Privacy Policy

This Privacy Policy explains how VectorLabs s.r.o. (IČO: 23149281), a company registered in the Czech Republic ("VectorLabs," "we," "us"), collects, uses, stores, and protects your personal data when you use JAX — our AI-powered product feedback platform available at getjax.app, including the Chrome extension, web dashboard, and related services (the "Service").

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Czech Act No. 110/2019 Coll. on the Processing of Personal Data, and other applicable data protection laws.

The data controller for your personal data is:

3.1 Account Data

When you create an account, we collect information provided through our authentication provider (Clerk), which may include:

• Name and email address
• Profile picture (if provided)
• Authentication identifiers

3.2 Workspace and Team Data

• Organization/workspace name
• Team member information (name, email, role)
• Integration credentials and tokens for connected third-party services (Linear, Jira, Asana)

3.3 Feedback and Bug Report Data

When you use the Chrome extension or the chat agent, we collect:

• Screenshots of the web application you are testing
• Contextual metadata: current URL, viewport dimensions, browser console logs, and network request data (HAR files)
• Chat messages and feedback text you provide to the AI agent
• Bug reports and feature requests generated through the Service

3.4 Product Documentation

• Documents uploaded by workspace administrators (markdown, PDFs, etc.)
• Git repository data connected for product context

3.5 Usage and Technical Data

• IP address and approximate geolocation
• Browser type and version
• Device information
• Pages visited and features used within the Service
• Timestamps of activity

We process your personal data for the following purposes and legal bases under the GDPR:

To power the AI features of the Service, we send your data (including screenshots, chat messages, and feedback context) to third-party AI providers for processing. Currently, we use Google's Gemini AI models.

• Data sent to AI providers is used solely for generating responses within the Service and is not used to train third-party AI models (subject to the AI provider's enterprise data processing terms).
• We select AI providers that offer contractual commitments regarding data protection and security.
• We may change AI providers at any time. We will update this policy accordingly when we do.

We recommend that you do not submit highly sensitive personal data (such as health data, financial credentials, or government-issued identification numbers) through the AI chat features.

We do not sell your personal data. We share your data only in the following circumstances:

• Service providers and sub-processors: We use third-party services to operate the platform, including hosting providers, authentication services (Clerk), AI providers (Google), and analytics tools (PostHog). These providers process data on our behalf under data processing agreements. For a full list of sub-processors and details of our processing obligations, see our Data Processing Agreement.
• Connected third-party platforms: When you integrate JAX with task management tools (Linear, Jira, Asana), data from your bug reports and feedback is sent to those platforms as directed by you.
• Within your workspace: Team members in your workspace can access shared feedback, conversations, and reports.
• Legal requirements: We may disclose data when required by law, regulation, or legal process.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (for services such as Google AI and Clerk). When such transfers occur, we ensure appropriate safeguards are in place, including:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs) approved by the European Commission
• EU-U.S. Data Privacy Framework certification of the recipient

We retain your data for as long as necessary to:

• Provide the Service to you while your account is active.
• Comply with legal, accounting, or reporting obligations.
• Resolve disputes and enforce our agreements.

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law. Aggregated, anonymized data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS) and at rest
• Access controls and authentication requirements
• Regular security reviews and updates
• Secure hosting infrastructure

While we take reasonable precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

As a data subject, you have the following rights under the GDPR. To exercise any of these rights, contact us at hello@vectorlabs.cz.

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data ("right to be forgotten").
• Right to restriction of processing — request that we limit how we process your data.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

We will respond to your request within 30 days. If your request is complex, we may extend this by an additional 60 days, with notification.

The Service uses cookies and similar technologies for authentication, session management, and analytics. For a detailed breakdown of the specific cookies we use, their purposes, and how to manage them, please see our Cookie Policy.

• Essential cookies: Required for authentication and core functionality. These cannot be disabled.
• Analytics cookies: We use PostHog for product analytics to understand how the Service is used and to improve it. PostHog may set cookies to track sessions and events.

We do not use advertising or third-party tracking cookies. We do not sell data to advertisers.

The JAX Chrome extension collects data only from web applications explicitly registered in your JAX workspace. It does not collect data from other websites or from your general browsing activity. Specifically:

• The extension is dormant unless activated by the user on a registered application.
• Captured data (screenshots, console logs, network requests, URL, viewport) is transmitted directly to JAX servers over encrypted connections.
• The extension does not access browser history, bookmarks, passwords, form autofill data, or data from other tabs.
• You can uninstall the extension at any time to stop all data collection.

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice in the Service. The "Last updated" date at the top reflects the most recent revision.

We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority. For the Czech Republic, this is:

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us at: