Who we are and how to read this policy
VividSphere LLP ("VividSphere", "we", "us") is a software company based in Bangalore, India. When we say "the Service" in this policy, we mean everything we operate: our marketing site at vividsphere.co, our products PrimeBase (web, iOS, Android, customer and vendor portals, and APIs published at primebase.io) and Pocket CRM (iOS and Android), and any support channels we run alongside them.
This policy applies to two groups of people, and they have different rights:
- Customers — businesses and the team members who sign in to our products to run their operations. Here, VividSphere is the data controller for account and product-usage data.
- Customer end users — your customers and vendors who log into a portal you operate on PrimeBase. Here, VividSphere is the data processor, acting on your instructions. Their privacy questions should go to you first; ours is a backstop.
If you signed up for a VividSphere product, this whole document is for you. If you're logging into someone else's portal that happens to run on PrimeBase, sections 2, 7, and 13 are the ones to read.
Information we collect
We collect only what we need to deliver the Service, bill you, keep accounts secure, and improve the product. We've grouped it into four buckets.
2.1 Information you give us directly
- Account information — your name, work email, password (stored as a one-way hash), company name, and time zone.
- Billing information — billing address and tax identifiers if you provide them. Payment card details, when collected, are processed by our payment provider; full card numbers never reach our systems.
- Customer content — anything you put into our products: customer records, contacts, projects, documents, invoices, accounting entries, files, comments, custom fields.
- Support correspondence — messages you send us by email or attachments you share with our team.
2.2 Information collected automatically
- Device & connection data — IP address, browser, OS, and the time of each request.
- Product usage — pages viewed, features used, errors encountered, and aggregate performance metrics. We use this to fix bugs and prioritise what to build next.
- Cookies & similar tech — only what's required to keep you signed in, remember preferences, and measure aggregate product usage.
2.3 Information from third parties
- Integrations you connect — when you authorise an integration (for example, connecting a Google or Outlook calendar), we receive only the data the scopes you granted allow. You can revoke at any time from your integration settings.
2.4 What we don't collect
We don't track you across the web with advertising pixels. We don't fingerprint your device. We don't read or store the contents of files you upload for purposes other than delivering them to your team and clients. And we don't train AI models on your customer content — see §4.
How we use your information
Each piece of data we hold is tied to one of a small number of lawful purposes. Here's the full map:
| Purpose | What we use | Legal basis |
|---|---|---|
| Provide the Service | Account, customer content, usage | Contract |
| Bill and collect payment | Billing info | Contract |
| Keep your account secure | Connection, device, request metadata | Legitimate interest |
| Provide customer support | Account info, correspondence | Contract |
| Improve the product | Aggregated, de-identified usage | Legitimate interest |
| Send transactional emails | Email, account events | Contract |
| Send product news (opt-in) | Email, marketing prefs | Consent |
| Comply with legal obligations | Whatever a valid order requires | Legal obligation |
3.1 Automated decisions
We don't make any decision about you that has a legal or significant effect using only automated processing. Abuse-prevention checks (such as CAPTCHA and rate limits) flag activity for human review; they don't take final action on accounts.
AI features and your customer content
PrimeBase ships several AI-assisted features (for example, OCR extraction from uploaded documents). We've designed them with the same standard we'd want as customers ourselves:
- Your customer content is never used to train VividSphere models, third-party foundation models, or anyone else's models.
- Prompts and outputs are encrypted in transit and at rest, and retained only as long as needed to deliver the feature and monitor for abuse.
- We use AI providers in pass-through mode and select providers whose terms forbid training on customer prompts.
Google API services and user data
If you connect a Google account to PrimeBase, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5.1 Google Calendar
When you connect Google Calendar, PrimeBase creates a dedicated calendar in your Google account and syncs PrimeBase appointments to it. We may access event titles, start/end times, descriptions, attendees, and technical identifiers for events we create. Our access is limited to calendars and events created by the PrimeBase app.
5.2 Gmail (send-only)
When you connect Gmail, PrimeBase requests the gmail.send scope only — used to send emails on your behalf from inside the product. We do not read your inbox, do not access existing messages, and do not retain message content. Your Gmail address is recorded for the purpose of associating sent emails with your account.
5.3 Permitted uses
Data received from Google APIs is used only to deliver user-facing calendar sync and email-send features in PrimeBase. We do not use Google user data for:
- advertising or marketing personalisation,
- resale or transfer to data brokers,
- creditworthiness or lending decisions,
- building standalone profiles of you outside our products, or
- training generalised AI/ML models.
