Privacy Policy

This Privacy Notice explains how Vancap Technologies Ltd (doing business as Vancap) (‘we’, ‘us’, or ‘our’) collects, uses, and protects personal information. It applies when you:

• Visit our marketing website at https://www.vancap.ai;
• Use our application at https://portal.vancap.app (the ‘Platform’); or
• Otherwise engage with us, including for support, sales, or events

(together, the ‘Services’).

Vancap is a business-to-business software platform for technical consultants and surveyors, and for the clients who commission their surveys. Access to the Platform is by invitation only — accounts are created by an administrator at your organisation, and there is no public self-service sign-up.

Questions about this notice, or about your personal information, can be sent to support@vancap.ai.

The two roles we play

This is the most important thing to understand about how we handle data, so we explain it up front.

1. As a controller — for limited account and website data. For a small amount of personal information — your account details, and basic technical data when you visit our website or use the Platform — we decide how and why it is processed. This notice describes that processing in full.

2. As a processor — for the content your organisation puts into the Platform. When your organisation uses Vancap to manage inspection jobs, it uploads notes, media, documents, and other content, and generates reports from them. That content often contains personal information about other people (for example, individuals in site photographs, or names and addresses inside uploaded documents). We process that content only on your organisation’s instructions, to provide the Services. For that content, your organisation is the controller and we are its processor, and we handle it under our agreement with your organisation, not under this notice. See ‘How we handle the content your organisation uploads’ below.

Summary of key points

What information do we process? As a controller, very little: your name, email address, an optional phone number, and technical data such as IP address. As a processor, we handle the content your organisation uploads to the Platform on its behalf.

Do we process sensitive personal information? We do not ask for or require special-category data. Content your organisation uploads could contain it; that content is handled on your organisation’s instructions, under our agreement with it.

Do we sell your information or use it for advertising? No. We do not sell personal information, and we do not use it for advertising or behavioural tracking.

Do we use your data to train AI models? No. We do not use your content to train AI models. See ‘How AI features use your data’ below.

Who do we share information with? A limited set of service providers (sub-processors) that help us run the Services — for example, hosting, storage, and our AI provider. See ‘Who we share information with’ below.

What are your rights? Depending on where you live, you have rights over your personal information, including access, correction, and erasure. See ‘Your privacy rights’ below.

Table of contents

1. What information we collect
2. How we use information, and our legal bases
3. How we handle the content your organisation uploads
4. How AI features use your data
5. Who we share information with
6. International transfers
7. How long we keep information
8. How we keep information safe
9. Your privacy rights
10. Cookies and similar technologies
11. Information from children
12. Updates to this notice
13. How to contact us

1. What information we collect

Information you provide as an account holder

Because the Platform is invitation-only, the personal information we hold about you as a user is deliberately minimal:

• Name — set when you are invited, editable by you;
• Email address — used to identify you and sign you in;
• Phone number — optional, only if you choose to add one to link a messaging integration (such as WhatsApp);
• Organisation role — whether you are an administrator or a standard user, used to control access.

We do not collect a billing or postal address from you, a job title, or a profile photograph, and we do not store your password — see ‘Sign-in information’ below.

Sign-in information

You sign in using your organisation’s Google or Microsoft account (single sign-on). When you do, we receive basic identity information from that provider — your email address and the identifiers needed to link your account. We do not see or store your Google or Microsoft password.

Information collected automatically

When you use the Services, we automatically collect some technical information:

• IP address — recorded in our security audit and access logs to help protect the Platform and detect misuse;
• Session and preference data — cookies and local storage used to keep you signed in and remember interface preferences (see ‘Cookies and similar technologies’).

On our marketing website only, with your consent, we use Google Analytics to understand how the site is used. No analytics or advertising cookies are set unless you accept them, and none are used inside the Platform.

Information we receive through integrations

If your organisation enables messaging or email integrations (such as WhatsApp, Telegram, or email-to-job capture), we receive the messages, media, sender details, and any location data sent through those channels into your organisation’s jobs. This is content processed on your organisation’s behalf — see section 3.

2. How we use information, and our legal bases

As a controller, we use the limited personal information described above to:

• Provide and operate the Services — create and maintain your account, authenticate you, and deliver the Platform’s features. Legal basis: performance of a contract, and our legitimate interests in running the Services.
• Keep the Services secure — monitor for, prevent, and investigate misuse, including through audit and access logs. Legal basis: legitimate interests in security and, where applicable, legal obligation.
• Provide support and communicate with you — respond to requests and send service-related messages about your account or material changes to our terms or policies. Legal basis: performance of a contract and legitimate interests.
• Understand and improve our marketing website — through analytics, where you have consented. Legal basis: consent.
• Comply with law — meet our legal and regulatory obligations and exercise or defend legal claims. Legal basis: legal obligation and legitimate interests.

We do not use your personal information for advertising, and we do not sell it.

3. How we handle the content your organisation uploads

When your organisation uses the Platform, it creates and uploads content — inspection jobs, field notes, photographs, audio and video, documents, observations, and the reports generated from them. This content frequently includes personal information about people who are not Vancap users, such as occupants or individuals visible in site media, or names, addresses, and contact details inside uploaded documents and messages.

