Privacy Policy
Version 1.0 | Last Updated: March 6, 2026
1. Introduction
This Privacy Policy explains how Valtrics collects, uses, stores, and protects your data when you use our product portfolio management platform.
Scope: This policy applies to all Valtrics services, including app.valtrics.io and docs.valtrics.io.
Companion Document: This Privacy Policy works together with our Terms & Conditions (Version 1.0, effective February 28, 2026). Together, these documents constitute the entire agreement between you and Valtrics regarding the Service. The definitions used in this Privacy Policy (Service, User, Content, Beta Period) have the same meaning as defined in our Terms & Conditions.
Contact: For any privacy-related questions, please contact us at privacy@valtrics.io.
Effective Date: March 6, 2026
2. Data Controller
Valtrics B.V. is the data controller responsible for your personal data.
- Entity: Valtrics B.V.
- Jurisdiction: Incorporated in the Netherlands
- Registered Address: [To be finalized]
- Privacy Contact: privacy@valtrics.io
- General Support: support@valtrics.io
- Legal Contact: legal@valtrics.io
Data Protection Officer: Valtrics has not appointed a Data Protection Officer (DPO) as we are not required to do so under GDPR Article 37(1). Our company has fewer than 250 employees, our core activities do not consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, and we do not process special categories of data as our main activity. For all privacy inquiries, please contact privacy@valtrics.io.
3. What Data We Collect
3.1 Account Data (Personal Data)
We collect the following when you create an account:
- Email address — required for account creation and authentication
- Password — hashed and encrypted using bcrypt, never stored in plain text
- Full name — optional, used for workspace collaboration
- Organization/workspace name — required for multi-tenant scoping
- Role within organization — assigned by workspace administrators (e.g., Admin, Member)
Legal basis: Contract performance (GDPR Article 6(1)(b))
Retention: Retained while your account is active, permanently deleted within 30 days after account termination.
3.2 Product Data (User Content)
You may create and store the following data within the Service:
- Product portfolio information (product names, descriptions, lifecycle stages)
- KPI trees (metric definitions, hierarchies, target values)
- Metric values (actual values, targets, time periods)
- Feature definitions
- Profit & Loss (P&L) data
- Dependencies between products
- Tags and categories
- Health scores
You own all Product Data. Per our Terms & Conditions Section 4, Valtrics has only a limited, non-exclusive license to process, store, and display this data solely for the purpose of providing the Service to you. This license terminates when you delete your Content or terminate your account. We do not use your Content for AI training, marketing, product development, or any purpose other than providing the Service to you.
Legal basis: Contract performance (GDPR Article 6(1)(b))
Retention: Retained while your account is active, permanently deleted within 30 days after account termination.
3.3 Technical and Operational Data
We collect the following for security and service operation:
- IP address — collected during Terms & Conditions and Privacy Policy acceptance for audit trail and fraud prevention
- User agent strings — collected during acceptance for the same purposes
- Session data — authentication tokens managed by Supabase Auth
- Preference data — theme selection (light/dark mode), view preferences, dashboard layout
Legal basis: Legitimate interest (GDPR Article 6(1)(f)) for security, fraud prevention, and service operation
Retention: IP addresses and user agents are retained for legal compliance and dispute resolution. Session data is retained for the duration of the session plus 30 days. Preference data is retained while your account is active.
3.4 Email Communication Data
We collect the following for transactional email delivery:
- Email addresses — same as Account Data
- Email delivery status — sent, delivered, bounced
- Email log entries — timestamp, recipient, subject, delivery status
Legal basis: Contract performance (GDPR Article 6(1)(b)) for transactional emails; legitimate interest (GDPR Article 6(1)(f)) for email deliverability monitoring
Retention: Email logs are retained for 90 days for deliverability troubleshooting, then automatically purged.
3.5 Data We Do NOT Collect
- Payment or financial information (beta is free, no payment processing)
- Biometric data
- Special categories of personal data (racial/ethnic origin, political opinions, religious beliefs, health data, etc.)
- Data about children under 16 (B2B product not directed at children)
- Location data beyond IP-based country detection
- Browsing history or behavioral tracking data
- Social media profile data
- Analytics or usage tracking data (no analytics tools are currently deployed)
4. How We Use Your Data
4.1 To Provide the Service (Legal Basis: Contract Performance)
- Authenticate your account and manage access
- Store and display your product portfolio data
- Enable KPI tree creation and visualization
- Track metrics and calculate health scores
- Generate reports and dashboards
- Enable collaboration within your organization
- Provide customer support
4.2 To Communicate with You (Legal Basis: Contract Performance and Legitimate Interest)
- Send transactional emails (account verification, password resets, important service updates)
- Respond to support inquiries
- Notify you of material changes to our Terms & Conditions or Privacy Policy (with 30 days' advance notice)
- Send security alerts (e.g., suspicious login attempts)
4.3 To Secure and Improve the Service (Legal Basis: Legitimate Interest)
- Detect and prevent fraud, abuse, and security threats
- Troubleshoot technical issues
- Monitor service performance and uptime
- Comply with legal obligations (e.g., data retention for disputes)
4.4 What We Do NOT Do with Your Data
- We do not use your Content for AI training or model development
- We do not sell or rent your personal data to third parties
- We do not use your data for marketing or advertising
- We do not share your data with third parties except as disclosed in Section 5
- We do not use your data for automated decision-making or profiling
5. Who We Share Your Data With
5.1 Sub-Processors
We use the following third-party service providers to operate the Service:
Supabase (Supabase Inc.)
