Privacy Policy

Vector — Anti-anxiety planning application for solopreneurs
Effective date: May 16, 2026
Last updated: May 16, 2026 · Version: 1.2

1. Introduction

This privacy policy describes how CapitalSoft inc., operating the Vector division (hereinafter "Vector", "we", "our", or "us"), collects, uses, communicates, and protects your personal information when you use the Vector application accessible at vectorplanning.ai and its subdomains (hereinafter the "Application" or the "Service"), or when you interact with our marketing site at vectorplanning.ai.

CapitalSoft inc. is a company established in Quebec (Canada). This policy is set within the framework of the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1), as amended by the Act to modernize legislative provisions as regards the protection of personal information (Law 25), the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, the Canadian Anti-Spam Legislation (CASL) with respect to commercial electronic communications, as well as, when applicable, other foreign laws governing personal information protection, including the General Data Protection Regulation (GDPR) of the European Union.

By using the Application or submitting a form on the marketing site, you acknowledge that you have read this policy. If you do not agree with its contents, we invite you not to use the Service and not to submit any form.

2. Privacy Officer

In accordance with Law 25, we have designated a Privacy Officer responsible for the protection of personal information within Vector. You may contact this person for any question related to this policy, to exercise your rights, or to file a complaint:

For users located in the European Union or the United Kingdom, this same person also acts as the point of contact for GDPR and UK GDPR purposes. Vector has not appointed a representative within the meaning of Article 27 of the GDPR at this time, considering that its processing of data concerning EEA residents remains occasional and not on a large scale; this situation will be reassessed if it evolves.

3. Personal Information We Collect

We collect only the personal information necessary for the purposes described in Section 4. Depending on your use of the Service, this information may include:

3.1 Information you provide directly

• Account information: display name, email address, password (in encrypted form — we never have access to your password in plain text), city and province or country (optional), industry or sector of activity (optional).
• Content created in the Application: projects, tasks, subtasks, deadlines, estimated durations, notes, brainstorming content ("brain dumps"), planning history, custom configurations (for example, the name given to your AI agents).
• Communications: content of exchanges you have with us (emails, contact forms, support requests, exchanges with our support agent Lina).
• Payment information: if you subscribe to a paid plan, your payment provider (Paddle) collects the required payment information. We do not collect or store your credit card numbers or other sensitive financial data. We only receive the information necessary to manage your subscription (subscription status, plan, renewal date, currency, billing country).
• Information submitted via marketing site forms: see Section 6.3.

3.2 Information collected automatically

• Engagement indicators: aggregated counters allowing us to measure whether you are benefiting from the Service (last login date, last meaningful action date, number of logins and actions over the last 30 days, engagement trend). These counters feed our customer support mechanism described in Section 7.2.
• Product telemetry: events related to your interaction with the Application (project creation, feature triggering, integration of an AI agent suggestion, etc.), to measure usage and improve the Service. The granularity, retention period, and opt-out methods depend on the telemetry regime applicable to you (see Section 7.2).
• AI usage measurement: for each interaction with an AI agent, we record technical metadata (model used, duration, token volume, calculated cost) to measure usage per user for billing purposes and Service improvement. No content from your messages, tasks, or AI agent responses is retained in these records.
• Technical data: browser type, operating system, language, time zone, pages viewed on the marketing site. IP addresses collected during your navigation on the marketing site are processed by our audience measurement provider (Cloudflare) without depositing cookies or individually identifying you. IP addresses collected at the time of registration via the Ambassador Program are processed as described in Section 7.3 (rolling salted hash). IP addresses collected at the time of marketing site form submission are processed as described in Section 6.3 (hashing for consent proof purposes).
• Cookies and similar technologies: see Section 6.

3.3 Information collected from third parties

We do not collect your personal information from third parties, except to the extent that you choose to connect to the Application via a third-party authentication provider (for example Google), in which case we receive the minimal information necessary to create your account (email address, name, unique identifier).

