Privacy Policy
Effective Date: October 10, 2025
Last Updated: October 10, 2025
Version: 1.0
Summary
At Vortex Files, we believe privacy is a fundamental right. This policy explains in plain language what data we collect, why we need it, how we protect it, and your rights to control it. We never sell your data, and we only collect what's necessary to deliver our service.
1. About Us
Company: QVXX Ltd.
Company Number: 16612070
Registered: England and Wales
Address: Flat 3 Misterton Court, Westbridge Road, London, SW11 3NL
Product: Vortex Files - Project-based client delivery platform
Contact: support_vortexfiles@qvxx.ai
Privacy Officer: compliance_vortexfiles@qvxx.ai
2. What Data We Collect
2.1 Information You Provide
- Account Information: Name, email address, company name, phone number
- Project Data: Project names, descriptions, status, deadlines
- File Content: Files you upload, file names, file metadata
- Communications: Comments, messages, support tickets
- Payment Information: Processed securely through Wix Payments (we don't store card details)
2.2 Data from Wix Integration
When you connect Vortex Files to your Wix site, we receive:
- Site Information: Site ID, domain name, business name
- User Information: Name, email, role (owner/contributor)
- OAuth Tokens: Encrypted access tokens for API integration
- Billing Data: Subscription status, plan level, payment events
2.3 Automatically Collected Data
- Technical Data: IP address, browser type, device type, operating system
- Usage Data: Features used, pages viewed, time spent, actions taken
- Performance Data: Load times, errors, crash reports
- Cookies: Session management, preferences, security (see Cookie Policy)
Client Portal Privacy Addendum (Clients)
This addendum explains how we handle data for invited clients who access the Vortex Files portal via magic links. It supplements the main Privacy Policy and focuses on the data we process when you review deliverables from your agency.
- What we collect: Your email, project assignment, login events, file views/downloads, comments, IP address, and device/user agent (for security and audit).
- Why: To verify access, show your agency what has been delivered or viewed, prevent fraud, and keep an immutable consent record.
- Who sees it: Only your agency and Vortex Files operations staff under strict access controls. We never sell or share this data for advertising.
- How long: Consent and audit logs are kept as long as the project is active or needed for legal defense; file access telemetry aligns with the agency's retention policy.
You can export your portal data or request deletion at any time from Portal Settings → Legal (or by emailing compliance_vortexfiles@qvxx.ai). When you ask us to delete your account, we deactivate access, delete non-essential personal data, and retain only what is required for legal, billing, or security purposes.
Consent is required before you enter the portal. If terms change materially, we will request re-consent and show what changed. If you decline, your agency can still share deliverables by other means, but portal access will remain blocked until consent is provided.
3. How We Use Your Data
3.1 Service Delivery (Contractual Necessity)
- Provide and maintain the Vortex Files platform
- Process and store your files securely in Cloudflare R2
- Enable project collaboration and client portal access
- Process payments and manage subscriptions through Wix
- Send transactional emails (magic links, notifications, receipts)
3.2 Platform Improvement (Legitimate Interest)
- Analyze usage patterns to improve features
- Monitor performance and fix bugs
- Conduct user research and testing
- Develop new features based on user needs
3.3 Security & Compliance (Legal Obligation)
- Detect and prevent fraud, abuse, and security threats
- Maintain audit logs for security investigations
- Comply with legal obligations and regulatory requirements
- Respond to valid legal requests from authorities
3.4 Marketing Communications (Consent-Based)
- Send product updates and feature announcements (opt-in)
- Share educational content and best practices (opt-in)
- Promotional offers and discounts (opt-in)
- You can opt out anytime via unsubscribe links
Client Portal Privacy
This section applies to clients using the Vortex Files portal to access project files.
What we collect
- Downloads, views, and comments to keep agencies informed
- Login timestamps and IP addresses for security
- Files you access within invited projects
How it’s used
- Agencies see your portal activity to coordinate work
- Other clients cannot see your activity
- No sharing with third parties for advertising
Your rights
You may request a copy of your portal data, request deletion (subject to legal obligations), and export activity history. Contact compliance_vortexfiles@qvxx.ai or your agency.
4. Legal Basis for Processing (GDPR)
| Data Type | Legal Basis |
|---|---|
| Account & project data | Contract performance |
| Payment processing | Contract performance |
| Analytics & improvements | Legitimate interest |
| Security & fraud prevention | Legitimate interest + Legal obligation |
| Marketing communications | Consent (opt-in) |
| Legal compliance | Legal obligation |
5. How We Share Your Data
5.1 Third-Party Service Providers
We share data only with trusted partners who help us deliver our service:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare R2 | File storage & CDN | Global (EU options) |
| Supabase | Database hosting | US (AWS) |
| Vercel | Application hosting | Global |
| Wix | OAuth, billing, integration | Global |
| Email providers | Transactional emails | US/EU |
All providers are bound by Data Processing Agreements (DPAs) and contractually required to protect your data in accordance with GDPR and CCPA.
