Privacy Policy

Vectis is a unified workspace for Managed Service Providers (MSPs), operated at mspvectis.com. For the purposes of applicable data-protection law, we act as a data controller for data about our own customers and visitors to our marketing site, and as a data processor for data you route through the Service about your own end customers and employees.

We collect anonymous product usage telemetry — which routes you visit, which buttons you click, how long you spend on each page — to improve Vectis. This data is keyed to your user account so we can measure per-user engagement, but it is not joined to any personal identifier outside our own systems and is not shared with third parties.

You can turn off collection at any time from Account → Privacy inside the signed-in product. The toggle takes effect immediately on every subsequent action.

Account data. When you sign up we collect your name, work email address, workspace name, chosen subdomain, and billing information. Billing information is handled by Stripe; we never see or store your full card details.

Integration credentials. When you connect a third-party system (ConnectWise, NinjaOne, and others), we collect the credentials you provide so we can authenticate against that system on your behalf. Credentials are encrypted at rest using AES-256 with a key held outside the database.

Customer data (yours). The Service synchronises data from the systems you connect — for example tickets, devices, alerts, contracts, and invoices. Some of this data may include personal data about your end customers or employees (names, email addresses, device identifiers). We process this data on your instructions as a processor.

Usage and diagnostic data. We collect logs about how the Service is used, including IP addresses, browser user agents, request timestamps, error traces, and feature interactions. We use this to operate, secure, and improve the Service.

Mobile app data. If you use the Vectis mobile app, we collect a device push token and device identifiers (platform, OS version, app version, device model) so we can deliver notifications and secure your sessions. Push notifications are relayed through Expo’s push service and delivered by the Apple Push Notification service (iOS) or Firebase Cloud Messaging (Android). Crash diagnostics from the app are sent to our error-tracking provider with personal data scrubbed. You can delete your account and associated personal data at any time from Settings → Account in the app (or Account on the web) — see Section 7.

Support communications. When you email support or submit in-app feedback, we retain the contents and associated metadata to resolve your request and improve the product.

We process data to:

• provide and maintain the Service, including authentication, sync, and write-back actions you authorise;
• bill for the Service and prevent fraud;
• secure the Service, investigate incidents, and enforce our terms;
• diagnose errors and improve reliability and performance;
• send transactional communications (receipts, security alerts, incident notifications, trial reminders);
• respond to support requests and in-app feedback;
• comply with applicable law.

We do not sell personal data. We do not use Customer Data to train general-purpose AI models.

Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases: (a) contract — to deliver the Service you subscribed to; (b) legitimate interest — for security, analytics, improving the product, and running our business, balanced against your rights; (c) legal obligation; and (d) consent — for optional cookies and marketing communications, where required.

We share data only as needed to operate the Service. Categories of recipients include:

• Infrastructure providers — our cloud host and content-delivery providers that power the Service.
• Payment processor — Stripe, which handles card data and subscription billing.
• Email delivery — SendGrid, for transactional emails (signup confirmations, invoices, alerts you opt into).
• Error monitoring — a commercial error-tracking service (e.g. Sentry) receives scrubbed stack traces and operational metadata to help us diagnose bugs.
• Push notification delivery — Expo, Apple (APNs), and Google (Firebase Cloud Messaging) relay mobile notifications to your device; app distribution is handled by the Apple App Store and Google Play.
• Third-party systems you connect — data flows to and from those systems at your direction. They are independent controllers of the data they process.
• Legal and safety — when required by law, court order, or to protect rights, property, or safety.
• Business transfers — in connection with a merger, acquisition, or asset sale, with contractual commitments to preserve the protections of this policy.

We keep account data for as long as your subscription is active and for a reasonable period after cancellation to handle wind-down, billing, and legal obligations (typically 90 days for operational data, longer for invoices/tax records where the law requires). Customer Data is available for export for 30 days after termination, after which we delete it from active systems. Backups are purged on a rolling retention schedule (typically 30 days).

Support communications and usage logs are retained for operational and security purposes for up to 24 months unless a longer period is needed for an open investigation.

Account deletion. You can delete your own Vectis user account at any time from Account on the web or Settings → Account in the mobile app (step-by-step: Deleting your Vectis account). We deactivate the account immediately and permanently erase your personal data (name, email, credentials) after a 7-day recovery window. Audit-log entries are retained as required for security and compliance. Deleting your user account does not delete your organisation’s workspace or the data it stores about its own customers — that data is owned by the organisation.

We protect the Service with technical and organisational measures including: TLS in transit, encrypted integration credentials, bcrypt-hashed passwords, strict server-side role-based access control, rate limiting, audit logging of admin actions and write-backs, isolated per-Customer databases, and pinned dependencies. Our team follows a least-privilege access model to production systems. We document our incident response plan internally and review it regularly.

No system can guarantee absolute security. If we learn of a breach that compromises your data, we will notify you without undue delay and, where required, the relevant supervisory authority.

The Service is operated from the United States. Our infrastructure and subprocessors may be located in the United States, the European Union, or other jurisdictions. Where required, we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses or the UK International Data Transfer Addendum.

Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal data, and to withdraw consent. You also have the right to lodge a complaint with a data-protection authority.

If you are an end customer or employee of an MSP using Vectis (not our direct subscriber), your primary point of contact for these rights is the MSP. We will work with the MSP to fulfil valid requests routed through them.

To exercise your rights as a direct customer or visitor, email privacy@mspvectis.com.

Our marketing site uses a small number of essential cookies for session management and fraud prevention, plus a preference cookie to remember that you dismissed our cookie banner. We do not deploy advertising cookies or sell browsing data to third parties. The signed-in product uses session and CSRF cookies required for authentication.

You can disable cookies in your browser; doing so may impair the functionality of the Service.

The Service is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, email privacy@mspvectis.com and we will delete it.

We may update this policy from time to time. Material changes will be announced on the marketing site and, for active subscribers, by email. The “Last updated” date at the top reflects the current revision.

For privacy questions or to exercise your rights, email privacy@mspvectis.com.