Privacy Policy
Privacy at Veto
Last updated: April 6, 2026
This Privacy Policy explains how Plaw, Inc. ("Plaw," "we," "our," "us"), a Delaware corporation, collects, uses, stores, shares, and protects information when you use veto.so and related services, including api.veto.so, auth.veto.so, and docs.veto.so (collectively, the "Services"). This policy applies globally and addresses requirements under the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act as amended (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Japan's Act on the Protection of Personal Information (APPI), Singapore's Personal Data Protection Act (PDPA), the UAE Federal Decree-Law No. 45/2021 on Personal Data Protection (PDPL), and other applicable data protection laws.
1. Data Controller and Processor Roles
For account administration, service delivery, security operations, billing, and website analytics, Plaw acts as the data controller. For tool-call payloads, policy content, decision data, and other customer-submitted operational data processed on your instructions, Plaw acts as a data processor and your organization acts as the controller.
This dual role is reflected in our Data Processing Addendum, which governs our processing of personal data on your behalf.
2. Data We Collect and Process
| Category | Examples | Source | Purpose | Legal Basis | Retention |
|---|---|---|---|---|---|
| Account and profile data | Email, name fields, profile image URL, auth provider identifier | You or your identity provider | Account creation, authentication, organization membership, support | Contract; legitimate interests | Account lifetime, then deleted or de-identified within operational windows |
| Authentication and session data | JWT claims, auth cookies, refresh/device-code records, login metadata | Auth flows and CLI device flow | Sign-in, session continuity, fraud and abuse prevention | Contract; security legitimate interests | Short-lived tokens by design; refresh/device records until expiry, revocation, or cleanup |
| Organization and project data | Organization name/slug, project name, owner identifiers, plan tier | Workspace admins and system events | Multi-tenant isolation, permissions, billing and feature gating | Contract; legitimate interests | Until organization/project deletion and related operational retention periods |
| Policy and tool configuration | Tool names/descriptions/schemas, policy constraints, exceptions, mode settings | You, your SDK/CLI, or generated drafts reviewed by you | Policy enforcement and policy lifecycle management | Contract | Until deleted or replaced by you |
| Validation payload data | Tool arguments and optional context submitted for validation | Your agents, SDKs, CLI, and API requests | Authorize, deny, or require approval before tool execution | Contract; processor role for customer content | Stored in decision/approval records according to retention windows below |
| Decision and approval logs | Decision outcome, reason, latency, matched checks, approval status/resolver | Validation and approval workflows | Auditability, analytics, debugging, security investigations, exports | Contract; legitimate interests | By tier: 7 days (Free), 30 days (Team), 90 days (Business), enterprise-configurable |
| Session telemetry | Session IDs, call counts, cumulative argument values, agent ID metadata | Validation requests with session context | Session constraints and abuse/risk controls | Contract; legitimate interests | Operationally retained while needed for enforcement and audit |
| MCP gateway upstream data | Upstream URL/command/args, optional upstream headers (encrypted at rest) | Workspace configuration | Route and authorize MCP upstream calls | Contract | Until upstream is updated/deleted by workspace admins |
| Billing and commercial data | Customer/org IDs, email/name for billing profile, product/tier and usage events | You and billing provider interactions | Subscription management, entitlement checks, invoicing and portal flows | Contract; legal obligations | Contract term plus legally required financial record periods |
| Demo and contact submissions | Work email, company, message, submitted timestamp, IP, user agent, referer | Website forms and webhook endpoint | Respond to requests, sales operations, abuse control | Consent or pre-contract steps; legitimate interests | Sales lifecycle and operational log retention periods |
| Client-side storage data | LocalStorage auth/org/project selections, theme preference, cookie consent choice | Your browser | Session persistence, UX settings, consent management | Legitimate interests; contract | Until cleared by logout, browser settings, or local expiration behavior |
| Website product analytics | Pageviews, route changes, click interaction metadata, browser/device metadata, timezone, coarse geolocation (country/region via IP), coarse campaign parameters | Your browser via PostHog, only after cookie consent | Measure product usage, improve UX, detect regressions, understand feature adoption | Consent | Per analytics workspace retention settings and local browser storage lifecycle |
| Infrastructure and security logs | Request metadata, service logs, Cloud Logging records | Application and cloud infrastructure | Reliability, incident response, monitoring, abuse prevention | Legitimate interests; legal obligations | Cloud log bucket retention: 30 days default, 400 days for required logs |
3. Product-Specific Transparency Notes
- Validation requests include tool name, arguments, and optional context. These may contain personal data depending on what your systems send. As a processor, we process this data only on your instructions.
- Decision and approval records store payloads and outcome metadata to provide audit trails and exports. Retention follows your plan tier.
- If AI-assisted validation or policy generation is enabled, relevant prompt material may be transmitted to the configured third-party LLM provider. We do not use this data to train models.
- MCP upstream headers are stored encrypted at rest and decrypted only for authorized runtime use.
