Privacy Policy
Last updated: May 19, 2026
This Privacy Policy explains how Plaw, Inc. d/b/a Veto ("Veto," "we," "our," "us"), a Delaware corporation, collects, uses, stores, shares, and protects information when you use veto.so and related services, including api.veto.so, auth.veto.so (collectively, the "Services"). This policy applies globally and addresses requirements under the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act as amended (CCPA and CPRA), Brazil's Lei Geral de Prote\u00e7\u00e3o de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Japan's Act on the Protection of Personal Information (APPI), Singapore's Personal Data Protection Act (PDPA), the UAE Federal Decree-Law No. 45/2021 on Personal Data Protection (PDPL), and other applicable data protection laws.
For account administration, service delivery, security operations, billing, and website analytics, Veto acts as the data controller. For tool-call payloads, policy content, decision data, and other customer-submitted operational data processed on your instructions, Veto acts as a data processor and your organization acts as the controller.
This dual role is reflected in our Data Processing Addendum, which governs our processing of personal data on your behalf.
| Category | Examples | Source | Purpose | Legal Basis | Retention |
|---|---|---|---|---|---|
| Account and profile data | Email, name fields, profile image URL, auth provider identifier | You or your identity provider | Account creation, authentication, organization membership, support | Contract; legitimate interests | Account lifetime, then deleted or de-identified within operational windows |
| Authentication and session data | JWT claims, auth cookies, refresh/device-code records, login metadata | Auth flows and CLI device flow | Sign-in, session continuity, fraud and abuse prevention | Contract; security legitimate interests | Short-lived tokens by design; refresh/device records until expiry, revocation, or cleanup |
| Organization and project data | Organization name/slug, project name, owner identifiers, plan tier | Workspace admins and system events | Multi-tenant isolation, permissions, billing and feature gating | Contract; legitimate interests | Until organization/project deletion and related operational retention periods |
| Policy and tool configuration | Tool names/descriptions/schemas, policy constraints, exceptions, mode settings | You, your SDK/CLI, or generated drafts reviewed by you | Policy enforcement and policy lifecycle management | Contract | Until deleted or replaced by you |
| Validation payload data | Tool arguments and optional context submitted for validation | Your agents, SDKs, CLI, and API requests | Authorize, deny, or require approval before tool execution | Contract; processor role for customer content | Stored in decision/approval records according to retention windows below |
| Decision and approval logs | Decision outcome, reason, latency, matched checks, approval status/resolver | Validation and approval workflows | Auditability, analytics, debugging, security investigations, exports | Contract; legitimate interests | Hosted query/export retention by tier: 90 days (Core), 1 year (Growth), 2 years (Scale), enterprise-configurable |
| Session telemetry | Session IDs, call counts, cumulative argument values, agent ID metadata | Validation requests with session context | Session constraints and abuse/risk controls | Contract; legitimate interests | Operationally retained while needed for enforcement and audit |
| MCP gateway upstream data | Upstream URL/command/args, optional upstream headers (encrypted at rest) | Workspace configuration | Route and authorize MCP upstream calls | Contract | Until upstream is updated/deleted by workspace admins |
| Billing and commercial data | Customer/org IDs, email/name for billing profile, product/tier and usage events | You and billing provider interactions | Subscription management, entitlement checks, invoicing and portal flows | Contract; legal obligations | Contract term plus legally required financial record periods |
| Sandbox and contact submissions | Work email, company, message, submitted timestamp, IP, user agent, referer | Website forms and webhook endpoint | Respond to requests, customer operations, abuse control | Consent or pre-contract steps; legitimate interests | Customer-request lifecycle and operational log retention periods |
| Client-side storage data | LocalStorage auth/org/project selections, theme preference, cookie consent choice | Your browser | Session persistence, UX settings, consent management | Legitimate interests; contract | Until cleared by logout, browser settings, or local expiration behavior |
| Website product analytics | Pageviews, route changes, click interaction metadata, browser/device metadata, timezone, coarse geolocation (country/region via IP), coarse campaign parameters | Your browser via PostHog, only after cookie consent | Measure product usage, improve UX, detect regressions, understand feature adoption | Consent | Per analytics workspace retention settings and local browser storage lifecycle |
| Infrastructure and security logs | Request metadata, service logs, Cloud Logging records | Application and cloud infrastructure | Reliability, incident response, monitoring, abuse prevention | Legitimate interests; legal obligations | Cloud log bucket retention: 30 days default, 400 days for required logs |
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use Customer Data to train AI models unless you explicitly opt in.