- Purpose: Database hosting, authentication, and data storage
- Data types: All data categories (Account, Product, Technical, Email)
- Data location: EU data centers (Frankfurt, Germany)
- GDPR compliance: Provides Standard Contractual Clauses (SCCs) and Data Processing Agreement (DPA)
- Privacy policy: https://supabase.com/privacy
Vercel (Vercel Inc.)
- Purpose: Application hosting and content delivery
- Data types: Technical data (IP addresses, user agents during page requests)
- Data location: Global edge network with EU and US nodes
- GDPR compliance: Provides Standard Contractual Clauses (SCCs) and Data Processing Agreement (DPA)
- Privacy policy: https://vercel.com/legal/privacy-policy
Resend (Resend Labs Inc.)
- Purpose: Transactional email delivery
- Data types: Email addresses, email content, delivery logs
- Data location: Email delivery may route through US and EU infrastructure
- GDPR compliance: Provides Standard Contractual Clauses (SCCs) and Data Processing Agreement (DPA)
- Privacy policy: https://resend.com/legal/privacy-policy
5.2 Legal Disclosures
We may disclose your data if required by law, court order, or government regulation. We may disclose your data to enforce our Terms & Conditions or protect our rights. We will notify you of legal requests for your data unless prohibited by law from doing so.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you via email and in-app notice 30 days before any such transfer. The acquiring entity must honor the commitments in this Privacy Policy.
5.4 No Other Third-Party Sharing
We do not share your data with advertisers, marketers, or data brokers. We do not sell your personal data.
6. International Data Transfers
6.1 Primary Data Location: EU Only
All primary data storage is located in the European Union (Supabase Frankfurt region). Valtrics B.V. is based in the Netherlands, within the EU jurisdiction.
6.2 Sub-Processor Routing
While your data is stored in the EU, our sub-processors (Vercel, Resend) may route requests through US infrastructure for performance and reliability. All sub-processors provide Standard Contractual Clauses (SCCs) and GDPR-compliant Data Processing Agreements approved by the EU Commission.
6.3 No Intentional Non-EU Storage
We do not store your data in non-EU regions. We do not intentionally transfer your data to countries without adequate data protection as determined under GDPR Article 45.
7. How Long We Keep Your Data
7.1 Active Account Data
All data is retained for the duration of your active account.
7.2 Post-Termination (30-Day Deletion)
Per our Terms & Conditions Section 7, all your Content is permanently deleted within 30 days after account termination. This deletion is irreversible. It is your responsibility to export your data before terminating your account.
7.3 Legal Hold Exceptions
Data may be retained beyond 30 days if required for:
- Legal obligations (e.g., tax records, audit requirements)
- Pending disputes or litigation
- Enforcing our Terms & Conditions
- Fraud prevention and security investigations
Retained data is kept confidential and used only for the specified purpose.
7.4 IP Address and User Agent Logs
IP addresses and user agent strings collected during legal agreement acceptance are retained for legal compliance and dispute resolution, as stored in our agreement tracking system.
7.5 Email Logs
Transactional email logs (delivery status, timestamps) are retained for 90 days for deliverability troubleshooting. Logs are automatically purged after 90 days.
8. Cookies and Tracking
8.1 Cookies We Use
Essential Cookies (No Consent Required)
- Supabase Auth Cookies (sb-access-token, sb-refresh-token): Required for login and secure access to your account. Session cookies are deleted when you close your browser; refresh tokens last 7 days.
Preference Cookies (No Consent Required)
- Theme Cookie: Stores your theme preference (light/dark mode). Duration: 1 year.
- View Preferences Cookie: Stores your dashboard layout and view preferences. Duration: 1 year.
8.2 Cookies We Do NOT Use
- No marketing or advertising cookies
- No third-party tracking cookies
- No analytics cookies (no analytics tools are currently deployed)
- No A/B testing or experimentation cookies
- No social media cookies
8.3 Cookie Consent
Because we only use essential and preference cookies, no cookie consent banner is required under current EU ePrivacy regulations. If we add analytics or marketing cookies in the future, we will implement a cookie consent mechanism and update this Privacy Policy with 30 days' advance notice.
9. Your Rights (Data Subject Rights)
Under GDPR, you have the following rights regarding your personal data:
9.1 Right of Access (GDPR Article 15)
You have the right to request a copy of all personal data we hold about you.
- How to exercise: Email privacy@valtrics.io with the subject line "Data Access Request"
- Response time: Within 30 days of a verified request
- Format: JSON export of all data associated with your account
9.2 Right to Rectification (GDPR Article 16)
You have the right to correct inaccurate or incomplete personal data.