3.4 Sensitive information

We do not intentionally collect information considered sensitive under applicable laws (ethnic origin, political or religious opinions, health status, sexual orientation, biometric data, etc.). We ask you not to enter such information in the content of your tasks or projects.

4. Purposes of Collection and Legal Basis

We use your personal information only for the following purposes:

For users in Quebec and Canada, your consent to these purposes is expressed through your adherence to this policy at the time of account creation or marketing site form submission. You may withdraw your consent at any time according to the methods provided in Section 11 — including by clicking the unsubscribe link present in every marketing email you receive from us.

5. Artificial Intelligence and Automated Decisions

The Application uses artificial intelligence to help you organize and plan your work. This includes in particular:

• Task extraction from content you enter;
• Automatic task duration estimation;
• Automated calendar scheduling;
• Interaction with your AI agents (CPO and COO).

How it works: When you interact with these features, the relevant content (for example, task text, your project parameters) is transmitted to our AI provider, Anthropic PBC (United States), via a secure connection. Anthropic processes this information to generate a response, which is then returned to you. Under Anthropic's commercial terms, this information is not used to train its models.

Vector learning from your data: In addition to AI features provided by Anthropic, Vector maintains its own statistical learning mechanisms to improve duration estimate accuracy. These mechanisms operate at two levels:

• Personal library. As you complete tasks, Vector records the time actually spent and uses it to progressively refine future estimates offered to you. This library is kept in pseudonymized form in our systems (your internal identifier appears in it to allow personalization of your estimates); it does not contain task labels or project content. It is strictly reserved to you: it is not shared with other users, nor used to train third-party AI models.
• Community library (anonymous by construction). To offer useful estimates to new users who don't yet have personal history, Vector publishes an aggregated view calculated from task durations of all users: by task category and industry, the average duration, dispersion, and number of contributors. This view only exposes a statistic from a minimum of five (5) contributors per category-industry, making it impossible to identify any individual. This default library is progressively replaced by your personal library as you use the Service.

Your rights regarding automated decisions: In accordance with Law 25 and the GDPR, when a decision concerning you is based exclusively on automated processing (for example, automatic task duration estimation, automatic calendar slot scheduling), you have the right:

• To be informed that this decision is automated;
• To know the personal information used to make this decision;
• To know the main factors and parameters that led to this decision;
• To have inaccurate information corrected;
• To submit your observations to a member of our staff and have this decision reviewed.

To exercise these rights, write to us at [email protected].

Important: You retain at all times the ability to modify, refuse, replace, or ignore any AI-generated suggestion or planning. You remain the decision-maker.

6. Audience Measurement, Cookies, and Marketing Site Forms

Vector adopts a minimalist approach to cookies and similar technologies.

6.1 Marketing site audience measurement (vectorplanning.ai)

Our marketing site uses no tracking cookies, no advertising pixels, and no third-party tracking scripts. We also do not use Consent Management Platforms (CMPs), as none of the technologies deployed on the marketing site require it.

To measure interest generated by our content, we rely on two anonymous mechanisms:

• Cloudflare Web Analytics: an audience measurement service that deposits no cookies and does not identify visitors individually. European privacy authorities (notably CNIL and EDPB) recognize this type of measurement as exempt from prior consent.
• Anonymous article view counting: we count, in a strictly anonymous manner, article views exceeding 30 seconds. No user identifier is created, stored, or transmitted. This measurement serves only to evaluate the editorial relevance of our content.

Ambassador Program attribution. When a visitor arrives on the marketing site from an Ambassador's referral link (link of the form vectorplanning.ai/?ref=CODE), the referral code is carried in the URL then transmitted to the registration page if the visitor decides to create an account. This mechanism deposits no cookie on the visitor's browser: attribution is done only via URL parameter, for the duration of navigation. Upon registration, the referral code is associated with the created account according to Ambassador Program rules.