5.2 Your Authorized Users
Data is shared with:
- Project collaborators you invite
- Clients with portal access to their projects
- Team members within your organization
5.3 Legal Requirements
We may disclose data if required by:
- Valid legal processes (subpoena, court order)
- Law enforcement requests with proper authority
- Protection of our rights, property, or safety
- Prevention of fraud or criminal activity
5.4 What We Never Do
- ✗ Sell your personal information
- ✗ Share data with advertisers
- ✗ Use your files for AI training
- ✗ Rent or trade user lists
- ✗ Access your files without permission (except for abuse investigation)
6. Data Storage & Security
6.1 Where We Store Data
- Files: Cloudflare R2 (global CDN with EU data residency options)
- Database: Supabase (US - AWS)
- Application: Vercel (global edge network)
- Backups: Encrypted, geographically distributed
6.2 Security Measures
- Encryption in Transit: TLS 1.3 for all data transfers
- Encryption at Rest: AES-256 for all stored data
- Access Controls: Role-based permissions, 2FA available
- Authentication: Magic link flow + OAuth (Wix)
- Infrastructure: SOC 2 Type II compliant hosting
- Monitoring: 24/7 security monitoring and alerts
- Audits: Regular security assessments and penetration testing
6.3 Data Breach Protocol
In the unlikely event of a data breach:
- Immediate containment and investigation
- Notification within 72 hours (GDPR requirement)
- Detailed report of impact and affected data
- Remediation measures and prevention steps
- Support for affected users (credit monitoring if needed)
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Active + 2 years | Service continuity |
| Project files | Active + 1 year | Client access needs |
| Deleted files | 30 days (soft delete) | Recovery option |
| Analytics (detailed) | 6 months | Service improvement |
| Analytics (aggregated) | 2 years | Trend analysis |
| Security logs | 1 year | Security audits |
| Access logs | 90 days | Debugging, support |
| Legal/tax records | 7 years | UK legal requirements |
You can request early deletion of your data at any time by contacting compliance_vortexfiles@qvxx.ai
8. Your Rights
8.1 GDPR Rights (EU/UK Users)
- Right to Access: Request a copy of all your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: "Right to be forgotten" - delete your data
- Right to Portability: Receive data in machine-readable format (JSON/CSV)
- Right to Restriction: Limit how we process your data
- Right to Object: Object to processing based on legitimate interest
- Right to Withdraw Consent: Remove consent for marketing
- Right to Lodge a Complaint: File complaint with ICO (UK) or local authority
8.2 CCPA Rights (California Users)
- Right to Know: What personal information we collect and how we use it
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of sale of personal information (we don't sell)
- Right to Non-Discrimination: Equal service regardless of privacy choices
8.3 How to Exercise Your Rights
Email: compliance_vortexfiles@qvxx.ai
Portal: Account Settings → Privacy & Data Management
Response Time: Within 30 days (GDPR) or 45 days (CCPA)
Verification: We may ask for verification to protect your security
9. Cookies & Tracking
9.1 Essential Cookies (Required)
- Session management and authentication
- Security tokens and CSRF protection
- User preferences and settings
9.2 Analytics Cookies (Opt-In)
- First-party analytics only (no third-party trackers)
- Usage patterns and feature adoption
- Performance monitoring
9.3 Managing Cookies
You can control cookies through:
- Our cookie consent banner (shown on first visit)
- Account settings → Privacy preferences
- Browser settings (may affect functionality)
See our full Cookie Policy for details.
10. International Data Transfers
10.1 Transfer Mechanisms
As a UK-based company serving global users, we may transfer data internationally. We protect these transfers through:
- Standard Contractual Clauses (SCCs): EU-approved transfer agreements
- UK IDTA: UK International Data Transfer Agreement
- Adequacy Decisions: Transfers to approved countries
- Data Localization: EU data residency options for files
10.2 Data Locations
- Primary database: United States (Supabase/AWS)
- File storage: Global CDN with EU options (Cloudflare R2)
- Application hosting: Global edge network (Vercel)
- Backups: Multiple regions for redundancy
11. Children's Privacy
Vortex Files is not directed to children under 16. We do not knowingly collect personal information from children under 16.
If we become aware that we have collected data from a child under 16, we will:
- Delete the information immediately
- Notify the account holder
- Prevent future access until age verification
Parents or guardians concerned about children's data can contact compliance_vortexfiles@qvxx.ai
12. Wix Integration Privacy
12.1 Data from Wix
When you connect Vortex Files through the Wix App Market:
- We only access data you explicitly authorize
- OAuth tokens are encrypted and stored securely
- We use Wix data solely for service provision
- Uninstalling the app triggers automatic data deletion
12.2 Your Responsibilities
- You remain the data controller for your Wix site visitors
- Your site's privacy policy should disclose Vortex Files integration
- We act as a data processor following your instructions
12.3 Wix Privacy Policy
Wix's data handling is governed by their privacy policy: https://www.wix.com/about/privacy
13. Marketing Communications
13.1 Types of Communications
Transactional (Cannot opt out):
- Magic link authentication emails
- Project notifications and alerts
- Payment receipts and billing updates
- Security alerts and account changes
Marketing (Opt-in required):
- Product updates and feature announcements
- Educational content and best practices
- Promotional offers and discounts
- Event invitations and webinars
13.2 Opt-Out Options
- Click "Unsubscribe" link in any marketing email
- Manage preferences in Account Settings
- Email unsubscribe@qvxx.ai
14. Privacy Policy Updates
We may update this Privacy Policy to reflect changes in our practices or for legal reasons.
14.1 Notification of Changes
- Material changes: 30-day advance notice via email
- Minor updates: Notification in-app
- Effective date updated at top of policy
- Previous versions available upon request
14.2 Continued Use
Continued use of Vortex Files after changes constitutes acceptance. If you disagree with changes, you may close your account before the effective date.
15. Contact & Complaints
Privacy Officer
Email: compliance_vortexfiles@qvxx.ai
Address: Flat 3 Misterton Court, Westbridge Road, London, SW11 3NL
Data Protection Authority (UK)
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
16. Additional Resources
- Terms of Service - Legal agreement for using Vortex Files
- Cookie Policy - Detailed information about cookies
- Acceptable Use Policy - Rules for platform usage
- Security Practices - How we protect your data