will ensure the recipient is bound to respect this Privacy Policy or provide notice and obtain consent if required by law.
- Legal Requirements: We may disclose information if required to do so by law or in the good-faith belief that such action is necessary to (i) comply with a legal obligation, lawful request, or legal process (e.g., a court order or subpoena), (ii) protect and defend the rights or property of Vexrail, (iii) prevent or investigate possible wrongdoing in connection with the Services (such as fraud or security incidents), (iv) protect the personal safety of users of the Services or the public, or (v) protect against legal liability.
In all cases, we limit disclosures to what is necessary and ensure no unwarranted sharing of data. Because our data is largely non-personal, disclosures typically relate to business information or anonymized analytics.
International Data Transfers
Vexrail is based in Singapore, and our infrastructure may be located in or accessible from other countries. If you are accessing our Services from outside of Singapore, be aware that information collected (including any personal data) may be transferred to and stored on servers in Singapore or other jurisdictions that may not have the same level of data protection laws as your home country. However, we will take all necessary measures to ensure that such transfers comply with applicable data protection law and that your data remains protected.
For example, if we transfer personal data from the European Economic Area (EEA) or UK to outside these regions (including to Singapore or the United States), we will rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms as approved under GDPR. We also ensure that our service providers adhere to equivalent protections by contract.
By using our Services or providing us with information, you consent to the transfer of your information to Singapore and any other jurisdiction where we or our service providers operate. We ensure these recipients of the information are obligated to protect it in accordance with this Privacy Policy and applicable data protection law.
Data Security
We take data security seriously and implement reasonable and appropriate technical and organizational measures to protect the information we process from unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption: We use encryption and secure protocols to protect data in transit. Any data exchanged between the SDK and our servers is transmitted over HTTPS or equivalent secure channels.
- Access Controls: Access to our systems and data (including any personal or sensitive contextual data) is restricted to authorized personnel with a valid business need. We employ authentication, access logs, and, where appropriate, multi-factor authentication for administrative access.
- Anonymization & Pseudonymization: As described, we anonymize data at collection by hashing session identifiers and stripping out PII. This significantly reduces the risk that any collected data could be used to identify an individual.
- Data Minimization: We collect only the minimum data necessary for the stated purposes. For instance, we do not collect full text of prompts longer than needed for context, and we avoid collecting any direct identifiers.
- Monitoring and Testing: We regularly monitor our systems for possible vulnerabilities and attacks, and periodically review our security practices. We may also engage in penetration testing and security audits to strengthen our defenses.
- Breach Response: In the unlikely event of a data breach or security incident affecting personal data, we have procedures in place to notify affected parties and regulators as required by law.
Please note that while we strive to protect your information, no system can be guaranteed 100% secure. We encourage you to use caution when sharing information online and to notify us immediately if you have reason to believe your interaction with us is no longer secure.
Data Retention
We retain information only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law or our contractual obligations. Due to our data minimization approach, much of our analytics data is stored in aggregate form without personal identifiers.
- SDK Event Data: The contextual prompt/response and interaction events collected via our SDK are retained for a limited period, primarily to allow analysis of trends over time and to feed into our analytics models. We offer our publisher partners configurable data retention windows -- for example, a publisher may choose to retain detailed event logs for a certain number of days or months, after which the data is automatically deleted or anonymized. By default, we implement retention practices that ensure data is not kept longer than necessary. Aggregated metrics and insights derived from these events may be retained longer since they contain no personal data and are used for benchmarking and historical analysis.
- Business Contact Information: If you are a publisher or advertiser with an account, we retain your account information for as long as your account is active. If you discontinue use of our Services or request deletion of your information, we will delete or anonymize your personal data within a reasonable time after fulfilling any outstanding obligations (for example, record-keeping required for finance or legal purposes).
- Website Logs: Basic web server logs and security logs are generally retained for a short period (a few weeks to a few months) for purposes of monitoring and safeguarding our site, unless we need to retain them longer for security investigations or legal reasons.
Once the retention period expires, we will securely delete or irreversibly anonymize the relevant data. If there is any data we cannot fully delete (for instance, data stored in backups), we will ensure it is isolated and protected until deletion is possible.
Your Rights and Choices
Depending on your jurisdiction, you have certain rights regarding your personal data. Because Vexrail largely processes non-personal and anonymized data, these rights may be limited in scope. However, we are committed to respecting the rights of individuals whose personal data we do hold, such as our business contacts or any end-user data that might be considered personal under law.
Rights Under Singapore PDPA:
If you are in Singapore, you have the right to request access to personal data we hold about you and information about how we have used or disclosed that data. You also have the right to request correction of your personal data if it is inaccurate or incomplete. If we do hold any of your personal data, you may contact us to exercise these rights. We may require proof of identity and sufficient details to locate your information. Note that the PDPA does not include a specific right to deletion, but if you withdraw consent for us to use your personal data (where we rely on consent), we will cease such use and/or delete the data unless an exception applies.
Rights Under GDPR (EU/EEA):
If you are located in the EU/EEA (or the UK, which has similar laws), you have the following rights with respect to personal data we hold about you:
- Access: You can ask for confirmation of whether we are processing your personal data and request a copy of that data.