6.2 Vector Application local storage

The Application uses a few local storage mechanisms strictly necessary for its operation:

• Session storage: necessary to keep you authenticated during your work session.
• Interface preferences: local recording of your display preferences (light or dark theme, language, etc.) to personalize your experience.

These mechanisms serve no tracking, profiling, or audience measurement purpose. They are not shared with third parties and are exempt from prior consent under applicable rules, being strictly necessary for providing the Service you have explicitly requested.

You can configure your browser to block cookies and local storage, but this may prevent the Application from working properly (for example, the inability to stay authenticated).

6.3 Marketing site forms

The marketing site makes certain forms available that you may choose to submit voluntarily, for example to download a free guide. This section describes what is collected at that moment, what it's used for, and how you can withdraw your consent.

Information collected at the time of submission:

• Name (or first name) and email address you enter in the form.
• Interface language (French or English) at the time of submission, to address you in the language you use.
• Page identifier from which the form was submitted (for example, the article slug), in order to understand which editorial resources generate the most interest.
• Submission timestamp (date and time).
• Salted and truncated hash of the IP address at the time of submission, kept as proof of your consent under the Canadian Anti-Spam Legislation (CASL). The IP address in clear is never stored; only a non-reversible cryptographic hash is retained.
• Download counter and timestamp of the last download of the requested resource, in order to measure the editorial effectiveness of our content (for example, comparing the number of submissions to the number of effective downloads to identify resources that are not consumed and improve them). These counters are attached only to your internal record in our database; they are not used for profiling or advertising targeting purposes.
• State of your consent to receive regular marketing communications (non-pre-checked checkbox), if you chose to check this box.

Processing purposes and types of emails you may receive:

1. Delivery of the requested resource. Immediately after your submission, we send you an email containing the download link. This email directly responds to your request: it does not constitute commercial communication.
2. Short series of follow-up emails related to the downloaded resource. During the fourteen (14) days following your submission, you may receive up to three (3) additional emails, the content of which remains directly related to the resource you downloaded — for example, a question to understand whether the method helped you, or a complement on its application. Because you explicitly requested a resource on this topic, the Canadian Anti-Spam Legislation (CASL) allows us to chain this short series of emails without additional authorization required from you. Each email contains a one-click unsubscribe link; you can opt out at any time.
3. Regular marketing communications (newsletter, product announcements). You will only receive these communications if you have expressly checked the box provided at the time of form submission. This box is never pre-checked, in accordance with Law 25 and CASL. You may at any time withdraw this consent by clicking the unsubscribe link present in each email, or by writing to [email protected].

Subprocessors involved:

• Supabase, Inc. (United States) — storage of your submission in our database (Canada Central region).
• Resend, Inc. (United States) — email delivery.
• Cloudflare, Inc. (United States) — execution of the function that receives your submission and static hosting of the resources you download.

Retention period:

• If you do not check the marketing box: your information is kept at most twelve (12) months after your last interaction (or until your unsubscription, whichever comes first), then deleted or anonymized.
• If you check the marketing box: your information is kept as long as your consent is active. You may withdraw it at any time via the unsubscribe link. Upon your unsubscription, your name and email address are deleted or anonymized within a reasonable time; only a non-identifying technical trace of the unsubscription may remain, to prevent accidental re-registration of the same address.

Your rights. The rights described in Section 11 (access, rectification, withdrawal of consent, erasure, portability, complaint) apply fully to information collected via marketing site forms.

7. Profiling, Product Telemetry, and Anti-Fraud

In accordance with Section 8.1 of the Act respecting the protection of personal information in the private sector (Law 25), we explicitly inform you of the individualized evaluation mechanisms that the Application implements, their purposes, their retention period, and the means at your disposal to control them.

The Application does not use geolocation functions that identify you to a precise location. The Application does not perform biometric identification.