- Website analytics (PostHog) are only activated after you provide cookie consent. PostHog is configured with aggressive PII masking, property denylists, and respect for Do Not Track (DNT) and Global Privacy Control (GPC) signals. When active, PostHog automatically collects your browser timezone and derives coarse geolocation (country/region) from your IP address. IP addresses are not stored after geolocation lookup.
4. How We Use Data
- Deliver, operate, and secure the Services
- Authenticate users and manage organization/project access
- Evaluate tool calls and produce allow/block/approval outcomes
- Provide logs, analytics, and data exports for customer audit needs
- Operate billing, entitlements, and subscription lifecycle events
- Prevent fraud, misuse, and abuse; investigate security incidents
- Comply with legal obligations and enforce contractual rights
- Improve the Services (using aggregated, de-identified data only)
- Communicate service updates, security notices, and (with consent) marketing
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use Customer Data to train AI models unless you explicitly opt in.
5. Cookies, Local Storage, and Tracking
We use a minimal set of cookies and local storage. Full details are in our Cookie Policy. In summary:
Essential (no consent required)
- veto_auth_token, veto_auth_user — authentication state
- veto_current_org, veto_current_project — workspace context
- veto-theme — display preference
- veto_cookie_consent — your consent choice
- Auth session cookies on auth.veto.so (cross-subdomain, 30-day expiry)
Analytics (consent required)
- PostHog client identifiers in localStorage — only set after you click "Accept" in our cookie banner
- Session recording is disabled by default and requires separate opt-in
We respect Do Not Track (DNT) browser signals and Global Privacy Control (GPC) signals. When either signal is detected, analytics cookies are not set regardless of consent state.
6. Sub-Processors and Data Sharing
We share data only as necessary to operate the Services. Our current sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure, compute, storage, networking, logging | United States (us-central1) |
| Convex | Real-time database and backend functions | United States |
| Resend | Transactional email delivery (verification, notifications) | United States |
| PostHog | Product analytics (consent-gated) | European Union (Frankfurt) / United States |
| Better Auth | Authentication infrastructure | Self-hosted on GCP |
| Autumn | Billing and subscription management | United States |
| Vercel | Documentation site hosting (docs.veto.so) | Global CDN |
| GitHub | Source code hosting, CI/CD | United States |
The full, maintained list is at veto.so/legal/subprocessors. We notify customers at least 30 days before engaging a new sub-processor. You may object to a new sub-processor as described in our DPA.
Additionally, if you enable AI-assisted features, data may be transmitted to your configured LLM provider. Customer-configured webhooks and MCP upstreams receive data at endpoints you specify — you are responsible for those destinations.
7. International Data Transfers
Plaw is based in the United States. Data may be processed in the U.S. and other jurisdictions where we or our sub-processors operate. We implement appropriate transfer safeguards as required by applicable law:
- EU/EEA: We rely on the EU-U.S. Data Privacy Framework (DPF) where applicable, and Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) as a supplementary transfer mechanism.
- United Kingdom: We use the UK Extension to the EU-U.S. DPF, the UK Addendum to EU SCCs (International Data Transfer Agreement), or equivalent mechanisms approved by the ICO.
- Brazil (LGPD): Transfers are based on contractual safeguards and the data subject rights enumerated in Section 10.
- Canada (PIPEDA): We maintain contractual protections ensuring comparable protection for data transferred outside Canada. We remain accountable for data in our sub-processors' hands.
- Japan (APPI): We provide information about the data protection system in the receiving country and monitor sub-processor compliance as required by APPI cross-border transfer rules.
- Singapore (PDPA): Transfers are protected by contractual obligations ensuring a comparable standard of protection under Singapore's Personal Data Protection Act 2012 (as amended 2020). We comply with PDPC transfer requirements including ensuring recipients are bound by legally enforceable obligations.
- United Arab Emirates (PDPL / DIFC): For users subject to UAE Federal Decree-Law No. 45/2021 (PDPL) or the DIFC Data Protection Law No. 5/2020, transfers are governed by adequate contractual safeguards and we ensure the receiving jurisdiction provides adequate data protection or appropriate safeguards are in place.
8. Security Measures
- Encryption in transit (TLS 1.2+) for all service endpoints
- Encryption at rest for databases and sensitive configuration
- Hashed API key storage with scoped access controls
- Secret management for production credentials and encryption keys
- Operational monitoring, structured logging, and abuse-rate controls
- Regular security assessments and vulnerability management
- Least-privilege access for internal team members
- Incident response procedures with defined notification timelines
Details at veto.so/security.
9. Data Retention and Deletion
We retain data only as long as necessary for service delivery, security, legal obligations, and legitimate business needs. Specific retention by category:
- Decision logs: 7 days (Free), 30 days (Team), 90 days (Business), enterprise-configurable
- Account data: Account lifetime plus operational cleanup windows
- Infrastructure logs: 30 days default, 400 days for required audit logs
- Billing records: As required by tax and financial reporting laws
You may request deletion of your account and associated data at any time by contacting team@plaw.io. We will process deletion requests within 30 days, subject to legal retention obligations and backup-recovery constraints. After account deletion, Customer Data is purged within 90 days from all production systems and within 180 days from backups.
