Privacy Policy
Effective date: 2026-06-21
This Privacy Policy explains how Sitoraweb LLC ("Company", "we", "us", or "our") collects, uses, discloses, and protects information in connection with Vyom, our websites, applications, APIs, and related services (collectively, the "Services").
This service is provided by Sitoraweb LLC under the Vyom brand.
Vyom is a professional content workflow product for businesses, creators, and teams. It is not directed to children.
1. Scope
This Privacy Policy applies to information we collect when you:
- create or use a Vyom account;
- access our websites, applications, and APIs;
- submit source material for content generation, review, scheduling, or publishing;
- connect third-party platforms or payment services;
- communicate with us for support, updates, or account-related matters.
This Privacy Policy does not apply to third-party websites, social platforms, payment processors, or other services that we do not control, even if they are linked to or integrated with the Services.
2. Who We Are
The Services are provided by:
- Sitoraweb LLC
- United States company
- Privacy and general contact: [email protected]
Vyom is operated from the United States and is designed primarily for U.S.-based professional users. Depending on where you are located and how you use the Services, Sitoraweb LLC may act as the controller, business, or comparable primary decision-maker for personal data processed through the Services.
3. Information We Collect
We collect the information needed to operate, secure, improve, and support the Services.
A. Account and Workspace Data
We collect information such as:
- name and display name;
- email address;
- encrypted or vendor-managed authentication credentials;
- workspace name and related account configuration;
- role, permissions, and membership information within a workspace.
B. Content Inputs, Outputs, and Edits
We collect information you provide to use the Services, such as:
- text, URLs, uploaded files, and other source materials submitted for analysis or content generation;
- generated drafts, revisions, edits, approvals, rejections, and workflow actions taken inside the Services;
- content preferences, brand voice settings, audience descriptions, tone keywords, and similar workspace instructions;
- platform account identifiers and publishing configuration for connected services.
C. Billing and Subscription Data
If you purchase a paid subscription or other paid Services, payments are processed by Stripe or another disclosed payment processor. We do not store full payment card numbers. We may receive and store limited billing and subscription information such as:
- customer, invoice, and subscription identifiers;
- billing contact details;
- payment status;
- invoice and transaction metadata;
- plan, renewal, cancellation, and delinquency status.
D. Security, Device, and Audit Data
We automatically collect certain technical and security-related information, such as:
- IP address or a hashed or truncated derivative used for security and abuse prevention;
- browser type, device information, operating system, and request metadata;
- log data, timestamps, authentication events, and security events;
- audit trail information for important account and workspace actions.
E. Communications and Support Data
If you contact us or receive account-related communications from us, we may collect:
- your email address;
- the contents of your communications with us;
- account and support history;
- preferences regarding non-essential product or marketing communications.
4. How We Use Information
We use information for the following purposes:
- to provide, maintain, and secure the Services;
- to create and administer accounts, workspaces, and permissions;
- to analyze submitted source materials and generate, review, schedule, and publish content at your direction;
- to remember workspace-specific content preferences and operating instructions;
- to process payments, subscriptions, invoices, renewals, cancellations, and billing support;
- to send transactional emails, verification emails, billing notices, service notices, and support responses;
- to detect, investigate, prevent, and respond to fraud, abuse, security incidents, and other harmful activity;
- to monitor system performance, debug issues, and maintain service reliability;
- to improve the Services using aggregated or de-identified usage patterns and structural performance trends where reasonably possible;
- to comply with law, enforce our agreements, and protect our rights, users, and the public.
5. AI Processing, Workspace Learning, and Service Improvement
Vyom uses customer-provided inputs and workspace preferences to provide the Services requested by that customer or workspace.
We may use edit patterns, approvals, rejections, packaging structure, performance signals, and similar workflow data to improve how the Services operate for that same customer or workspace.
We may use aggregated or de-identified service data to improve product performance, reliability, safety, and quality across the Services.
We do not sell customer content or personal data to data brokers or advertisers.
We do not use customer content to train third-party foundation models unless we expressly disclose that practice and obtain any consent required by applicable law.
Some Services let you choose among AI models offered by different providers, including providers located outside the United States. Where you select such a model, your inputs for that generation are processed by that provider under its own terms, which for some providers may include retaining those inputs or using them to operate or improve their models. We apply data-minimization measures in some provider flows, such as avoiding account identifiers in prompts and callback data, but some media-generation paths may still require us to send the raw files you upload, including embedded metadata where stripping is not yet implemented. The [Terms of Use](terms-of-use.md) describe this, and the providers we use are listed on the [Subprocessors](subprocessors.md) page.
Where a feature requires a person's face or voice — such as lip-sync, which turns a portrait image and a voice recording into a generated video — that information is biometric data. Our [Biometric Data Notice](biometric-consent.md) explains what we collect, the consent we obtain before collecting it, how long we keep it, and the limits on deleting copies held by a model provider you select.