7.1 Active profilings and their purposes

The Application implements three individualized evaluation mechanisms that Law 25 qualifies as profiling:

(a) AI feature usage measurement — contractual purpose. For each interaction you have with an AI agent (CPO Arthur, COO Alfred, support agent Lina), we record technical metadata: internal session identifier, business trigger, model used, duration, token volume, calculated cost. No content from your messages or agent responses is retained in these records. This data helps us measure your usage for billing purposes and calibrate quotas associated with each Plan. It is kept as long as your account is active and may be communicated to you upon request.

(b) Engagement counters — customer support purpose. We calculate a small number of aggregated indicators about you (last login date, last meaningful action date, number of logins and actions over the last 30 days, engagement trend). These counters allow us to identify users who no longer seem to be benefiting from the Service and to offer them help (by email or notification in the Application). We do not do this to push you to remain subscribed: we do it to verify that there isn't a blockage we could help you overcome. You can disable this mechanism at any time in Settings → Notifications.

(c) Activation Validation — anti-fraud purpose (Ambassador Program). If you register via an Ambassador's link, we verify during your extended trial period (21 days) that you accumulate seven (7) days of significant activity over a rolling fourteen (14) day window. This verification triggers the Ambassador's reward attribution. It applies only to your trial evaluation window and has no consequence on your access to the Service. Details of this mechanism are in the Ambassador Program Conditions.

Your rights regarding automated decisions. In accordance with Law 25 and the GDPR, when a decision concerning you is based exclusively on automated processing from one of these profilings, you have the right:

• To be informed that this decision is automated;
• To know the personal information used;
• To know the main factors and parameters that led to this decision;
• To have inaccurate information corrected;
• To submit your observations to a member of our staff and have this decision reviewed.

To exercise these rights, write to us at [email protected].

7.2 Product telemetry — three regimes

Beyond the profilings described above, Vector records product telemetry that describes how you interact with the Application (for example: did you modify a slot the calendar suggested, integrate a suggestion from Arthur, open the morning briefing, etc.). This telemetry contains no content from your tasks, projects, notes, or conversations: only interaction events. It helps us understand which features are used, which are underused, and where we need to improve the experience.

Three regimes are possible. The regime applicable to your account is indicated in Settings → Privacy.

Minimal regime — full opt-out. No event telemetry is recorded. Only counters strictly necessary for contract performance (last login, subscription status) are kept. You can switch to minimal regime at any time via Settings → Privacy, without penalty.

Standard regime — applicable by default. Event telemetry is recorded in pseudonymized form (your internal identifier appears in it to allow aggregation). Raw lines are kept for 90 rolling days. Beyond that, they are automatically aggregated into cohort statistics (by user profile, plan, industry) then deleted by a scheduled automation. This is the regime applicable to all Service users after public launch.

Extended regime — beta testers. During the beta phase, users participating in the Beta Program are subject to a more detailed event telemetry regime, framed by the Beta Confidentiality Agreement (Beta NDA) which lists its exhaustive content and retention modalities. Participation in the Beta Program — and therefore the extended regime — is voluntary at entry, and is the counterpart to the privileged and personalized access offered during the beta. The beta tester may at any time exit the Beta Program, which interrupts extended telemetry and switches their account to standard regime; they then lose the benefits associated with the Beta Program. At the official end of the beta, each beta tester explicitly chooses between the standard regime (by default) or voluntary continuation of the extended regime post-beta, with opt-out possible at any time.

Retention of data collected during the beta. Raw lines of extended telemetry collected during the beta are kept at most six (6) months after the official end of the beta. Before deletion, they are aggregated into non-identifying cohort statistics that may be kept for historical analysis.