5.4 Sharing and disclosure
We do not sell Google user data. We share it only with the sub-processors strictly necessary to deliver the integration (for example, our cloud hosting provider), under contractual confidentiality and data-protection obligations.
5.5 Security
OAuth access and refresh tokens are encrypted at the application layer with AES-256-GCM before they hit the database. Token access is restricted to the integration code paths that need it; the rest of the application sees the integration as opaque.
5.6 Retention and deletion
Tokens and integration metadata are retained while your account is active and the integration is enabled. Disconnecting the integration stops further API access and removes the tokens from our database. You can also revoke access at any time from your Google Account security settings.
How long we keep data
We keep different categories of data for different durations, based on what's necessary and what regulators require:
| Category | Active retention | After deletion |
|---|---|---|
| Customer content (records, documents, files) | For the life of your account | Hard-deleted within 30 days |
| Account & billing records | For the life of your account | Retained as required by tax law |
| Product analytics events | Aggregated and de-identified | No link to you |
| Database backups | Rolling encrypted backups | Overwritten on rotation |
| Support correspondence | For the life of your account | Hard-deleted on request |
You can trigger deletion of your workspace at any time from in-product settings (PrimeBase: Settings → Account → Close workspace; Pocket CRM: in-app account deletion), or by emailing contact@vividsphere.co. Hard deletion completes within 30 days; we'll send you written confirmation when it's done.
Your rights and how to exercise them
Depending on where you live, you have some or all of the following rights over the personal information we hold about you:
- Access — request a copy of what we hold.
- Rectification — correct anything inaccurate.
- Erasure — ask us to delete it ("the right to be forgotten").
- Portability — receive your data in a structured format. Admins can self-serve CSV exports for most records; for other data, email us.
- Object or restrict — opt out of processing based on legitimate interest, or pause it temporarily.
- Withdraw consent — for anything we do based on consent (mainly product news), instantly.
- Lodge a complaint — with your local supervisory authority in the EU/EEA, the UK ICO, or — for California residents — the California Attorney General.
How to exercise them
Email contact@vividsphere.co from the address on file. We'll respond within 30 days (and usually within one business day). We don't charge for these requests, and we won't ask you why — though if a request is clearly unfounded or repetitive we may decline it.
Your rights live primarily with the business whose portal you logged into — they're the data controller. Reach out to them first. If they don't respond, write to us and we'll help mediate or, if necessary, act on the request directly.
How we protect your data
The short version: encryption everywhere, strict workspace isolation, role-based access, careful defaults.
- TLS in transit. AES-256 at rest on Google Cloud Platform with envelope encryption managed by the cloud provider.
- Sensitive identifiers and authentication tokens are additionally encrypted at the application layer before they hit the database.
- Every record carries a workspace ID. Postgres row-level security policies block cross-tenant reads and writes at the database layer.
- Every API endpoint declares the permission it requires. Custom roles and access rules let admins restrict who can see and do what in your workspace.
- Application secrets stored in Google Cloud Secret Manager with IAM-scoped access. Production access limited to a small number of engineers.
- Public-facing forms are protected by a CAPTCHA challenge and a honeypot trap. Access codes on shared links are stored as one-way hashes with brute-force lockout.
For a fuller picture, see our security overview.
If we discover a security incident that affects your data, we'll notify your workspace admins directly by email — what happened, what to check on your side, and what we're doing to fix it. We aim to respond within one business day.
International data transfers
Our products are hosted on Google Cloud Platform in the United States. VividSphere LLP is based in India. If you sign up from the EU/EEA, UK, or another jurisdiction outside the US, your data will be transferred to and processed in the United States, with administrative access from India.
For these transfers, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum, supplemented by the technical safeguards described in §9 (encryption in transit, encryption at rest, application-layer encryption for sensitive identifiers, workspace isolation by row-level security).
Children's privacy
Our products are tools for businesses. They are not intended for use by individuals under 18, and we don't knowingly collect personal information from anyone under 18. If you're a parent or guardian and believe your child has provided us with personal information, write to us at contact@vividsphere.co and we'll delete it.
Changes to this policy
We'll update this policy as our products evolve. When we do, we'll change the "Last updated" date at the top, and — if the change is material — we'll notify account admins by email before it takes effect, with enough time for you to export and delete first if you'd prefer to leave.
Contact us
The fastest way to reach the team responsible for this policy is by email. A real human reads it, and we aim to respond within one business day.
- Email us anything · contact@vividsphere.co
- Postal address · VividSphere LLP, L-148, 5th Main Road, Sector 6, HSR Layout, Bangalore South, Bangalore - 560102, Karnataka, India