6. How We Share Information
We may share information:
- with infrastructure, authentication, hosting, queueing, storage, and security providers that help us operate the Services;
- with AI providers when needed to process prompts, generate drafts, evaluate content, or produce images, video, or audio you ask us to create — including, for media-generation models you select, AI providers operated outside the United States;
- with payment processors when needed to bill, renew, refund, or manage subscriptions;
- with email delivery providers when needed to send account, billing, security, or support messages;
- with publishing and integration providers when needed to perform actions you request;
- within your workspace according to your role and permission settings;
- in connection with a merger, financing, acquisition, reorganization, sale of assets, or similar transaction;
- to comply with law, legal process, or valid governmental request;
- to protect the rights, property, safety, and security of the Company, our users, or others;
- with your direction or consent.
Major service-provider categories used in the product may include Supabase, Stripe, Anthropic, OpenAI, Google, Upstash, Cloudflare, an AI media-generation aggregator (Evolink) and the upstream model providers it routes to, fal.ai, email delivery providers, and hosting or infrastructure vendors, as applicable to the deployed environment. The current list is maintained on the [Subprocessors](subprocessors.md) page.
7. International Transfers
We may process and store information in the United States and other countries where we or our service providers operate.
If you access the Services from outside the United States, your information may be transferred to and processed in countries that may not provide the same level of data protection as your home jurisdiction.
In addition, certain media-generation models you can choose are operated by providers outside the United States; where you select such a model, the inputs for that generation are processed in that provider's region. Depending on the feature and provider path, those inputs may include the raw files you upload, including embedded metadata where stripping is not yet implemented. The countries involved and the providers we use are recorded in our [Subprocessors](subprocessors.md) page.
Where required, we will implement appropriate safeguards for cross-border transfers.
8. Retention
We retain information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain security records.
Current operational defaults in the product include:
- raw source inputs and uploaded source files: generally retained for up to 30 days unless deleted earlier or a longer period is needed for security, legal, or operational reasons;
- prompt packet summaries: generally retained for up to 30 days;
- security event records: generally retained for up to 90 days;
- audit logs: generally retained for up to 180 days;
- workspace memory or preference data: retained while needed to operate the relevant workspace or until deleted, expired, or no longer necessary.
The defaults above describe retention within our own systems. Where you select a third-party model provider to generate content, the inputs you submit for that generation are also processed and retained by that provider under its own schedule, which we do not control. We cannot recall or delete those provider-held copies on request; for some providers they expire automatically after a fixed period, while others may retain them longer under their own terms.
Retention periods may change as the product matures, legal obligations apply, or operational needs evolve. If we materially change retention practices, we will update this Privacy Policy or other applicable notices.
9. Cookies and Similar Technologies
We and our service providers may use cookies, local storage, and similar technologies necessary to authenticate users, maintain sessions, remember preferences, protect security, and operate the Services.
On our public marketing website, we also use Google Analytics, a non-essential website-analytics service provided by Google LLC, configured with IP anonymization and with Google Signals and advertising personalization disabled. Where applicable law requires consent, these analytics cookies are set only after you opt in, and you may accept, decline, or change your choice using the cookie control on our website. Our [Cookie Notice](cookie-notice.md) describes these technologies and your choices in more detail.
If we use further non-essential cookies or similar technologies in a jurisdiction that requires additional notice or consent, we will provide the relevant notice and choices at that time.
10. Your Choices and Privacy Requests
Depending on your location and applicable law, you may have rights to:
- access personal data we hold about you;
- correct inaccurate personal data;
- delete certain personal data;
- obtain a copy of certain personal data in a portable format;
- object to or restrict certain processing;
- withdraw consent where processing is based on consent;
- opt out of non-essential product or marketing emails.
We may need to verify your identity and authority before acting on a request. We may also deny or limit requests where permitted by law.
A deletion request can reach the personal data within our own systems. It cannot retrieve or delete inputs you have already submitted to a third-party model provider you selected; those copies are governed by that provider's own retention and deletion practices, as described in Sections 6 and 8 and in our [Terms of Use](terms-of-use.md).
To make a privacy request, contact us at [email protected].
11. U.S. State Privacy Disclosures
If you are protected by California or similar U.S. state privacy laws, you may have additional rights, subject to statutory exceptions and eligibility thresholds.
Subject to applicable law, we do not sell personal information and do not share personal information for cross-context behavioral advertising as those terms are defined under California law.
Authorized agents may submit requests on your behalf where permitted by law, subject to verification requirements.
12. Children's Privacy
The Services are intended for professional and business use only and are not directed to children.
You may not create an account or use the Services if you are below our stated minimum age requirement.
If we learn that we have collected personal information from a person below that minimum age in violation of our policies or applicable law, we may suspend the account and delete the information as required or appropriate.
13. Security
We use administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. These measures include role-based access controls, logged administrative actions, vendor-managed authentication controls, retention limits, and environment-specific security safeguards.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and update the effective date. Where required by law, we will provide additional notice.
15. Contact Us
For privacy questions or requests, contact:
- Sitoraweb LLC
- [email protected]