VectorAIQ Visitor Privacy Policy
Effective date: May 5, 2026 · Last updated: May 5, 2026
This Privacy Policy ("Policy") describes how MAXBURST, Inc. ("MAXBURST," "we," "us," or "our"), a Delaware corporation, collects, uses, discloses, and safeguards information about website visitors who interact with the VectorAIQ embeddable chat widget (the "Widget") deployed on websites operated by our customers (each, a "Site Operator").
By using the Widget, you acknowledge that you have read and understood this Policy. If you do not agree, please do not interact with the Widget.
Notice on Legal Effect. This Policy allocates responsibility between MAXBURST and the Site Operators that deploy the Widget on their websites. To the maximum extent permitted by applicable law, this Policy operates together with our Customer Agreements and Data Processing Agreements to release and limit MAXBURST's liability as described in Section 13.
1. Who Is Responsible for Your Data
When you chat through a Widget on a third-party website (for example, example.com), two parties handle your data with different roles:
- The Site Operator — the operator of the website on which the Widget appears — is the data controller (or "business" under the CCPA). The Site Operator decides what data is collected, why, and how long it is kept, and is responsible for any consents and notices required on its site.
- MAXBURST acts as a data processor (or "service provider"). We process your data only on behalf of and on the instructions of the Site Operator under a Customer Agreement and, where applicable, a Data Processing Agreement.
This means: for questions, requests, or complaints about the data collected through a chat on a third-party website, please contact the Site Operator first. We will reasonably assist the Site Operator as required by our agreement with them.
2. Information We Collect About Visitors
When you interact with the Widget, the following categories of information may be collected and processed on the Site Operator's behalf:
(a) Identifiers and device data
- A pseudonymous visitor ID generated and stored in your browser to recognize you when you return on the same device and browser. It is not a tracking cookie.
- IP address and basic browser/device information (such as browser type and operating system).
- Approximate geolocation (country, region/state, city) derived from your IP address. We do not collect precise GPS coordinates.
- A session identifier and timing metadata for the conversation.
(b) Conversation content
- The text of messages you send and the AI-generated (or human operator) responses you receive.
- Quick-reply selections, ratings, and free-text feedback you submit.
- Products or content surfaced to you during the conversation.
(c) Contact information you choose to provide
- Name, email, phone, company, and job title when you fill out a lead form, request a callback, or volunteer them in conversation.
- A short summary of the conversation generated at the time of lead capture.
(d) Visitor-profile fields managed by the Site Operator (visible to the Site Operator only)
- Lead status, lead score, tags, and notes added by the Site Operator's staff after reviewing your conversation.
(e) Information saved in your browser
- A small amount of information is saved in your browser's local storage to keep the chat working between page loads (visitor ID, recent conversation state, whether the chat is open or closed, whether a disclaimer was dismissed). This is first-party storage on the Site Operator's website, not cross-site tracking. You can clear it at any time via your browser settings.
We do not knowingly collect payment-card numbers, government identifiers, biometric data, precise geolocation, or files unless a Site Operator has specifically enabled and instructed such collection.
3. How Information Is Collected
| Source | Mechanism |
|---|---|
| Direct from you | Messages you type, forms you submit, ratings you give. |
| Automatically | Server logs of your connection, IP address, browser information, and the visitor ID. |
| From third parties | Approximate location derived from your IP address via a geolocation lookup service. |
4. How Visitor Information Is Used
We process visitor information only for the following purposes, and only on the Site Operator's instructions:
- Routing your messages to the AI agent and returning responses in real time.
- Maintaining conversation context within a session and across return visits on the same device and browser.
- Performing semantic product search and knowledge-base retrieval to answer your questions.
- Enabling human-operator takeover when you request it or when the AI escalates.
- Capturing leads and forwarding them to the Site Operator.
- Enriching the visitor profile with the contact details and approximate location described in Section 2.
- Providing the Site Operator with conversation history, analytics, and CRM-style tools.
- Detecting abuse, enforcing acceptable use, and applying input safety guardrails.
We do not use Site Visitor conversation content to train or fine-tune our generally available AI models.
5. Legal Bases for Processing (EEA / UK / Switzerland)
Where the GDPR or UK GDPR applies, the lawful bases for processing visitor data are:
- Performance of a contract between MAXBURST and the Site Operator (Art. 6(1)(b)) — to deliver the chat service.
- Legitimate interests (Art. 6(1)(f)) — to operate, secure, and route Widget conversations to AI processing, balanced against your rights.
- Consent (Art. 6(1)(a)) — where the Site Operator has obtained your consent (for example, via a cookie/consent banner) and passed it to us, or where consent is otherwise required by law.
For visitor data, the Site Operator is responsible for selecting the appropriate legal basis and for collecting valid consent where required, including any consent required for storing information on your device.
6. AI Processing and Automated Decision-Making
The Widget uses third-party large language models (currently provided by OpenAI) to generate responses. Conversation content is transmitted to that provider for the sole purpose of generating a response in real time. The provider acts as a sub-processor under its API terms and, per its published policy, does not use API inputs or outputs to train its models by default.
