Your work, your relationships, your taste: these are yours. Visualist collects the data it needs to run the product for you, and nothing beyond. We do not train AI models on your Content. We do not sell your data. We use a small, named set of service providers to run the Service, and we keep your data for only as long as we need it. You have rights over your data under UK and EU law, and this document explains how to exercise them.
If you want the detail, read on. If you want to skip to your rights, section 9. If you want to contact us, legal@visualistapp.com.
Who we are
Visualist Technologies Ltd ("Visualist," "we," "us") is the data controller for the personal data described in this policy. We are a company registered in England and Wales under company number 12227268, with our registered office at 7 Bell Yard, London WC2A 2JR.
We are registered with the UK Information Commissioner's Office under registration number ZA929007.
Throughout this policy, "the Service" means the Visualist product, the marketing site at visualistapp.com, any other websites, subdomains, microsites, or campaign pages we operate, hubs you create, and any other service, tool, or channel we provide.
For anything to do with this policy or your data, write to us at legal@visualistapp.com.
What this policy covers
This policy covers personal data we collect when you use the Service.
When you invite someone into a hub (clients, partners, vendors, collaborators, anyone else), you decide why their data is there and what's done with it. In data-protection terms, that makes you the controller of their data and Visualist the processor acting on your instructions. You're responsible for having a lawful basis to invite them. We're responsible for handling their data securely and only as you direct.
What we collect
We collect personal data from three sources.
What you give us directly. When you create an account, we collect your name, email address, and account credentials. When you pay, our payment processor collects your card and billing details (we don't see or store your card number). When you use the Service, we process the content you upload, create, and generate: moodboards, projects, client briefs, messages, images, taste preferences, and anything else you put into Visualist. When you contact us, we keep the record of that conversation.
What your hub invitees give us. When someone you invite into a hub provides information (contact details, files, responses to questionnaires, messages), we process it on your instructions as part of providing hubs to you. You decide what to ask for.
What we collect automatically. When you use the Service, our systems log technical information: your IP address, browser type, device type, operating system, time of access, and how you navigate the Service. We collect diagnostic data when something goes wrong (crash reports, error logs). We use cookies on the marketing site; see our Cookies Notice for the full list.
Why we use it, and under what legal basis
Under UK GDPR, we need a lawful basis for every purpose we process data for. Here are ours.
To provide the Service to you. Running your account, delivering features, processing your Content so Vai and the rest of the product can work. Lawful basis: performance of our contract with you.
To personalize the Service for you. Visualist learns how you work, what you like, and how you see, so the product gets better at serving you over time. This is what makes taste memory, Vai's suggestions, and personalized recommendations work. Lawful basis: performance of our contract with you, and our legitimate interest in making the Service genuinely useful.
To take payments. Billing, collecting payment, handling refunds and disputes. Lawful basis: performance of our contract with you, and our legal obligation to keep financial records.
To communicate with you about the Service. Service announcements, security alerts, billing notices, policy changes. These are not marketing; they're operational and you'll receive them while you have an account. Lawful basis: performance of our contract, and legal obligation where applicable.
To send you marketing. Newsletters, product announcements, event invitations. We only send these with your consent, and you can withdraw consent at any time using the unsubscribe link in any marketing email. Lawful basis: your consent.
To keep the Service secure. Detecting fraud, preventing abuse, investigating security incidents, and enforcing our Terms. Lawful basis: our legitimate interest in running the Service safely, and our legal obligations.
To improve the Service. Analyzing aggregated, anonymized usage patterns to understand what's working and what isn't. This is product analytics, not surveillance; we look at patterns across the user base, not at individuals. Lawful basis: our legitimate interest in improving the product.
To meet our legal obligations. Responding to lawful requests from authorities, defending legal claims, complying with tax and corporate law. Lawful basis: legal obligation, and our legitimate interest in defending our rights.
AI, your Content, and how we use it
This is the section most of our users care about most, so we're stating it plainly.
We do not train foundation AI models on your Content. Your moodboards, your client work, your taste, your messages, the images you upload, the words you write: none of it is used to train general-purpose AI models whose outputs benefit anyone other than you.
We do not share your Content with AI providers for training purposes. When the product needs to generate something (a Vai response, an image edit, a draft email), we send the relevant data to our AI providers (OpenAI and Anthropic) via their APIs under standard commercial terms. Under those terms, the providers do not retain your data and do not use it to train their models. The request happens, the response comes back, and your data is not stored on their side.
We do use your Content to personalize the Service for you. This is what taste memory is. Visualist learns your visual preferences, how you brief a project, how you write to clients, what you tend to pick, and uses that learning to make your experience of the product better over time. What we learn from your work stays with your work. It never shapes another user's experience, and if you delete your account, the learning goes with it.
