Privacy Policy
This Privacy Policy explains how we collect, use, share and protect personal data when you use our websites and Services (Vector56, Sustate, TrueTrack, Hive56, Lite56, Axis56, continue.fit, QuietShift, Suggistit, MyCookingMyRules and any other product operated by 98M7 Group OÜ).
1. Data Controller
The Controller of your personal data is 98M7 Group OÜ, a company registered in Estonia (registry code 16752935), with registered office at Tallinn, Estonia. You can contact us about privacy matters via the contact page. We have not appointed a Data Protection Officer because we are not legally required to do so (our processing does not meet the GDPR Article 37 thresholds).
2. Scope
This policy covers personal data we process as Controller — typically about visitors to our websites, account holders, customers, prospects, and people who contact us. Where we process personal data on behalf of a business customer (for example, personal data the customer uploads into the Services), we act as Processor and our Data Processing Agreement applies.
3. What data we collect
Account data. Name, email address, password hash, organisation name, role, country, language preference.
Billing data. Billing name and address, VAT number, last four digits and brand of payment card, transaction history. Full card details are handled by Stripe and never reach our servers.
Service usage data. Pages visited, features used, credits consumed, time-stamped event logs, error reports, performance metrics, IP address, browser and device information.
Content data. Anything you upload, type, draw or otherwise submit into the Services.
Support data. Any information you provide when you contact us, including the contents of emails and any attachments.
Marketing data. Email subscription state, click and open events on emails we send you, and any information you provide on forms.
4. Why we process it and on what legal basis
We rely on the following legal bases under GDPR Article 6:
Performance of a contract (Art. 6(1)(b)) — to operate the Services, manage your account, process payments, deliver support, and meet our contractual obligations to you.
Legitimate interests (Art. 6(1)(f)) — to keep the Services secure, prevent fraud and abuse, debug and improve the product, manage our business, and contact existing customers about features and updates relevant to their use. We have assessed that these interests do not override your rights and freedoms.
Legal obligation (Art. 6(1)(c)) — to keep accounting records (Estonian accounting law requires us to retain invoices for 7 years), to respond to lawful requests from authorities, and to comply with tax and consumer-protection regulations.
Consent (Art. 6(1)(a)) — for marketing emails to non-customers, for non-essential cookies, and for any optional processing we describe to you separately. You can withdraw consent at any time without affecting the lawfulness of earlier processing.
5. Retention
We keep personal data only as long as needed for the purposes above.
Account and content data — for the lifetime of the account, then deleted or anonymised within 90 days of account closure.
Billing data — 7 years from the invoice date (Estonian accounting law).
Usage logs — 13 months rolling, then aggregated or deleted.
Support tickets — 3 years from the date of resolution.
Marketing data — until you unsubscribe, then suppressed on a permanent do-not-contact list.
Backups — up to 35 days, after which deleted data is no longer recoverable from backup.
6. Who we share data with
We do not sell personal data. We share it only with the categories of recipient below, all of whom are bound by written agreements requiring them to protect the data and use it only on our instructions:
Subprocessors — third-party service providers who process personal data on our behalf to help us deliver the Services. Our current subprocessors are listed at vector56.com/subprocessors and include Cloudflare (hosting and infrastructure), Stripe (payments), Anthropic and OpenAI (AI inference where applicable), and Resend (transactional email).
Professional advisers — accountants, auditors and lawyers, where reasonably necessary.
Authorities — where we are legally required to disclose data, or where disclosure is necessary to protect our rights, our users' rights, or public safety.
Successors — in connection with a merger, acquisition or sale of assets, where the recipient agrees to the same protections set out in this policy.
7. International transfers
Some of our subprocessors are based outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on one of the following safeguards: an adequacy decision of the European Commission (for example, the EU-US Data Privacy Framework where the recipient is DPF-certified); the European Commission's Standard Contractual Clauses (2021 modules); or the UK International Data Transfer Addendum where UK data is involved. We carry out a Transfer Impact Assessment for material transfers and prefer EU-region infrastructure where it is reasonably available. You can request a copy of the relevant safeguards by contacting us.
8. How we protect data
We use industry-standard technical and organisational measures: encryption in transit (TLS 1.2+), encryption at rest for production data stores, least-privilege access controls, multi-factor authentication on administrative accounts, time-bound credentials, regular dependency patching, separation of production and non-production environments, and logged access to sensitive systems. We test our security through periodic reviews and we maintain an incident-response plan. No system is perfectly secure; we cannot guarantee absolute security, but we work to make a breach unlikely and a breach without containment even less likely.
9. Data-breach notification
If we suffer a personal-data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach, as required by GDPR Article 33, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to them.
10. Your rights
Subject to the conditions set out in GDPR Articles 15 to 22 (and equivalent UK GDPR provisions), you have the right to: access your personal data; have inaccurate data corrected; have your data erased (the "right to be forgotten"); restrict our processing of your data; object to processing based on legitimate interests or for direct marketing; receive your data in a portable format and transmit it to another controller; and not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you (we do not currently operate such processing).
To exercise any of these rights, contact us via the contact page. We respond within 30 days; we may extend this by a further two months for complex requests, and we will tell you if we do. We do not charge for these requests unless they are manifestly unfounded or excessive.
11. Complaints
You can complain to a supervisory authority if you believe our processing breaches data-protection law. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — aki.ee/en. EU and UK residents may also complain to the supervisory authority in their country of residence (in the UK, the Information Commissioner's Office at ico.org.uk).
12. California residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act / California Privacy Rights Act: the right to know what personal information we have about you; the right to delete; the right to correct; the right to opt out of "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined under CCPA/CPRA); and the right to non-discrimination for exercising these rights. To exercise these rights, contact us via the contact page. The categories of personal information described in section 3 above apply equally to California residents.
13. UK residents
The UK GDPR and the Data Protection Act 2018 give UK residents substantially the same rights as EU residents under the GDPR. Our UK Article 27 representative (if appointed) is identified at the foot of this page; otherwise you can contact us directly. Complaints can be made to the UK Information Commissioner's Office at ico.org.uk.
14. Children
The Services are not directed to children under 16, and we do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, contact us and we will delete it.
15. Automated decisions and AI
Some of our Services use third-party AI models (currently Anthropic and OpenAI) to generate text or analytical outputs from inputs you provide. These outputs are informational and we do not use them to make decisions that produce legal or similarly significant effects on you. We do not use your Content to train AI models. The AI provider's processing of your inputs is governed by its own terms; we choose providers that contractually agree not to retain your inputs beyond what's needed to produce the response, and we pass through your data deletion requests to those providers.
16. Cookies
We use a small number of cookies and similar technologies. Details and your choices are in our Cookie Policy.
17. Changes
We update this policy from time to time. Material changes will be notified by email or in-product banner 30 days before they take effect. The version number and effective date at the top of the page tell you which version is current. Previous versions are archived; you can request a copy.
18. Contact
98M7 Group OÜ — Tallinn, Estonia. Privacy queries: contact us.