7.3 Ambassador Program anti-fraud — IP address

The Ambassador Program provides that a single Ambassador may not refer more than two (2) Referees registered from the same IP address over a rolling thirty (30) day window (Ambassador Program Conditions, Section 10.1). To enforce this cap without retaining IP addresses in clear, we use a rolling salted hash mechanism:

• At each Referee registration, your IP address is combined with a salt specific to the registration day, and we store only the SHA-256 hash of this combination. The IP address itself is never written in our databases.
• Thirty (30) rolling salts are kept (one per day). To verify the cap, we recalculate the hash of the new IP address with active salts and look for a collision.
• Beyond 30 days, the corresponding salt is deleted. The hash then becomes mathematically irreversible — it is no longer possible to find the source IP address, even by our technical team.

This mechanism allows us to prevent the simplest fraud without accumulating IP address history in clear. It applies only to registrations made via an Ambassador link; registrations made directly from the marketing site generate no IP hash record.

Important. You retain at all times the ability to modify, refuse, replace, or ignore any AI-generated suggestion or planning. You remain the decision-maker.

8. Communication to Third Parties and Subprocessors

We never sell your personal information.

We communicate certain information to third-party service providers (subprocessors, or processors within the meaning of the GDPR) who process it on our behalf, under our responsibility, and only for the purposes provided in this policy. These providers are bound by contractual confidentiality and security commitments.

The main categories of subprocessors at the time of writing this policy are:

This list may evolve. An up-to-date version is available upon request at [email protected].

We may also communicate your personal information:

• To any public authority, court, or regulatory body when required by law;
• To assert our rights, prevent fraud, or protect the safety of persons or property;
• In the context of a commercial transaction (merger, acquisition, asset sale), in which case you will be informed in accordance with applicable law.

9. Communication of Information Outside Quebec

Several of our subprocessors are established outside Quebec, primarily in the United States and the United Kingdom. In accordance with Section 17 of the Act respecting the protection of personal information in the private sector, we conduct a privacy impact assessment (PIA) before any communication of personal information outside Quebec. This assessment takes into account in particular:

• The sensitivity of the information;
• The purpose of its use;
• The protection measures in place, including contractual ones;
• The legal regime applicable in the destination jurisdiction, particularly the principles of personal information protection applicable there.

When information from persons located in the European Economic Area or the United Kingdom is transferred to a country not benefiting from an adequacy decision, we rely on recognized transfer mechanisms, particularly standard contractual clauses adopted by the European Commission or equivalent mechanisms.

10. Retention of Personal Information

We keep your personal information as long as necessary to achieve the purposes described in Section 4, including to:

• Provide you with the Service as long as your account remains active;
• Comply with our legal, accounting, tax, and contractual obligations;
• Allow the exercise or defense of a legal right.

When you delete your account, we proceed with the deletion or anonymization of your personal information within a reasonable time, subject to information we must retain to comply with a legal obligation or for dispute management. Some backup information may remain in our systems for a limited period before being erased according to our backup cycles.

For billing information, the retention period corresponds to the deadlines imposed by applicable tax laws (generally 6 to 7 years in Canada).

For information collected via marketing site forms, specific retention periods are detailed in Section 6.3.

11. Your Rights

Subject to the conditions and limits provided by applicable laws, you have the following rights regarding your personal information:

• Right of access: obtain confirmation that we hold personal information concerning you and obtain a copy.
• Right of rectification: have inaccurate, incomplete, or ambiguous information corrected.
• Right to portability: obtain your computerized personal information that you provided to us in a structured and commonly used technological format, or request its transmission to a third party you designate, when technically possible and not entailing serious practical difficulties.
• Right to cessation of dissemination, de-indexation or re-indexation ("right to be forgotten"): request the cessation of dissemination of your personal information or the de-indexation of a hyperlink attached to your name, under the conditions provided by law.
• Right to withdraw your consent at any time, when processing is based on it, without affecting the lawfulness of prior processing.
• Right to erasure (GDPR): request the deletion of your personal information under the conditions provided by the GDPR.
• Right to restriction of processing and right to object (GDPR): under the conditions provided by the GDPR.
• Right regarding automated decisions: see Section 5.