Important disclosures about AI output:
- The AI agent's responses are machine-generated and may contain inaccuracies or out-of-date information.
- The AI agent does not make legally or similarly significant automated decisions about you. It surfaces information, recommends products, and routes requests; final decisions remain with the Site Operator and with you.
- Outputs should not be relied upon for medical, legal, financial, or other professional advice.
- See Section 13 for the corresponding limitation of liability.
7. Disclosure of Visitor Information
We disclose visitor information only as described below.
7.1 To the Site Operator
All visitor data described in Section 2 is made available to the Site Operator that owns the website on which the Widget appears. The Site Operator's own privacy policy governs its subsequent use of that data.
7.2 To Sub-Processors
We engage the following sub-processors to operate the Widget. Each is bound by written terms requiring confidentiality and security measures consistent with this Policy.
| Sub-Processor | Role for Visitor Data |
|---|---|
| OpenAI (United States) | Generates AI responses to conversation content. |
| Supabase (United States / EU) | Stores conversations, messages, and visitor profiles in managed databases. |
| DigitalOcean (United States) | Hosts the backend that receives chat traffic. |
| Vercel (United States / global edge) | Delivers the Widget to your browser. |
| IP geolocation provider (EU) | Provides approximate location from an IP address. We send only the IP address. |
A current, itemized list is available on request.
7.3 To Site-Operator-Designated Recipients
If a Site Operator integrates a CRM, email tool, webhook, or analytics destination, we will forward visitor data to those recipients on the Site Operator's instruction. MAXBURST has no control over, and accepts no responsibility for, the practices of those downstream recipients.
7.4 For Legal Reasons
We may disclose information if we believe in good faith that disclosure is required to comply with a subpoena, court order, or other legal process; to enforce our agreements; to protect the rights, property, or safety of MAXBURST, our users, or others; or to investigate fraud or security incidents.
7.5 Business Transfers
In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, information may be transferred to the successor entity, subject to this Policy or a substantially similar one.
7.6 No Sale of Personal Information
MAXBURST does not sell visitor personal information for monetary consideration and does not "share" it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA), as amended.
8. International Data Transfers
The Widget is operated from the United States. Visitor information may be transferred to, processed in, and stored in the United States and other countries where our sub-processors operate. Where personal data is transferred from the EEA, UK, or Switzerland to a country not deemed adequate, we rely on Standard Contractual Clauses and any applicable UK addendum, supplemented by appropriate safeguards.
9. Data Retention
| Visitor data | Default retention |
|---|---|
| Conversation transcripts and messages | Retained per the Site Operator's configuration. Deleted records are purged on a rolling basis. |
| Visitor profiles | Retained per the Site Operator's configuration; deletable on request. |
| Lead records | Retained per the Site Operator's configuration. |
| Active session state | Cleared after approximately 10 minutes of inactivity. |
| Conversation status | Marked ended after approximately 1 hour of silence. |
| Short-term conversation memory | Pruned after approximately 7 days. |
| Backups | Encrypted backups may persist for up to 30 days after deletion in the live system. |
Site Operators may configure shorter retention windows. Where law requires longer retention (e.g., litigation hold), data will be retained for the period required.
10. Security
We use industry-standard administrative, technical, and physical safeguards to protect visitor data, including:
- Encryption in transit for all chat traffic between your browser and our servers.
- Encryption at rest for stored conversations, messages, and visitor profiles.
- Tenant isolation so that each Site Operator's data is segregated from other Site Operators'.
- Input safety filters to screen abusive or out-of-scope input before it reaches the AI agent.
- Access controls based on least privilege, with monitored production environments.
No system is impenetrable. We cannot and do not guarantee absolute security, and you transmit information at your own risk. Section 13 governs our liability in the event of a security incident, to the maximum extent permitted by applicable law.
11. Your Rights and Choices
Subject to verification and applicable exceptions, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete personal information.
- Restrict or object to certain processing.
- Data portability — receive your data in a structured, commonly used format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with a supervisory authority (in the EEA), the UK ICO, or your state attorney general.
11.1 How to Exercise Your Rights
Direct your request to the Site Operator (the operator of the website on which the Widget appeared). The Site Operator is responsible for responding within the timelines required by applicable law (generally 30 days under the GDPR; 45 days under the CCPA, extendable once). We will reasonably assist the Site Operator as required by our DPA.
If you cannot reach the Site Operator, you may contact us at privacy@getvectoraiq.com and we will route your request appropriately.
11.2 California Residents (CCPA / CPRA)
California residents have the additional rights to know, delete, correct, opt out of "sale" or "sharing," and limit use of sensitive personal information. As stated in Section 7.6, MAXBURST does not sell or share personal information for cross-context behavioral advertising. We do not knowingly process the personal information of consumers under 16 for sale or sharing.
11.3 EEA / UK Residents
In addition to the rights above, you have the right to lodge a complaint with your local Data Protection Authority. Where the Site Operator is established outside the EEA/UK, the Site Operator is responsible for any local-representative obligation that may apply.
11.4 Practical Choices
- Clear local data: clear your browser's site data for the website hosting the Widget to remove the visitor ID and recent conversation state.
