Legal
Vettory · Last updated: 7 July 2026
This policy explains how Vettory Ltd ("Vettory", "we", "us") collects, uses, and protects personal data when you use vettory.co and the Vettory platform (together, the "Service"). Vettory is a UK-based company. We comply with the UK GDPR and the Data Protection Act 2018, and with the EU GDPR where it applies.
Contact: privacy@vettory.co · Vettory Ltd (trading name; registered as KSRED LTD, company number 12527377), Kemp House, 152–160 City Road, London, England, EC1V 2NX, United Kingdom.
Vettory processes personal data in two distinct capacities, and your rights differ depending on which applies:
As a controller, for data about our customers and website visitors: account registration details, billing information, support correspondence, and website analytics. This policy governs that processing.
As a processor, for data our customers put into the platform: skill definitions, organisational structures, team hierarchies, user directories synced via SSO/SCIM, and audit logs recording the actions of a customer's users. For this data, our customer is the controller and our processing is governed by the Data Processing Agreement forming part of our customer contracts. If you are an employee of a Vettory customer and want to exercise rights over this data, contact your employer, and we will support their response.
We use personal data to provide and secure the Service (performance of contract); to detect abuse, investigate incidents, and maintain audit integrity (legitimate interests); to bill and account (legal obligation and contract); to send service announcements (contract) and, with your consent or under legitimate interest with an opt-out, occasional product updates; and to improve the product using aggregated, de-identified usage data.
We do not sell personal data. We do not use customer content — including skill definitions — to train machine-learning models.
We share data only with: subprocessors who host and support the Service (cloud infrastructure, payment processing, email delivery, error monitoring), each bound by data processing terms — a current list is available on request at privacy@vettory.co; professional advisers where necessary; and authorities where legally required. If Vettory is involved in a merger or acquisition, data may transfer to the successor entity under the same protections, and we will notify affected users.
The Service is hosted in the United Kingdom. Where a subprocessor processes data outside the UK/EEA, we rely on adequacy regulations or the UK International Data Transfer Agreement / EU Standard Contractual Clauses.
We apply industry-standard measures including encryption in transit and at rest, role-based access control, audit logging, and least-privilege access for staff. Enterprise customers may request our security documentation under NDA.
Account data is retained for the life of your account plus 90 days. Audit logs processed on behalf of customers are retained according to the customer's configuration and contract. Billing records are kept for 7 years as required by UK tax law. Backups are retained on a rolling cycle in line with our current backup policy.
Under UK/EU data protection law you may request access to, correction of, deletion of, or a portable copy of your personal data; object to or restrict certain processing; and withdraw consent where processing is based on consent. Contact privacy@vettory.co and we will respond within one month. You may also complain to the Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
We use strictly necessary cookies for authentication and session management, and minimal analytics cookies. We do not use third-party advertising cookies.
We will post updates to this policy here and, for material changes, notify account holders by email at least 14 days before they take effect.