We use a minimal set of cookies and local storage. Full details are in our Cookie Policy. In summary:
PostHog is configured to respect Do Not Track (DNT) browser signals. You can decline analytics in the cookie banner at any time by clearing your consent choice and choosing "Decline" when the banner returns.
We share data only as necessary to operate the Services. Our current sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure, compute, storage, networking, logging | United States (us-central1) |
| Convex | Real-time database and backend functions | United States |
| Resend | Transactional email delivery (verification, notifications) | United States |
| PostHog | Product analytics (consent-gated) | European Union (Frankfurt) and United States |
| Better Auth | Authentication infrastructure | Self-hosted on GCP |
| Autumn | Billing and subscription management | United States |
| Vercel | Static documentation and marketing page hosting | Global CDN |
| GitHub | Source code hosting, CI/CD | United States |
The full, maintained list is at veto.so/legal/subprocessors. We notify customers at least 30 days before engaging a new sub-processor. You may object to a new sub-processor as described in our DPA.
Additionally, if you enable AI-assisted features, data may be transmitted to your configured LLM provider. Customer-configured webhooks and MCP upstreams receive data at endpoints you specify: you are responsible for those destinations.
Veto is based in the United States. Data may be processed in the U.S. and other jurisdictions where we or our sub-processors operate. We implement appropriate transfer safeguards as required by applicable law:
Details at veto.so/security.
We retain data only as long as necessary for service delivery, security, legal obligations, and legitimate business needs. Hosted query/export retention by category:
You may request deletion of your account and associated data at any time by contacting team@veto.so. We will process deletion requests within 30 days, subject to legal retention obligations and backup-recovery constraints. After account deletion, Customer Data is purged within 90 days from all production systems and within 180 days from backups.
Depending on your location, you have specific rights under applicable data protection laws. Submit requests to team@veto.so.
Response time: 30 days (extendable by 60 days for complex requests with notice).
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. You may designate an authorized agent to make requests on your behalf, subject to verification.
Response time: 15 days. Complaints may be filed with the Autoridade Nacional de Prote\u00e7\u00e3o de Dados (ANPD).
Data transferred outside Canada may be accessible to foreign authorities under their laws. We remain accountable for data in our sub-processors' hands.
We do not collect Special Care-Required Personal Information (health, criminal records, race, religion, social status) through the Services.
Response time: 30 days. Complaints may be filed with the Personal Data Protection Commission (PDPC). We appoint a Data Protection Officer as required by the PDPA.
For DIFC-based entities, the Commissioner of Data Protection oversees enforcement. For UAE federal PDPL, the UAE Data Office is the competent authority. We comply with data localization requirements where applicable.
If you are located in a jurisdiction with data protection legislation not specifically listed above (e.g., Australia Privacy Act 1988, South Korea PIPA, South Africa POPIA, Thailand PDPA, Indonesia PDP Law), we will honor your statutory rights. Contact team@veto.so with your request and applicable jurisdiction.
Veto's policy engine makes automated authorization decisions (allow, deny, require approval) about tool calls. These decisions are made about software actions, not about natural persons. The policy engine does not make decisions that produce legal effects concerning individuals or similarly significantly affect them within the meaning of GDPR Article 22.
If you configure Veto in a context where authorization decisions could have significant effects on individuals (e.g., automated systems affecting employment, credit, or service access), you are responsible for implementing appropriate human oversight as required by applicable law. Veto's approval workflows and decision records are designed to support this.
The Services are B2B infrastructure and are not directed to children. We do not knowingly collect personal information from anyone under 16 years of age. If you believe a child has provided us with personal information, contact team@veto.so and we will promptly delete it.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected customers without undue delay and in any event within 72 hours of becoming aware of the breach (as required by GDPR Article 33). Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address and mitigate the breach.
For customers subject to CCPA, LGPD, PIPEDA, or other laws with breach notification requirements, we will provide information necessary for you to fulfill your own notification obligations.
We may update this Privacy Policy as our services and legal obligations evolve. For material changes, we will provide at least 30 days advance notice via email or through the Services. We will always post the updated policy on this page and revise the "Last updated" date. Previous versions are available upon request.
Plaw, Inc. d/b/a Veto is the data controller for the processing described in this policy.
If you are in the EEA or UK and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. If you are in Brazil, you may contact the ANPD. If you are in Canada, you may contact the Office of the Privacy Commissioner.