- Refuse to chat: simply do not open or use the Widget. Loading the page may still log standard connection information (IP and browser type) when the Widget loads.
- Refuse to share contact info: leave lead forms blank. The conversation will continue without contact details.
12. Cookies, Browser Storage, and Children
12.1 First-Party Browser Storage
The Widget does not set tracking cookies. It saves a small amount of information in your browser's local storage on the Site Operator's website to keep the chat working — namely a visitor ID, recent conversation state, whether the chat is open or closed, and whether a disclaimer was dismissed.
The Site Operator is responsible for disclosing this in its own cookie/consent notice where required by law.
12.2 Children
The Widget is not directed to and not intended for use by children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from such children. If we learn that we have inadvertently collected such information, we will delete it. If you believe a child has provided personal information through the Widget, please contact us at privacy@getvectoraiq.com.
12.3 Do Not Track / Global Privacy Control
The Widget does not respond to legacy "Do Not Track" browser signals, which are not supported by a uniform standard. Any honoring of the Global Privacy Control (GPC) signal on the Site Operator's website is the responsibility of the Site Operator.
13. Disclaimers and Limitation of Liability
PLEASE READ THIS SECTION CAREFULLY. IT LIMITS THE LIABILITY OF MAXBURST AND ITS AFFILIATES.
13.1 No Warranties
THE WIDGET, INCLUDING ALL AI-GENERATED OUTPUT, IS PROVIDED "AS IS" AND "AS AVAILABLE", WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. TO THE FULLEST EXTENT PERMITTED BY LAW, MAXBURST DISCLAIMS ALL WARRANTIES, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, AND UNINTERRUPTED OR ERROR-FREE OPERATION. We make no warranty that AI-generated responses are accurate, complete, current, lawful, or fit for any particular purpose.
13.2 Site Operator Responsibility
For visitor data, the Site Operator is the data controller. The Site Operator is solely responsible for: (a) the lawfulness of its instructions to MAXBURST; (b) providing required notices and obtaining required consents (including any consent for browser storage and any consent for processing children's data); (c) the accuracy and lawful basis of any data it directs us to process; (d) honoring data-subject requests it receives; and (e) the operation of any human-operator features (including takeover, lead routing, and notes or tags written by its staff). MAXBURST is not liable for the Site Operator's privacy practices, the configuration of its chat agent, or its handling of leads after delivery.
13.3 Third-Party Services
MAXBURST relies on the sub-processors listed in Section 7.2. We are not liable for outages, security incidents, or data-handling practices of those third parties beyond the obligations they owe to us in their own service terms.
13.4 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL MAXBURST, ITS AFFILIATES, OR ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR LICENSORS BE LIABLE TO ANY VISITOR FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, REVENUE, GOODWILL, USE, OR DATA, ARISING OUT OF OR IN CONNECTION WITH THE WIDGET OR THIS POLICY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
WHERE LIABILITY CANNOT BE EXCLUDED UNDER APPLICABLE LAW, MAXBURST'S TOTAL CUMULATIVE LIABILITY TO ANY VISITOR ARISING OUT OF OR RELATING TO THE WIDGET OR THIS POLICY WILL NOT EXCEED ONE HUNDRED U.S. DOLLARS (US $100.00).
13.5 Release of Claims
If you believe your privacy rights were violated through your use of a Widget on a third-party website, you acknowledge that the Site Operator — not MAXBURST — is the controller of that data and the proper respondent. To the maximum extent permitted by applicable law, you release MAXBURST and its affiliates, officers, directors, employees, and agents from claims arising from the Site Operator's acts, omissions, instructions, or configuration, including the content of system prompts, retention settings, lead-routing destinations, and operator-entered notes or tags.
13.6 Statutory Carve-Outs
Nothing in this Policy excludes or limits liability where exclusion is prohibited by law, including for fraud, willful misconduct, gross negligence (where non-waivable), death or personal injury caused by negligence, or any other liability that cannot be excluded under applicable mandatory law.
14. Governing Law
This Policy is governed by the laws of the State of Delaware, U.S.A., without regard to its conflict-of-laws principles. Any dispute arising out of or relating to this Policy will be resolved exclusively in the state or federal courts located in New Castle County, Delaware.
If you are a consumer in the EEA, UK, or other jurisdiction with non-waivable consumer-protection laws, this Section does not deprive you of the protection of mandatory law, and you may bring proceedings in the courts of your habitual residence.
15. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date at the top reflects the most recent revision. For material changes, we will provide reasonable advance notice through Site Operators or by prominent notice. Your continued interaction with the Widget after the effective date of an update constitutes acceptance of the revised Policy, to the extent permitted by applicable law.
16. Contact Us
MAXBURST, Inc.399 Conklin Street, Suite 305
Farmingdale, NY 11735
United States
- Privacy inquiries: privacy@getvectoraiq.com
- Security reports: security@getvectoraiq.com
- Data-subject requests: info@getvectoraiq.com (subject line: "Privacy Request")
For questions about a specific website's chat Widget, please contact the operator of that website first.
This Policy is provided in English. Translations are for convenience only; the English version controls in the event of any conflict.