Privacy Policy

Last updated: March 2026

This Privacy Policy describes how VSME ("we", "us", "our") collects, uses, and protects your personal data when you use the VSME platform ("Service").

1. Data We Collect

Account Data

• Email address (used for authentication and account communications)
• Password (hashed with scrypt — we never store plaintext passwords)
• Account tier and credit balance

Conversation Data

• Chat messages you send to the AI assistant
• AI-generated responses
• Feedback you provide on responses (thumbs up/down, corrections)

Usage Data

• Daily query counts and credit consumption
• Session timestamps
• Knowledge base articles referenced per query

ServiceNow Instance Data (Optional)

If you connect your ServiceNow instance:

• Instance URL and OAuth tokens (encrypted with AES-256-GCM at rest)
• Instance security configuration snapshots (system properties, hardening settings)
• No ServiceNow user credentials are stored — authentication uses OAuth 2.0

2. How We Use Your Data

• Provide the Service: Your queries and connected instance data are used to generate contextual security analysis
• Improve accuracy: Feedback on AI responses is used to refine future answers for your account
• Enforce limits: Usage data tracks credit consumption per your subscription plan
• Security: Account and session data is used to authenticate requests and prevent abuse

3. Third-Party Data Sharing

We share data with third parties only in the following cases:

• LLM Provider: Your queries (and relevant knowledge base context) are sent to our AI provider (Anthropic or OpenAI) for response generation. Query content is sent via API and is subject to the provider's data processing terms. We do not send your email, password, or ServiceNow credentials to the LLM provider.
• Email Service: Your email address is shared with our email provider (Resend) solely for account verification and password reset emails.

We do not sell your data. We do not use your data for advertising. We do not share your data with any other third parties.

4. Data Storage and Security

• All data is stored server-side in an SQLite database
• Passwords are hashed using scrypt with unique salts
• ServiceNow OAuth tokens are encrypted with AES-256-GCM
• Authentication uses HMAC-signed tokens in httpOnly cookies (not accessible via JavaScript)
• All connections use HTTPS/TLS encryption in transit

5. Data Retention

• Account data is retained while your account is active
• Conversation history is retained while your account is active
• ServiceNow instance snapshots are overwritten on each new scan
• Upon account deletion, all your data is permanently removed within 30 days

6. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

• Access: Request a copy of all personal data we hold about you
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your account and all associated data
• Portability: Receive your data in a machine-readable format
• Restriction: Request that we limit processing of your data
• Objection: Object to processing of your data for specific purposes

To exercise any of these rights, contact us at privacy@nowisor.com. We will respond within 30 days.

7. Cookies

We use a single essential cookie (vsme_auth) for authentication. This is an httpOnly, secure cookie that cannot be accessed by client-side JavaScript. We do not use tracking cookies, analytics cookies, or any third-party cookies.

8. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before they take effect.

10. Contact

For privacy-related questions or data requests, contact us at privacy@nowisor.com.