How to exercise your rights: send your request, accompanied by reasonable proof of your identity, to [email protected]. We will respond within the deadline provided by applicable law (generally 30 days in Quebec and Canada, and one month under the GDPR), this deadline may be extended in accordance with law in case of complex request.

No fees apply to a reasonable request. Minimal fees may be required for transcription, reproduction, or transmission, in accordance with law, and their approximate amount will be communicated to you in advance.

Right to complain:

• If you are in Quebec and are not satisfied with the handling of your request, you may file a complaint with the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).
• If you are elsewhere in Canada, you may address the Office of the Privacy Commissioner of Canada (priv.gc.ca).
• If you are in the EEA or the United Kingdom, you may address the data protection authority of your country of residence.

12. Personal Information Security

We implement reasonable security measures, in accordance with generally recognized industry practices, to protect your personal information against loss, theft, unauthorized access, use, modification, or unauthorized communication. These measures are of physical, technological, and organizational nature, and are proportionate to the sensitivity of the information.

No security measure can however guarantee absolute protection. You also have a role to play by:

• Choosing a robust and unique password;
• Preserving the confidentiality of your credentials;
• Promptly reporting to us any unauthorized access you suspect.

Confidentiality incidents: In the event of a confidentiality incident presenting a risk of serious harm, we will proceed with the notifications required by applicable law, particularly to the Commission d'accès à l'information du Québec and the persons concerned, within the prescribed deadlines.

13. Minors

The Application is intended for professional use by solopreneurs, freelancers, and entrepreneurs. You must be at least 18 years old to create an account and use the Service. By creating an account, you declare that you have reached the age of majority in your jurisdiction of residence and have the legal capacity to enter into this commitment.

We do not knowingly collect personal information concerning persons under 18 years of age. If you find that a minor has transmitted personal information to us, please notify us at [email protected] so that we can proceed with their deletion as soon as possible.

14. Privacy by Default

In accordance with Section 9.1 of the Act respecting the protection of personal information in the private sector, Application settings that have privacy controls are configured by default at the highest level of confidentiality, without intervention on your part. You may subsequently adjust these settings according to your preferences.

Similarly, marketing consent checkboxes on the marketing site are never pre-checked: you must actively check them to express your consent.

15. Changes to This Policy

We may modify this policy from time to time to reflect the evolution of our practices, the Service, or legal requirements. When changes are substantial, we will notify you by an appropriate means (for example, email, notice in the Application, or prominent notice on our Internet site) before they take effect. The effective date at the top of the document indicates the version in force. Previous versions may be obtained upon request.

16. Applicable Law and Jurisdiction

This policy is governed by the laws in force in the province of Quebec (Canada) and the federal Canadian laws that apply to it. Any dispute related to this policy is subject to the exclusive jurisdiction of the courts of the judicial district of Bedford, subject to the imperative rights recognized by the personal information protection laws of your place of residence.

17. Contact Us

For any question, request, or complaint regarding this policy:

We commit to handling your request diligently and providing you with a response within the deadlines prescribed by applicable law.

This policy is drafted in French. An English version is available for convenience; in case of discrepancy, the French version prevails for users in Quebec.

Changelog

v1.2 — May 16, 2026. Scope extended to the marketing site. Addition of Section 6.3 (Marketing site forms) specifying the information collected via opt-in forms, the three types of emails that may be sent (transactional, CASL-implied follow-up, CASL-express marketing), the subprocessors involved, retention periods, and the download counter (for internal editorial purposes). Two lines added to Section 4 (follow-up mini-funnel; regular marketing communications under express consent). Mention of CASL in Section 1. Renaming of Section 6 ("Audience measurement, cookies, and marketing site forms") and restructuring into subsections 6.1 (audience measurement), 6.2 (Application local storage), 6.3 (forms). Clarifications in Section 10 on retention of marketing information (12 months after last interaction if marketing box not checked). Explicit mention of the absence of pre-checked boxes in Section 14.

v1.1 — May 16, 2026. Initial version covering the Application.