Vessels — Privacy (Pre-launch)

Pre-launch notice. Vessels is still in early access. This is a short, plain-English summary of how we handle data today — not our final privacy policy. A complete, lawyer-reviewed policy will be published before general availability. Until then, here's the honest version.

We don't sell your data

We have never sold personal information and we don't intend to. We don't share your data with advertising networks or data brokers, and we don't run third-party analytics or session-replay trackers in our apps. We rely on a small set of infrastructure providers (Supabase, Vercel, Apple, Google) only to run the service — they process data on our instructions, not for their own purposes.

How encryption works

• In transit: all traffic is encrypted over TLS.
• At rest: message content and structured fields are encrypted with AES-256-GCM using a key unique to each workspace. That per-workspace key is itself wrapped by a master key held outside the database. Deleting a workspace destroys its key, which permanently renders that workspace's content unrecoverable.
• Honest limitation: this is encryption at rest, not end-to-end encryption. We hold the keys, because the service has to read the data to show it to you, notify you, and help you debug. We'd rather say that plainly than claim something we can't keep.

What we collect

Just what's needed to run the service: your account email and login, your workspace settings, the messages and interactions your agent sends through Vessels, and minimal operational logs (timestamps, IP for rate-limiting, device push tokens if you enable notifications). Please don't put secrets or unnecessary personal information into message content or metadata — we store those verbatim.

Your choices

Email privacy@vessels.app to access or delete your data, or with any privacy question. Security reports: security@vessels.app.

This pre-launch note will be replaced by a full privacy policy before launch.