10. Your Privacy Rights
Depending on your location, you have specific rights under applicable data protection laws. Submit requests to team@plaw.io.
European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing based on legitimate interests (Art. 21)
- Right to withdraw consent at any time (Art. 7(3))
- Right to lodge a complaint with your local supervisory authority
- Right not to be subject to solely automated decision-making with legal effects (Art. 22)
Response time: 30 days (extendable by 60 days for complex requests with notice).
California, United States (CCPA/CPRA)
- Right to know what personal information is collected, used, and disclosed
- Right to access your personal information
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your rights
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. You may designate an authorized agent to make requests on your behalf, subject to verification.
Brazil (LGPD)
- Right to confirmation of processing and access to data
- Right to correction of incomplete, inaccurate, or outdated data
- Right to anonymization, blocking, or deletion of unnecessary or excessive data
- Right to data portability
- Right to information about public and private entities with which data has been shared
- Right to information about the possibility of denying consent and its consequences
- Right to revoke consent
Response time: 15 days. Complaints may be filed with the Autoridade Nacional de Proteção de Dados (ANPD).
Canada (PIPEDA / Quebec Law 25)
- Right to access personal information held about you
- Right to challenge accuracy and completeness and request amendments
- Right to withdraw consent (subject to legal or contractual restrictions)
- Right to file a complaint with the Office of the Privacy Commissioner of Canada
Data transferred outside Canada may be accessible to foreign authorities under their laws. We remain accountable for data in our sub-processors' hands.
Japan (APPI)
- Right to disclosure of retained personal data
- Right to correction, addition, or deletion of inaccurate data
- Right to request cessation of use or erasure
- Right to request cessation of provision to third parties
We do not collect Special Care-Required Personal Information (health, criminal records, race, religion, social status) through the Services.
Singapore (PDPA)
- Right to access personal data in our possession or control
- Right to correction of personal data that is inaccurate, incomplete, or outdated
- Right to withdraw consent for collection, use, or disclosure
- Right to request information about how your data has been used or disclosed in the past year
- Right to data portability (effective February 2021 amendments)
Response time: 30 days. Complaints may be filed with the Personal Data Protection Commission (PDPC). We appoint a Data Protection Officer as required by the PDPA.
United Arab Emirates (PDPL / DIFC)
- Right to access and obtain a copy of your personal data
- Right to rectification of inaccurate or incomplete data
- Right to request erasure of personal data
- Right to restrict or object to processing
- Right to data portability in a structured, machine-readable format
- Right to withdraw consent where processing is consent-based
For DIFC-based entities, the Commissioner of Data Protection oversees enforcement. For UAE federal PDPL, the UAE Data Office is the competent authority. We comply with data localization requirements where applicable.
Other Jurisdictions
If you are located in a jurisdiction with data protection legislation not specifically listed above (e.g., Australia Privacy Act 1988, South Korea PIPA, South Africa POPIA, Thailand PDPA, Indonesia PDP Law), we will honor your statutory rights. Contact team@plaw.io with your request and applicable jurisdiction.
11. Automated Decision-Making
Veto's policy engine makes automated authorization decisions (allow, deny, require approval) about tool calls. These decisions are made about software actions, not about natural persons. The policy engine does not make decisions that produce legal effects concerning individuals or similarly significantly affect them within the meaning of GDPR Article 22.
If you configure Veto in a context where authorization decisions could have significant effects on individuals (e.g., automated systems affecting employment, credit, or service access), you are responsible for implementing appropriate human oversight as required by applicable law. Veto's approval workflows and audit logs are designed to support this.
12. Children's Privacy
The Services are B2B infrastructure and are not directed to children. We do not knowingly collect personal information from anyone under 16 years of age. If you believe a child has provided us with personal information, contact team@plaw.io and we will promptly delete it.
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected customers without undue delay and in any event within 72 hours of becoming aware of the breach (as required by GDPR Article 33). Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address and mitigate the breach.
For customers subject to CCPA, LGPD, PIPEDA, or other laws with breach notification requirements, we will provide information necessary for you to fulfill your own notification obligations.
14. Changes to This Policy
We may update this Privacy Policy as our services and legal obligations evolve. For material changes, we will provide at least 30 days advance notice via email or through the Services. We will always post the updated policy on this page and revise the "Last updated" date. Previous versions are available upon request.
15. Contact and Complaints
Plaw, Inc. is the data controller for the processing described in this policy.
- Privacy and data subject requests: team@plaw.io
- Security incidents: team@plaw.io
- Legal and compliance: team@plaw.io
If you are in the EEA or UK and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. If you are in Brazil, you may contact the ANPD. If you are in Canada, you may contact the Office of the Privacy Commissioner.