- Rectification: You can request that we correct any inaccurate or incomplete personal data.
- Erasure: You can request that we delete your personal data, under certain conditions (for example, if the data is no longer necessary for the purposes collected, or if you withdraw consent and there's no other legal basis).
- Restriction: You can ask us to restrict the processing of your personal data under certain scenarios (for instance, while we address a claim that the data is inaccurate or if you object to our processing).
- Objection: You can object to our processing of your personal data if you believe our legitimate interests in processing no longer outweigh your rights and interests. You also have the right to object if we were to use your personal data for direct marketing (which we do not do).
- Data Portability: Where processing is based on consent or contract and carried out by automated means, you have the right to request a copy of your personal data in a structured, commonly used, machine-readable format, for transfer to another provider.
- Withdraw Consent: If we rely on consent for any specific processing, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
- Complaint: You have the right to lodge a complaint with a supervisory authority in the EU if you believe we have infringed your privacy rights.
Rights Under CCPA/CPRA (California):
If you are a California resident, you have certain rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):
- Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you, the categories of sources of that information, the business purpose for collection, and the categories of third parties with whom we share personal information. (Note: Given our business model, we generally do not collect personal information about consumers in a way that identifies them, other than business contact data.)
- Right to Delete: You can request that we delete personal information we have collected from you, subject to certain exceptions (for example, if the information is necessary to complete a transaction, detect security incidents, comply with legal obligations, etc.).
- Right to Correct: You can request that we correct inaccurate personal information that we hold about you.
- Right to Opt-Out of Sale/Sharing: CCPA gives you the right to direct a business that sells personal information or shares it for cross-context behavioral advertising to stop doing so. However, Vexrail does not sell personal information, and we do not share personal information for cross-context behavioral advertising purposes. We do not disclose your data to third-party advertisers in a way that would be considered a "sale" or "sharing" under CCPA definitions. Therefore, we do not provide a "Do Not Sell or Share My Personal Information" link, as we do not engage in those practices. If this changes in the future, we will update our policies and provide appropriate notices.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. For example, we will not deny you our Services or provide a different level of service because you exercised your rights.
If you are a California resident and would like to exercise your CCPA rights, please contact us as described below. We may need to verify your identity (such as by confirming information we may have on file, like your email address) before fulfilling your request. You may designate an authorized agent to make requests on your behalf, but we will require proof of the agent's authorization and verification of your identity.
End Users of Publisher Applications:
If you are an end user of an AI application that uses Vexrail's analytics or ad services (i.e., you have interacted with a chatbot or LLM that showed you an ad or that collects prompt analytics), and you have concerns or inquiries about data related to you, we recommend you first contact the publisher or provider of that application. In many cases, Vexrail acts as a data processor/service provider to the publisher, and the publisher is responsible for handling requests from its users. We will assist our publishers in responding to any legitimate data access or deletion requests as required by law. If you contact us directly with such a request, we may need to ask you for additional information (such as the name of the AI application and details of your interaction) to locate any relevant data, and we may refer your request to the appropriate publisher.
Choices:
Because we do not use personal data for marketing or unrelated purposes, there are limited choices you need to make regarding our use of your data. Nonetheless:
- You may opt out of receiving marketing emails from us (business communications to publishers/advertisers) by using the unsubscribe link in those emails or contacting us.
- You can disable cookies on our website through your browser settings (as discussed in the Cookie Policy), though our site uses minimal cookies.
- If you have an account with us, you may review and update your contact information at any time by logging into the dashboard or contacting support.
Third-Party Links and Services
Our website or communications may contain links to third-party websites or services, such as documentation pages, partner websites, or news articles. This Privacy Policy does not cover how those third parties collect or use your data. If you follow a link to any third-party site, you should review their own privacy policies. Vexrail is not responsible for the privacy practices or content of external sites.
Additionally, if any third-party services are integrated into our platform (for instance, if a publisher uses a third-party AI provider or a payment processor in conjunction with our platform), any data provided to those services is governed by their respective privacy policies and terms.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our business, technology, legal requirements, or for other operational reasons. If we make material changes to this Policy, we will notify our users by posting the updated Policy on our website and updating the "Last Updated" date at the top. In some cases, we may also notify you via email or through the dashboard (for registered partners) if the changes are significant.
We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Continued use of our Services after any update to this Privacy Policy constitutes your acceptance of the changes.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
VEXRAIL PTE. LTD. (UEN: 202543343R)
Attn: Data Protection Officer / Privacy Team
Email: niko@vexrail.com
Address: 32 Pekin St, Singapore 048762
(Please include "Privacy Inquiry" in the subject line of your email.)
We will respond to your inquiry as soon as reasonably possible, and in any case within the time required by applicable law. If you are not satisfied with our response and are located in a jurisdiction with a data protection authority, you may have the right to lodge a complaint with that authority (for example, the Personal Data Protection Commission in Singapore or a supervisory authority in the EU).
Thank you for trusting Vexrail. We are dedicated to maintaining your privacy and delivering a secure, privacy-first analytics experience for the AI ecosystem.