The short version: personalization is the product. Training is not something we do.
Who we share data with
We don't sell your data. We share it with a small, named set of service providers who help us run the Service. Each is bound by contract to handle your data only for the purposes we specify, and each is listed below.
| Provider | What they do | Region |
|---|---|---|
| Stripe | Payments processing | United States |
| PostHog | Product and site analytics | European Union |
| SendGrid | Transactional email (password resets, receipts, notifications) | United States |
| Google Workspace | Our internal business operations (email, documents) | United States / global |
| Linear | Our internal issue tracking | United States |
| OpenAI | AI model inference (via API) | United States |
| Anthropic | AI model inference (via API) | United States |
| AWS | Hosting and infrastructure | European Union |
| Cloudflare | Content delivery and security | Global edge network |
| GitHub | Our internal code hosting | United States |
| Sentry | Error monitoring and diagnostics | European Union |
We may also share your data where we're legally required to (court orders, lawful requests from regulators, tax authorities), or to defend our legal rights. If Visualist is ever acquired, merged, or reorganized, your data would transfer to the successor entity under this same policy; we'd notify you before that happened.
International transfers
Visualist is based in the UK. Most of our infrastructure is in the EU. Some of our providers are based in the United States. Where your data leaves the UK or EU, we rely on the legal mechanisms that UK and EU law require:
- The UK-US Data Bridge and EU-US Data Privacy Framework, where the provider is certified under them.
- The UK International Data Transfer Agreement or EU Standard Contractual Clauses, where the provider is not.
In plain terms: any time your data goes somewhere that doesn't have the same protections as the UK or EU, we've put contracts in place to hold the provider to UK/EU standards anyway.
How long we keep your data
We keep data only as long as we need to, and here's what that means in practice.
- Your account data: for as long as your account is active, plus 30 days after you close it. After 30 days, it's permanently deleted from our live systems.
- Billing and payment records: seven years from the date of the transaction, because UK tax law requires it.
- Your communications with us: two years from the date of your last message to us.
- Log and diagnostic data: 90 days.
- Backups: up to 90 days after you delete something from the live Service. Backups exist so we can recover from failure; they're not a second copy we keep for other purposes.
- Data you've asked us to delete: removed as soon as reasonably practicable, subject to the retention periods above where we're legally required to keep something.
Your rights
Under UK GDPR and EU GDPR, you have the following rights over your personal data. You can exercise any of them by emailing legal@visualistapp.com. We'll respond within one month.
- Access. You can ask for a copy of the personal data we hold about you.
- Rectification. You can ask us to correct data that's inaccurate or incomplete.
- Erasure. You can ask us to delete your data. There are some exceptions (we may need to keep financial records, for example), and we'll tell you if any apply.
- Restriction. You can ask us to pause processing your data in certain circumstances.
- Portability. You can ask for a copy of the data you've given us, in a machine-readable format, so you can take it to another service.
- Objection. You can object to any processing we're doing on the basis of legitimate interest.
- Withdraw consent. Where we rely on your consent, you can withdraw it at any time. Withdrawing consent doesn't affect the lawfulness of processing we did before you withdrew.
- Complain to the ICO. If you think we've handled your data wrongly, you can complain to the UK Information Commissioner's Office at ico.org.uk, or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We'd prefer you come to us first so we can try to put it right, but that's your call.
Children
Visualist is a product for working professionals. You need to be 18 or older to use the Service. We don't knowingly collect data from anyone under 13. If you believe a child under 13 has given us information, contact legal@visualistapp.com and we'll delete it.
California residents
If you live in California, the California Consumer Privacy Act gives you specific rights over your data.
- The right to know what personal information we've collected about you, where it came from, why we collected it, and who we've shared it with.
- The right to delete personal information we've collected from you, subject to some exceptions.
- The right to correct inaccurate personal information.
- The right to opt out of the "sale" or "sharing" of your personal information. We don't sell or share your personal information in the way CCPA defines those terms.
- The right not to be discriminated against for exercising any of these rights.
To exercise any of these, email legal@visualistapp.com.
Security
We take security seriously. Your data is encrypted in transit and at rest. Access to production systems is limited to people who need it for their job. We review our security practices regularly.
No system is perfectly secure. If we ever have a data breach that's likely to affect your rights, we'll notify you and the ICO within 72 hours of becoming aware of it, as UK GDPR requires.
Your account security is partly in your hands. Choose a strong password, don't share your credentials, and sign out when you're done on a shared device. If you think your account has been compromised, contact us immediately.
Changes to this policy
We may update this policy from time to time. If we make material changes, we'll notify you by email before they take effect. For smaller changes, we'll update the "Last updated" date at the top. The current version is always the one you're reading now.
Contact
Visualist Technologies Ltd
7 Bell Yard, London WC2A 2JR