Privacy Policy
Last updated: May 12, 2026
1. Introduction
VisualBI.ai ("we", "our", or "us") operates the visualbi.ai website, the VisualBI web designer, and the VisualBI Power BI custom visual (collectively, the "Service"). This Privacy Policy explains what we collect, how we use it, who we share it with, and the rights you have over it.
This document is companion to our Terms of Service and our Refund Policy. By using the Service you agree to the practices described here.
2. Information We Collect
2.1 Account information
- Name, email address, and password hash when you register.
- If you sign in via Google or Microsoft (OAuth), we receive your name, email, and profile picture from the provider.
- Organization name and team member emails you invite.
2.2 Billing information
- Payments are processed by Paddle.com Market Ltd, our Merchant of Record. Paddle handles your card / payment method details directly; we do not store full card numbers, CVV codes, or bank details on our servers.
- We store your Paddle customer ID, the active subscription ID, the plan and billing interval, the invoice metadata returned by Paddle (date, amount, status, invoice URL), and your billing-contact email so that the in-app billing page works.
- VAT / GST / sales tax is calculated and collected by Paddle based on your billing country.
2.3 Product usage
- Project metadata (titles, page count, last edited at) and aggregate counters (export count, AI feature usage, session duration).
- The full content of projects, themes, and templates you create — stored so the editor and exports work.
- We do not train AI models on your project content without your explicit opt-in consent.
2.4 License validation telemetry
When the VisualBI custom visual loads inside Power BI, it makes a single validation call per render to our API. The exact data fields sent on that call are listed below; nothing else is sent.
| Field | Description | Sensitivity |
|---|---|---|
| license_key | The key issued to you | Confidential |
| manifest_envelope | HMAC-signed metadata embedded at export time (proves the binding came from us) | Confidential |
| instance_id, page_id | UUIDs assigned by us at export time to one specific visual on one specific page | Internal |
| schema_hash | SHA-256 of the report's table and measure names — the raw names never leave Power BI | Hashed (irreversible) |
| tenant_id | Microsoft Entra tenant UUID, when available (only after Microsoft AppSource certification) | Low |
| host_env | "Power BI Web" / "Desktop" / "Mobile" | Low |
| locale, timezone | Browser locale (e.g. en-US) and IANA timezone name (e.g. Europe/Istanbul) | Low |
| user_agent_class | Browser family + major version (e.g. "Edge/130 Win") — the full UA string is not sent | Low |
| screen_class | Resolution class (e.g. "1920x1080@2") — not pixel-exact | Low |
| client_ip | Anonymized to a /24 block for IPv4 or /48 block for IPv6 — the full IP is not stored | Anonymized |
What we do not collect: the actual data values shown in your report (rows, cell values, measure results), screenshots of the rendered visual, the report's URL inside your Power BI workspace, your full IP address, your full user-agent string, or any user/email identifiers from inside Power BI.
License validation data is the basis for our enforcement decisions (allow, watermark, pending review, block). The full list of decision categories and their consequences is in the Terms of Service §10 and the License FAQ.
2.5 Cookies and local storage
- Session cookies for authentication and CSRF protection (essential — cannot be disabled).
- localStorage entries for theme, language, and editor preferences (essential for UX).
- Optional analytics cookies (PostHog), which load only if you accept them via the cookie banner.
2.6 Device and session metadata
- Server-side request logs include IP address, user-agent, and request timestamp. These are kept for 30 days for security monitoring and are not joined to project content.
- Active session list (visible to you under Profile → Security) includes a coarse device label and last-seen time.
3. How We Use Your Information
- Provide and operate the editor, the export pipeline, and the custom visual.
- Process payments, manage subscriptions, deliver invoices, and track export credits.
- Validate license keys and enforce the usage limits described in our Terms of Service.
- Send transactional emails (account verification, password reset, billing receipts, license alerts).
- Detect and prevent fraud, abuse, license sharing, and security incidents.
- Improve the product based on aggregate, anonymized usage patterns.
We do not sell your personal data. We do not use your project content for advertising. We do not share your data with marketing networks.
