Privacy Policy

Last updated: 1 July 2026

This Privacy Policy explains how DATAFENIX LTD ("Vesta", "we", "us", "our") collects and uses personal data when you visit https://vesta-analytics.ai (the "Site"), create or hold a Vesta account, or otherwise interact with us.

Important scope note — two different sets of data. Vesta provides analytics for MCP (Model Context Protocol) and other software surfaces. We handle personal data in two distinct roles:

  1. As a controller — for personal data about you as a visitor, prospect, or account holder (for example, your name and email). This Privacy Policy covers that data.
  2. As a processor — for the telemetry/"span" data that our customers send to Vesta from their own software, which may contain personal data about their end users. We process that data only on our customer's documented instructions. That data is governed by our Data Processing Agreement, not this Policy. If you are an end user of a product that uses Vesta and have questions about your data, please contact that product's operator (our customer), who is the controller of it.

1. Who we are

DATAFENIX LTD (trading as Vesta) is a company registered in England and Wales (company number 15487351), registered office Unit 1 The Cam Centre, Wilbury Way, Hitchin, Herts, SG4 0TW, United Kingdom. We are registered with the UK Information Commissioner's Office (registration number ZB769611).

We have not appointed a Data Protection Officer (we are not required to). For any privacy matter, contact us at info@datafenix.ai.

[[EU_REP — If applicable: Our representative in the EU under Article 27 EU GDPR is [name and contact].]]

2. The personal data we collect

We collect and use the following categories of personal data as a controller:

| Category | Examples | Source |
|---|---|---|
| Account & identity data | Name, email address, authentication identifier (e.g. Firebase UID), the authentication provider you sign in with (email, Google, GitHub), organisation/company name | You, and your chosen sign-in provider |
| Account configuration data | Product and server (surface) names and labels you create, API key metadata (label, creation date, status — never the secret key itself in retrievable form) | You |
| Communications data | Messages you send us (e.g. via email or our contact form), support requests, and our responses | You |
| Billing data (where applicable) | Billing contact, billing address, and records of fees and payments. Card payments, if any, are handled by our payment processor; we do not store full card numbers. | You / payment processor |
| Site usage & technical data | Pages visited, approximate actions on the Site, browser/device type, and data needed to keep your session secure | Automatically, when you use the Site |

We do not intentionally collect special category data (e.g. health, biometrics) about you through the Site. Please don't send it to us.

The telemetry/span data our customers send us (which can include user_id, session_id, request/response payload content, and custom dimensions about their end users) is not listed above because we process it as a processor under the DPA, not as a controller under this Policy.

3. How we use your data, and our lawful bases

| Purpose | Lawful basis (UK/EU GDPR) |
|---|---|
| Create and administer your account; provide the Vesta service; provision API keys and surfaces | Performance of a contract with you (or your organisation) |
| Authenticate you and keep your account secure | Performance of a contract; legitimate interests (securing our service) |
| Respond to your enquiries and provide support | Legitimate interests (helping users and prospects); performance of a contract |
| Send service and administrative messages (e.g. security notices, changes to terms) | Legitimate interests; legal obligation |
| Send product or marketing updates (where relevant) | Consent, or legitimate interests where permitted, with an opt-out in every message |
| Take payment and keep financial records | Performance of a contract; legal obligation (tax/accounting) |
| Maintain, secure, debug, and improve the Site and service | Legitimate interests (operating a safe, working service) |
| Comply with law and respond to lawful requests; establish, exercise, or defend legal claims | Legal obligation; legitimate interests |

Where we rely on legitimate interests, we have considered the impact on you and do not use your data in ways that override your rights. You can ask us about that assessment using the contact details above. (Where the Data (Use and Access) Act 2025 designates a "recognised legitimate interest", we rely on that basis where applicable without a separate balancing test.)

4. Cookies and similar technologies

The Site uses a strictly necessary authentication session cookie (and the cookies your sign-in provider sets) to keep you logged in and to protect your account. These are essential to provide a service you have asked for and do not require consent.

We do not currently use advertising cookies or third-party marketing/analytics trackers on the Site. If that changes, we will update this Policy and, where the law requires, give you clear information and a free way to opt out (and obtain consent where required). Under the Data (Use and Access) Act 2025, certain low-risk analytics cookies are exempt from consent but still require transparency and an opt-out — we will honour that if we ever deploy them.