For this content:

• Your organisation is the controller and we are its processor. We process it only to provide the Services and only on your organisation’s documented instructions.
• We do not use it for our own purposes, we do not sell it, and we do not use it to train AI models.
• It is isolated per organisation. Access is restricted to your organisation by enforced database-level controls, and files are stored under per-organisation paths.
• A written agreement governs this relationship. We process your organisation’s content under our agreement with it. Where data protection law requires a data processing agreement, we will put one in place with your organisation, setting out the nature of the processing, our obligations, and the sub-processors we use.

If you are an individual whose personal data appears in an organisation’s content and you wish to exercise your rights, please contact that organisation (the controller). We will assist them as their processor.

4. How AI features use your data

The Platform uses artificial intelligence to summarise evidence and generate draft reports. Our AI provider is Anthropic.

• Only text is sent to the AI provider. Where AI is used, we send relevant text — such as extracted document text, notes, and captions — to Anthropic’s API to produce a result. This text can contain personal information.
• Images, audio, and video are never sent to the AI provider. Only a text caption associated with media may be used; the underlying photo, audio, or video file is not transmitted to Anthropic.
• Your data is not used to train AI models. We do not train or fine-tune models on your content, and we use Anthropic’s API under commercial terms that do not permit your content to be used to train its models.
• AI output must be reviewed. Generated reports are drafts. They can contain errors and are not a substitute for professional judgement; your organisation is responsible for reviewing and approving them.

5. Who we share information with

We do not sell personal information. We share it only with service providers (‘sub-processors’) that help us deliver the Services, and only as needed. Our key providers are:

• Supabase — authentication and primary database (hosted in the UK);
• Amazon Web Services (S3) — storage of uploaded files and media (hosted in the UK);
• Anthropic — AI processing of text, as described in section 4 (United States);
• Cloudflare — content delivery, security, and traffic protection (global);
• Railway — application hosting (hosted in the EU);
• Google and Microsoft — single sign-on / authentication;
• Microsoft — online document preview rendering and Office add-in;
• Mapbox — map rendering for location data;
• Meta (WhatsApp) and Telegram — where your organisation enables those messaging integrations.

A current, detailed list of sub-processors is maintained for organisations and is available on request. We may also disclose information where required by law, to enforce our terms, or in connection with a business transfer (such as a merger or acquisition), in which case we will require the recipient to protect it consistently with this notice.

6. International transfers

We are based in the United Kingdom, and we store the core of your information in the United Kingdom and the European Union. Some of our sub-processors (including our AI provider and certain authentication, document-preview, and security providers) are located in, or process data in, the United States and other countries.

Where personal information is transferred outside the UK or EEA, we rely on appropriate safeguards — such as the UK International Data Transfer Agreement / Addendum, the European Commission’s Standard Contractual Clauses, or a finding of adequacy — so that it remains protected. Details of the safeguards we use can be requested from support@vancap.ai.

7. How long we keep information

We keep personal information only for as long as we need it for the purposes set out in this notice, unless a longer period is required or permitted by law.

• Account information is kept while your organisation maintains your account.
• Security access logs are retained for a defined period (currently up to 24 months) and then removed.
• Content uploaded by your organisation is retained for as long as your organisation keeps it in the Platform; retention and deletion of that content are controlled by your organisation under our agreement with it.

When we no longer need personal information, we delete it or isolate it from further use until deletion is possible.

8. How we keep information safe

We use appropriate technical and organisational measures to protect personal information, including:

• Strict per-organisation isolation enforced at the database level, so one organisation cannot access another’s data;
• Encryption in transit (HTTPS/TLS) for connections to the Services;
• Access controls and audit logging for sensitive actions; and
• Role-based permissions limiting access within an organisation.

No method of transmission or storage is completely secure, so while we work hard to protect your information we cannot guarantee absolute security. You should keep your sign-in credentials confidential and access the Services from a secure environment.

9. Your privacy rights

Depending on where you live, you may have rights under data protection law, including the right to: request access to your personal information; have it corrected or erased; restrict or object to its processing; obtain a portable copy; and, where we rely on consent, withdraw that consent at any time. Withdrawing consent does not affect processing carried out before the withdrawal.

To exercise any of these rights in respect of information we hold as a controller, contact us at support@vancap.ai. If your request concerns content your organisation uploaded (where we act as a processor), please contact your organisation, and we will support them as needed.

If you are in the UK and believe we have not handled your information properly, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk. If you are in the EEA, you may complain to your local supervisory authority. We would, however, appreciate the chance to address your concerns first.

10. Cookies and similar technologies

In the Platform, we use only the cookies and local storage needed to make it work — for example, to keep you signed in and to remember interface preferences such as panel sizes. These are essential and are not used for tracking or advertising.

On our marketing website, we use Google Analytics to understand how the site is used, but only if you accept analytics cookies through our cookie banner. If you decline, no analytics cookies are set. You can change your choice at any time by clearing the relevant cookie in your browser.

We do not use advertising cookies or third-party tracking pixels.

11. Information from children

The Services are intended for business use by people aged 18 or over. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us at support@vancap.ai and we will take appropriate steps to delete it.

12. Updates to this notice

We may update this notice from time to time. When we do, we will change the ‘Last updated’ date above, and we will tell you about material changes by posting a notice or contacting you directly. Previous versions are retained as part of our records.

13. How to contact us

Vancap Technologies Ltd (registered in England and Wales, company number 17057839), trading as Vancap, is the controller of the personal information described in this notice (where we act as a controller).

You can reach us at support@vancap.ai, or by post at:

Vancap Technologies Ltd
C/O Roxburgh Milkins Limited
Merchants House North, Wapping Road
Bristol BS1 4RW
United Kingdom