4. Data Sharing & Third Parties
We share data only with the processors listed below, each scoped to a single specific function. All processors are contractually bound to GDPR-compatible terms.
| Processor | Purpose | Data shared |
|---|---|---|
| Paddle.com Market Ltd | Payment processing (Merchant of Record) | Email, name, billing country, payment details (collected directly by Paddle) |
| Resend | Transactional email delivery | Email address, message content (welcome, password reset, billing, license alerts) |
| Cloudflare R2 | Storage of uploaded media (project thumbnails, avatars, custom themes) | The uploaded files themselves; served via Cloudflare CDN |
| Railway | Application and database hosting | All data we hold (Railway acts as our infrastructure provider) |
| PostHog Inc. | Optional product analytics (page views, funnels, feature usage) | Pseudonymous usage events, coarse device/browser metadata, and account identifiers you already hold with us (only after analytics consent) |
| Google & Microsoft | OAuth sign-in (only if you choose it) | Basic profile (name, email, picture) |
| Microsoft AppSource | License provisioning (only if you purchase via AppSource) | License entitlement records issued by Microsoft |
We may also disclose data when required by law, in response to a lawful request from a competent authority, or to defend our legal rights or those of our users.
5. Data Retention
- Account data — kept for as long as your account is active. Deleted within 30 days of account closure (we may retain a minimal record of the closure itself for fraud prevention).
- Project content — kept for as long as your account is active. You can export full copies at any time via the editor.
- License validation events — the per-event log (timestamp + violation type) is kept for 12 months on a rolling basis. Aggregate counters survive past 12 months for usage reporting and abuse detection.
- Billing records — kept as required by applicable financial regulations (typically 7–10 years depending on jurisdiction).
- Server access logs — kept for 30 days.
6. Security
We use industry-standard controls: TLS / HTTPS for all transport, bcrypt for password hashing, JWT-based authentication with refresh-token rotation, session device limits, rate limiting, HMAC-signed manifests for license integrity, and regular dependency audits. Payment-card data never touches our servers (handled by Paddle).
No system is perfectly secure. If we discover a personal-data breach affecting you, we will notify you and the relevant supervisory authority within the deadlines required by applicable law (GDPR Article 33: 72 hours; KVKK: en kısa sürede).
7. Your Rights (GDPR & KVKK & CCPA)
Depending on where you live, you have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of data that is inaccurate or incomplete.
- Deletion — request deletion of your account and personal data. You can also delete your account yourself from Settings → Profile.
- Export — receive your projects and account data in a machine-readable format (.pbip, JSON).
- Portability — transmit your data to another service.
- Restriction — request that we limit processing of your data.
- Objection — object to processing for specific purposes.
- Withdraw consent — for processing that depends on your consent (e.g. optional analytics).
- Lodge a complaint — with your local data-protection authority.
To exercise these rights, email [email protected] with "Privacy" in the subject line. We respond within 30 days. We may ask you to verify your identity before acting on a request, to protect against fraud.
Note on telemetry: license validation telemetry is a functional requirement of the licensed Power BI visual and is processed as necessary for performance of the contract under GDPR Article 6(1)(b) / KVKK Article 5(2)(c). That is separate from optional PostHog analytics, which runs only if you accept analytics cookies in the banner. Deleting your account removes your account data and stops license validation collection tied to that account.
8. International Data Transfers
We are a Türkiye-based company. Some of our processors (Paddle, Cloudflare, Resend, Railway, Microsoft, Google) operate globally and may process your data in countries outside the European Economic Area, the United Kingdom, or Türkiye. Where required by law we rely on appropriate safeguards (Standard Contractual Clauses, adequacy decisions) for such transfers.
9. Children's Privacy
The Service is intended for business use and is not directed at children under 18. We do not knowingly collect personal information from children. If you believe we hold data about a child, contact us and we will delete it.
10. End-User Notice (Reports You Publish)
If you publish a Power BI report that contains a VisualBI custom visual, the visual will perform the validation calls described in §2.4 from your end users' browsers. You are responsible for disclosing this in your own privacy notice to your end users (under GDPR / KVKK transparency obligations). You can copy or link to the §2.4 table for that purpose.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes (those affecting how we collect, use, or share your data) will be announced by email and a notice in the app at least 30 days before taking effect. The latest version always lives at this URL with the revision date at the top.
12. Data Controller & Contact
Data controller: Inforbis (sole proprietorship), Diyarbakır, Türkiye — Dicle University Technopark.
Under KVKK Article 16, the operator is currently within the threshold exemption for VERBİS registration (annual revenue and headcount below the published thresholds). This will be revisited annually.
Privacy questions / data-subject requests: [email protected] with "Privacy" in the subject line.
General contact: [email protected]