Privacy Policy

Campbell Labs LLC operates VAIBot. This policy explains how we collect, use, and protect your data.

Information we collect

We collect information you provide directly, such as your email address when you sign up or subscribe to updates. We also collect usage data automatically, including governance decision counts, API request metadata (agent IDs, tool names, risk classifications), and account activity. We do not collect or store the content of the commands your agents attempt to execute — only the governance decision metadata.

How we use your information

We use your information to provide and improve the VAIBot service, send you important account notifications and product updates (only if you opted in), calculate your quota usage, generate governance receipts and audit trails, and comply with legal obligations. We do not sell your personal data to third parties.

Data retention

Governance receipts are retained for the duration specified by your plan (30 days for Free, 1 year for Govern and Audit). Account data is retained for as long as your account is active. You may request deletion of your account and associated data at any time by contacting us.

On-chain data

If you use the Audit plan, governance receipt hashes are anchored to the Base blockchain via Merkle roots. This on-chain data is public, permanent, and cannot be deleted — this is by design, as it provides the tamper-proof guarantees the product is built on. No personally identifiable information is included in on-chain records.

Third-party services

VAIBot uses the following third-party services: Supabase (authentication and database), Stripe (payment processing), Resend (transactional email). Each service has its own privacy policy governing their use of data. We share only the minimum data necessary for each service to function.

RenderFuse (content-boundary protection)

RenderFuse is VAIBot's content-boundary protection. It scans, sanitizes, and render-guards untrusted content — web pages, emails, documents, or pasted text — to neutralize hidden instructions, phishing and look-alike links, tracking pixels, and other unsafe artifacts before they reach an assistant or user. When you provide a URL, RenderFuse fetches that page only to analyze it, through a fetcher that refuses private or internal network addresses. For each request, RenderFuse records a content-boundary receipt under your account containing cryptographic hashes of the source, sanitized, and final content, the policy version applied, the decision, and the artifacts it blocked or downgraded (including the domains involved). It does not store the full raw source content or the summary text. A receipt can be verified at a public link gated by an unguessable identifier; that public view shows only the decision, the neutralized artifacts, and the hashes — never your account identity or the original source URL. When RenderFuse is used through a third-party assistant such as a custom GPT, the content you submit is sent to RenderFuse over an authenticated connection, and that assistant's own privacy policy also governs its handling of your data. RenderFuse receipts follow the same plan-based retention described above.

Security

We use industry-standard security practices including encryption in transit (TLS), encrypted at-rest storage, and scoped API keys. Governance receipts are integrity-protected via SHA-256 content hashing. If you discover a security vulnerability, please disclose it responsibly by contacting us directly.

Your rights

Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data; object to or restrict certain processing; and data portability. To exercise these rights, contact us at the address below. We will respond within 30 days.

Contact

Campbell Labs LLC For privacy inquiries: briantacampbell@gmail.com This policy was last updated June 2026.