Privacy policy

OSVector is operated by Vector Group Charitable Trust (Charities Services registration CC45966), based in New Zealand. We build shared infrastructure for programme stewardship, knowledge, publishing, and operational intelligence — primarily for charitable and community organisations.

This policy applies to:

• The OSVector web application and authenticated workspaces
• Account registration, login, and password reset flows
• API and server-side processing connected to your workspace
• Public pages published through the platform (where content is marked public)

Third-party sites linked from the platform (for example trust websites or Givealittle) have their own policies.

Account data. When you register we collect your email address and authentication credentials (stored as secure hashes via Supabase Auth). We may store your display name if you provide one.

Workspace content. You and your team submit programme data: entities, relationships, knowledge articles, memory records, publishing nodes, tasks, SEO assets, news drafts, audit logs, and related metadata. This is stored to provide the service you request.

Usage and activity data. We record workspace events and audit entries for operational integrity — for example when content is published, an approval is granted, or a sensitive integration action runs.

Technical data. Standard server logs may include IP address, browser type, timestamps, and request paths for security and debugging.

AI inputs and outputs. When you use retrieve, summarise, or draft features, your query and assembled workspace context are sent to our configured model provider (currently OpenAI) solely to generate the response. We do not use your workspace content to train public models.

• Provide, maintain, and improve the platform
• Authenticate users and enforce workspace membership
• Generate AI-assisted summaries and drafts at your direction
• Publish public content you explicitly approve
• Maintain audit trails for sensitive operations
• Respond to support requests and security incidents
• Comply with applicable law

We do not sell personal information.

We process data on the basis of: (a) performance of our service to you and your organisation; (b) legitimate interests in securing and improving the platform; and (c) consent where required (for example optional communications). Charitable programme data is processed as a data processor on your organisation's instructions when you control the workspace.

Application data is stored in Supabase (PostgreSQL) and related Supabase services. Infrastructure regions depend on your project configuration. Authentication sessions use secure HTTP-only cookies. Secrets such as service-role keys and API tokens are kept in server environment variables and are never exposed to the browser.

We share data only when necessary:

• Supabase — database, authentication, storage
• OpenAI — AI generation when you invoke those features
• WordPress or other integrations — when you connect external sites and explicitly apply approved changes
• Infrastructure providers — hosting, logging, and email delivery

We may disclose information if required by law or to protect rights, safety, and security.

We retain account and workspace data while your account or workspace is active and for a reasonable period afterward to allow export and dispute resolution. Audit logs for sensitive actions may be kept longer for accountability. You may request deletion subject to legal and operational constraints (for example charity record-keeping).

We use industry-standard measures: TLS in transit, row-level security in the database, role-based workspace permissions, server-only secrets, and human approval gates before consequential actions (publish, WordPress apply, bulk SEO changes). No system is perfectly secure; report concerns to steve@osvector.ai.

Depending on applicable law (including the New Zealand Privacy Act 2020), you may have rights to access, correct, delete, or restrict certain processing of your personal information, and to lodge a complaint with a supervisory authority. Contact us to exercise these rights. Workspace owners are responsible for content they store about others.

We use essential cookies for authentication sessions. We do not use third-party advertising cookies on the core application. Analytics, if enabled in future, will be disclosed here.

The platform is intended for organisations and authorised adults. It is not directed at children under 16. Programme content about youth initiatives is stewarded by qualified organisations.

If data is processed outside New Zealand, we take steps to ensure appropriate safeguards consistent with applicable privacy law.

We may update this policy. Material changes will be reflected in the "Last updated" date. Continued use after changes constitutes acceptance of the revised policy.

Vector Group Charitable Trust
Email: steve@osvector.ai
Web: https://www.vectorgroup.org.nz/

See also our Terms & conditions.