1. High-level posture
Vizuna is designed to be privacy-first. Reflections may include sensitive workplace context, so the product is built to minimise exposure, avoid attribution, and limit what organisations can access.
Vizuna's customer-facing production backend is hosted with Supabase in the European Union / Ireland (eu-west-1). Web hosting and related server-side web services are provided through Vercel. AI providers may process limited inputs only when Vizuna AI features are enabled.
2. Data access and privacy boundaries
- Individual reflections and free-form feedback are not provided to organisations as raw text.
- Where organisation-level reporting exists, it is designed to be anonymised and aggregated.
- Vizuna AI outputs are designed to be pattern-based and not reveal who said what.
- Recipient-level outreach tracking records, where used for Vizuna's own outreach operations, are restricted to authorised Vizuna roles that need them for business development or customer-facing work and are not exposed to customer organisations.
3. Account and authentication
- Vizuna uses authenticated sessions to control access to user data.
- Sensitive actions such as account deletion and data export require additional confirmation or re-authentication flows.
4. Logging and operational safety
Vizuna treats free-form reflection text and Vizuna AI chat content as sensitive. Operational logging is designed to avoid storing:
- Reflection text
- Vizuna AI chat transcripts
- Tokens and credentials
- Device tokens and notification bodies
5. Operational tooling
Operational monitoring and structured logging are in place. The operational tooling that may process limited, non-personal metadata includes:
- Plausible Analytics — cookie-free, privacy-focused web analytics on the public marketing site. Collects aggregate page views, referral sources, and country-level location. Does not collect personal data or track individuals across sites.
- Vercel Speed Insights — lightweight web performance telemetry (page load times, core web vitals). Does not collect personal content.
- First-party product analytics (Vizuna behavior telemetry) — Vizuna operates its own pseudonymous product analytics pipeline that records interaction telemetry such as page engagement, navigation behavior, scroll depth, viewport dimensions, and session duration across the marketing site and customer portal. Administrative areas are intentionally excluded from this dataset. It uses pseudonymous browser identifiers and a browser-based opt-out flag. It does not log IP address or user-agent, does not collect reflection text or Vizuna AI content, and events are not joined to a user's Vizuna account. Events are handled through Vizuna's first-party telemetry flow, stored with Vizuna's existing infrastructure provider, and automatically deleted after 90 days. Access to the resulting dashboards is limited to authorised Vizuna operational roles. See the Cookie Policy and Privacy Policy for user-facing details and opt-out instructions.
- Vizuna outreach-link reporting — Vizuna may record that a tracked business-development link was clicked without setting a browser cookie. Vizuna does not use an outreach attribution cookie or downstream browsing attribution for this flow.
6. Incident response
Vizuna maintains a documented incident response and escalation process for security and privacy incidents.
7. Compliance posture
Vizuna supports GDPR-style privacy principles globally and provides documentation for enterprise privacy and security review. Formal security certifications are claimed only when completed and verified.
8. Contact
For security questions or to request additional security documentation, please contact us at support@vizuna.com.