Legal

Privacy Policy

Last updated June 30, 2026

§ 1

Who this policy is about

Visionably, Inc. ("Visionably", "we", "us") operates the Visionably.ai platform: a document-accessibility API and embeddable widget that turns customer-supplied PDFs into accessible PDF and HTML artifacts. This policy describes how we collect, use, store, and share personal data across three distinct interactions with the platform:

  • End users of visionably.ai who sign in with Google to try the product.
  • Partner administrators who manage an enterprise workspace in the partner dashboard.
  • Visitors to partner websites who interact with the Visionably accessibility widget embedded by those partners.

For visitor interactions with the widget, the partner who embedded it is the data controller and Visionably acts as a data processor for the email and document data the visitor provides. For all other interactions, Visionably is the data controller.

§ 2

Information we collect

From end users:

  • Name and work email address (via Google OAuth).
  • The PDFs you upload, plus the accessible artifacts we produce from them.
  • Job status, timing, and error metadata used to operate the service.

From partner administrators:

  • Workspace name and contact email.
  • Admin email addresses and (where applicable) bcrypt-hashed passwords. We never store plain-text passwords.
  • An audit log of administrative actions (sign-ins, API-key + webhook changes) including IP address and user-agent. Retained for at least 180 days for security review.
  • Last-used timestamps and originating IP for each API key.

From partner-site visitors (via the widget):

  • The URL of the document you ask to be made accessible. The bytes of that document are fetched server-side and processed.
  • The URL of the page the widget was embedded on (for partner analytics).
  • An email address only if you provide one to receive completion notifications. We never collect or sell this address for marketing.
  • Standard request metadata: IP address, user-agent, and timestamps, used for rate-limiting and abuse prevention.

The widget itself does not set cookies on partner sites. The partner dashboard uses a single session cookie (partner_jwt) and the end-user dashboard uses jwt; both are HTTP-only, SameSite=Lax, and used only for authentication.

§ 3

How we use information

We process your information for the following purposes:

  • To deliver the service. Process submitted PDFs, generate accessible artifacts, send notification emails, and surface the results in the dashboard.
  • To operate and secure the platform. Rate-limiting, audit logging, abuse prevention, and incident investigation.
  • To bill partners based on document usage. Cache hits (documents we have already processed for the same partner) are not billed.
  • To meet legal obligations, e.g. responding to a valid subpoena or data-subject request.

Customer documents are never used to train third-party foundation models. We use third-party AI services (see § 4) to perform structural extraction; their terms with us prohibit retention or training on inputs.

§ 4

Subprocessors

We use the following third-party services to operate the platform. Each is bound by a data processing agreement and processes customer data only as instructed by us.

Vendor | Purpose | Data location
MongoDB Atlas | Primary application database (accounts, jobs, audit log) | United States
DigitalOcean Spaces | Source PDFs and accessible-artifact storage (S3-compatible) | Singapore (SGP1)
Resend | Transactional email (completion notifications, invites, password resets) | United States
OpenAI | Structural extraction from rasterized PDF pages. Inputs are not used to train models per OpenAI's API terms. | United States
Google | OAuth sign-in for end users (identifier + email only). | United States
Sentry | Application error reporting. We exclude expected client-side errors and do not transmit document contents. | United States

We will notify partners of material additions or replacements to this list at least 30 days before the change takes effect, via the email on file for the workspace.

§ 5

Data retention

  • Source PDFs and remediated artifacts are retained for 90 days by default, after which the source bytes and outputs are deleted from object storage. Partners on enterprise plans may set a shorter retention window via the dashboard.
  • Job metadata (filename, page count, status, conformance report) is retained alongside the artifacts and is deleted at the same time.
  • Audit log entries are retained for at least 180 days for security review, then pruned.
  • Account records (partners, admins, end-users) are retained for the lifetime of the account and deleted within 30 days of account closure, except where legal obligations require longer retention.
  • Backups follow the same retention windows as the primary records, plus a rolling 30-day backup retention period.

§ 6

Data security

We apply industry-standard safeguards to protect personal data:

  • TLS 1.2+ for all transit; HTTP traffic is redirected to HTTPS at the edge.
  • AES-256 encryption at rest for objects in DigitalOcean Spaces.
  • Bcrypt password hashing (cost factor 12) for partner admins.
  • SHA-256 hashing of API secrets at rest; secrets are shown to the customer exactly once at creation.
  • HMAC-SHA256 signing of webhook payloads to let customers verify authenticity.
  • Per-API-key rate limiting; optional IP allowlisting and per-origin restrictions for publishable widget keys.
  • Append-only audit logging of administrative actions, surfaced in the partner dashboard.

We are working toward SOC 2 Type II attestation but have not yet completed the audit. We will update this policy and notify customers in writing when we hold a valid attestation. Until then, we do not represent the platform as SOC 2 compliant.

§ 7

Your rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access — a copy of the personal data we hold about you.
  • Rectification — correction of inaccurate data.
  • Erasure — deletion of your account and associated personal data, subject to retention obligations.
  • Portability — export of your data in a machine-readable format.
  • Objection — to specific processing activities (notably, you may unsubscribe from any optional communications).

To exercise these rights, contact privacy@visionably.ai. We respond within 30 days. For widget visitor data, contact the partner whose site you used — they are the controller.

§ 8

International transfers

Your data may be transferred to and processed in countries other than your own — in particular the United States and Singapore, as detailed in § 4. Where data leaves the European Economic Area or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum. A Data Processing Agreement incorporating these mechanisms is available to enterprise customers on request.

§ 9

Changes to this policy

We may update this policy from time to time. Material changes (new subprocessors, expanded data collection, changes in retention) will be communicated to partners by email at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

§ 10

Contact

For privacy questions or to exercise data-subject rights, email privacy@visionably.ai. For commercial or contractual matters, email legal@visionably.ai.