- How to exercise: Update your profile directly in-app (Settings > Profile) or email privacy@valtrics.io
- Response time: Immediate for in-app updates; within 30 days for email requests
9.3 Right to Erasure / "Right to be Forgotten" (GDPR Article 17)
You have the right to request deletion of your personal data.
- How to exercise: Delete your account in-app (Settings > Account > Delete Account) or email privacy@valtrics.io
- Response time: Permanent deletion within 30 days, per our Terms & Conditions Section 7
- Limitations: We may retain data if required by law, for pending disputes, or to enforce our Terms
9.4 Right to Data Portability (GDPR Article 20)
You have the right to receive your data in a structured, commonly used, machine-readable format.
- How to exercise: Email privacy@valtrics.io with the subject line "Data Portability Request"
- Response time: Within 30 days of a verified request
- Format: JSON
9.5 Right to Object (GDPR Article 21)
You have the right to object to processing based on legitimate interest.
- How to exercise: Email privacy@valtrics.io with the subject line "Objection to Processing"
- Response time: Within 30 days. We will cease processing unless we have compelling legitimate grounds that override your interests
9.6 Right to Restriction of Processing (GDPR Article 18)
You have the right to request restricted processing in certain circumstances (e.g., while we verify the accuracy of data you have contested).
- How to exercise: Email privacy@valtrics.io with the subject line "Restriction Request"
- Response time: Within 30 days
9.7 Right to Withdraw Consent
If we process your data based on consent (currently we do not rely on consent as a legal basis), you have the right to withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.
- Netherlands Data Protection Authority: Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl)
- You may also contact the Data Protection Authority in your EU member state of residence
9.9 Verification Process
To prevent unauthorized access to your data, we require verification for all data subject requests. You must submit requests from your registered email address. If we cannot verify your identity through your email, we may request additional verification. We will acknowledge your request within 72 hours and fulfill it within 30 days.
10. How We Protect Your Data
10.1 Technical Safeguards
- Encryption in transit: All data is encrypted using TLS 1.3
- Encryption at rest: All stored data is encrypted using AES-256
- Row-Level Security (RLS): Supabase RLS policies ensure users can only access data belonging to their own organization
- Password security: Passwords are hashed using bcrypt with salts and are never stored in plain text
- Multi-tenant isolation: Database-level isolation prevents cross-organization data access
- Secure authentication: Supabase Auth with industry-standard OAuth 2.0 protocols
10.2 Organizational Safeguards
- Access controls: Internal access to production data is restricted to authorized personnel only
- Principle of least privilege: Team members have access only to data necessary for their role
- Audit logging: Access to production databases is logged for security monitoring
10.3 Infrastructure Security
- EU data centers: Primary data is hosted in EU-based data centers (Supabase Frankfurt)
- Regular backups: Automated daily backups with encryption
- Dependency management: Regular updates to address security vulnerabilities
10.4 Breach Notification
We will notify you within 72 hours of discovering any data breach that affects your personal data, as required by GDPR Articles 33 and 34. We will also notify the Netherlands Data Protection Authority (Autoriteit Persoonsgegevens) within the same timeframe.
Beta Disclaimer: Per our Terms & Conditions Section 3, the Service is provided "as-is" during the Beta Period. While we implement industry-standard security measures, no system is 100% secure. You use the Service at your own risk during the Beta Period.
11. Children's Privacy
Valtrics is a B2B SaaS product intended for business use by adults. Our Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will delete it immediately. If you believe a child under 16 has provided data to us, please contact privacy@valtrics.io.
12. Changes to This Privacy Policy
12.1 Material Changes (30-Day Notice)
Per our Terms & Conditions Section 11, we will provide at least 30 days' advance notice before material changes to this Privacy Policy take effect. Notice will be sent via email to your registered email address and through an in-app notification. Material changes include: new categories of data collection, new sub-processors, changes to data retention periods, and changes to data subject rights.
12.2 Non-Material Changes
Minor updates (e.g., clarifications, formatting, typographical corrections) may be made without advance notice. The "Last Updated" date at the top of this policy will reflect the most recent change.
12.3 Continued Use After Changes
Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the changes, you must stop using the Service and delete your account before the effective date.
13. Contact Us
If you have questions or concerns about this Privacy Policy or how we handle your data:
- Privacy inquiries: privacy@valtrics.io
- General support: support@valtrics.io
- Legal matters: legal@valtrics.io
- Data subject requests: Email privacy@valtrics.io with a clear subject line indicating the type of request (e.g., "Data Access Request", "Data Portability Request")
We aim to respond to all privacy inquiries within 72 hours.
14. Governing Law
This Privacy Policy is governed by the laws of the Netherlands, consistent with our Terms & Conditions Section 10. EU data protection law (GDPR) applies to all processing activities described in this policy.
If you are an individual consumer in the European Union, you retain any mandatory consumer protection rights under the laws of your jurisdiction. Disputes will be resolved per the dispute resolution provisions in our Terms & Conditions.