5. Who we share your data with

We do not sell your personal data. We share it only with:

  • Service providers (sub-processors/vendors) who help us run Vesta, under contracts that require them to protect your data and use it only on our instructions:
    • Google LLC / Google Cloud — cloud infrastructure, authentication (Firebase Authentication), database (Firestore), and data warehouse (BigQuery). Primary data location: europe-west2 (London, UK).
    • Google LLC (Firebase Hosting) — hosting of the Site.
    • [[Payment processor, if used]] — payment processing.
  • Professional advisers (lawyers, accountants, auditors) where necessary.
  • Authorities or other parties where required by law, to enforce our terms, or to protect our rights, users, or the public.
  • A successor in connection with a merger, acquisition, or sale of assets, subject to this Policy.

A current list of our sub-processors is available on request and in Annex 3 of our DPA.

6. International transfers

We store the core service data in the UK (europe-west2). Some of our providers (for example, Google for certain authentication functions and support operations) may process limited personal data outside the UK/EEA. Where we transfer personal data to a country without UK or EU "adequacy" status, we rely on appropriate safeguards — the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and the EU Standard Contractual Clauses for EU data — and we assess that the protection in the destination is not materially lower than under UK law. You can request a copy of the relevant safeguards using the contact details above.

7. How long we keep your data

  • Account & identity data: for as long as your account is active, and then deleted or anonymised within a reasonable period after closure (typically within 30 days), unless we must keep it longer to meet a legal obligation or to resolve disputes.
  • Billing/financial records: as required by tax and accounting law (typically 6 years in the UK).
  • Communications: for as long as needed to handle your query and a reasonable period afterwards.
  • Telemetry/span data (processed under the DPA): retained on a 13-month rolling window and deleted within 30 days of the end of the relevant customer agreement, as set out in the DPA.

8. Your rights

Subject to conditions and exemptions in applicable law, you have the right to:

  • be informed about how we use your data (this Policy);
  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten") in certain circumstances;
  • restrict or object to processing in certain circumstances, including objecting to direct marketing at any time;
  • data portability for data you provided to us, where applicable;
  • withdraw consent at any time where we rely on consent; and
  • not be subject to a solely automated decision with legal or similarly significant effects (we do not make such decisions about you).

To exercise any right, contact info@datafenix.ai. We will respond within one month (extendable for complex requests, and we will tell you if so). There is normally no charge.

If you are in the United States (e.g. a California resident), see Section 11 for your specific rights under US state privacy laws.

9. Complaints

If you have a concern about how we handle your personal data, please contact us first at info@datafenix.ai; we can also provide a complaints form on request. In line with the Data (Use and Access) Act 2025, we will acknowledge your complaint within 30 days and respond without undue delay.

You also have the right to complain to a supervisory authority:

  • UK: the Information Commissioner's Office (ICO), https://ico.org.uk, helpline 0303 123 1113.
  • EU/EEA: your local data protection authority.

We'd appreciate the chance to address your concern before you approach a regulator.

10. Security

We take the security of personal data seriously and maintain technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls and least-privilege permissions, secret management, and UK data residency for core service data. No system is perfectly secure, but we work to protect your data and to detect and respond to incidents. The security measures applicable to telemetry/span data are set out in Annex 2 of the DPA.

11. United States — additional privacy notice (CCPA/CPRA and similar laws)

This section applies if you are a resident of California or another US state with a comprehensive privacy law, and supplements the rest of this Policy.

  • Categories of personal information we collect: identifiers (name, email, account identifiers), commercial information (billing records), internet/network activity (Site usage), and professional/employment information (your organisation, role) — as described in Section 2.
  • Purposes: as described in Section 3.
  • Sources and disclosures: as described in Sections 2 and 5.
  • No sale or "sharing". We do not sell your personal information and do not "share" it for cross-context behavioural advertising as those terms are defined under California law.
  • Sensitive personal information. We do not collect or use sensitive personal information for purposes that would trigger a right to limit its use.
  • Your rights (subject to the applicable state law): to know/access, to delete, to correct, to opt out of sale/sharing (not applicable, as we do none), and to non-discrimination for exercising your rights.
  • How to exercise: email info@datafenix.ai. You may use an authorised agent. We will verify your request before acting on it.

Note: when we process telemetry/span data for our business customers, we act as a service provider (and processor) under those laws. The relevant terms are in our DPA.

12. Children

Vesta is a business tool and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact info@datafenix.ai and we will delete it.

13. Changes to this Policy

We may update this Policy from time to time. We will post the updated version here with a new "Last updated" date and, for material changes, take reasonable steps to notify you (for example, by email or a notice on the Site).

14. Contact us

DATAFENIX LTD
Unit 1 The Cam Centre, Wilbury Way, Hitchin, Herts, SG4 0TW, United Kingdom
Email: info@datafenix.ai