Privacy Policy
Effective: June 28, 2026
Table of Contents
- 1. Introduction
- 2. Information We Collect
- 3. How We Use Information
- 4. Artificial Intelligence
- 5. Google API Compliance
- 6. Controller and Processor
- 7. Partner Program
- 8. Security
- 9. Third-Party Providers and Subprocessors
- 10. Cookies and Analytics
- 11. International Users
- 12. Data Retention
- 13. Children's Privacy
- 14. Your Rights
- 15. Telecom and E911
- 16. Changes to This Policy
- 17. Contact
1. Introduction
Venovax is a product of Venture Beyond Aspirations, LLC ("VBA," "we," "our," or "us"), a Missouri limited liability company. This Privacy Policy explains how we collect, use, store, and protect information when you use Venovax.
This policy applies to venovax.io, all hosted workspaces we provide, client portals, partner portals, APIs, mobile applications, communications services, AI features, and any future Venovax services (collectively, the "Service").
By creating an account, accessing, or using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree, please do not use the Service.
The VBA master Privacy Policy also applies to any interaction you have with VBA outside of Venovax (for example through vbaspire.com, VBA Core, Kreadiv, VBA Voice, VBA Tech, or VBA events). Where the two policies overlap, this Venovax policy controls for the Venovax product.
2. Information We Collect
We collect information necessary to provide, maintain, and improve the Service. The categories below describe what we collect and why.
2.1 Account Information
When you register or manage a Venovax account, we collect:
- Name
- Email address
- Phone number
- Billing information, including payment method details (handled by our payment processors)
- Authentication information, such as passwords and OAuth tokens
- Workspace name, role assignments, and team structure
2.2 CRM Data
The Service is designed to help you manage your business relationships. The content you enter into Venovax may include:
- Contacts and companies
- Deals, pipelines, and stage histories
- Products and services
- Invoices and proposals
- Notes, tasks, and activities
- Forms and form submissions
- Uploaded files and documents
- Client portal content
- Knowledge base articles
This data belongs to you or your organization. We process it solely to operate the Service on your behalf.
2.3 Workforce Data
If you use Venovax Workforce features, we collect information you or your employees submit, including:
- Employee records and job titles
- Applicant information
- Work schedules and shift assignments
- Time entries and geofenced clock-in coordinates
- PTO requests and balances
- Uploaded HR documents and offer letters
- Preferred payout method (for example, Cash App handle, Zelle, Apple Pay, Venmo, cash, check, or direct deposit information)
Venovax does not move money on your behalf and does not connect to consumer payout networks. We only record the preferred method so you can prepare payroll-ready exports.
2.4 Education Data
For customers using Venovax Education, the Service may process:
- Student records and enrollment information
- Guardian contact details
- Attendance records
- Grades and academic progress
- Tuition and billing information
- Faculty and staff records
- Class records and schedules
Schools and educational institutions remain responsible for obtaining required consents and complying with applicable student privacy laws.
2.5 Communications Data
If you provision a business phone number or use communications features powered by VBA Voice, we and our telecom carrier collect:
- Phone numbers assigned to your workspace
- Call detail records and call duration
- Voicemail audio and voicemail transcripts
- SMS and MMS message metadata and message bodies
- Call recordings (only when you explicitly enable recording)
- E911 service address
- 10DLC and Toll-Free messaging registration information
2.6 Usage Data
We automatically collect certain technical information to operate and improve the Service:
- Browser type and version
- Device type and operating system
- IP address
- Approximate location derived from IP address
- Feature usage and interaction events
- Crash reports and error logs
- Analytics and performance metrics
2.7 Payments Data
If you connect Stripe or Square to issue invoices and accept payments, the payment processor handles card data and payouts directly. Venovax stores invoice metadata, payment status, the connected processor account ID, and a record of the Venovax platform fee on Pro accounts. We do not store full card numbers or bank account credentials.
2.8 Email and Calendar Connections
If you sign in with Google, connect Gmail for sending, or connect Google Calendar, we store OAuth tokens scoped to the functionality you authorize. If you connect Outlook or IMAP for inbox sync, we store OAuth tokens or encrypted credentials and the message metadata and bodies you choose to sync.
2.9 QuickBooks Online Integration
If you connect QuickBooks Online, we store OAuth tokens scoped to the functionality you authorize. We read and cache:
- Company profile and chart of accounts
- Invoices, purchases, and bills (income and expense transactions)
- Account balances and transaction line items
- Customer and vendor names associated with transactions
Venovax does not write to your QuickBooks Online account. We do not create, modify, or delete QuickBooks records. Synced financial data is stored in your workspace database and protected by row-level security. You may disconnect QuickBooks Online at any time from Settings - Integrations.
3. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate users and secure accounts
- Sync calendar and email connections
- Route calls and SMS
- Generate AI assistance and insights
- Prepare payroll-ready exports
- Process payments through your connected Stripe or Square account
- Prevent fraud and abuse
- Provide customer support
- Comply with telecom, tax, and legal obligations
- Analyze usage and improve the Service
We do not sell your personal information.
4. Artificial Intelligence
Venovax AI powers features such as Max AI, email drafting, meeting summaries, CRM insights, proposal generation, workflow recommendations, and future AI capabilities.
When you use an AI feature, your prompt, the relevant CRM context (for example, the deal or contact you are working on), and your workspace identifier are securely routed through the Lovable AI Gateway. The gateway may utilize supported AI providers, including the Google Gemini family of models, solely to generate the requested response.
We contractually require our AI providers not to train their generalized foundation models on your prompts or outputs. Customer prompts and outputs are not used to train generalized foundation models.
AI outputs may contain inaccuracies, omissions, or errors and should be reviewed by a human before being acted on or shared with third parties. We do not guarantee that AI-generated content is correct, complete, or suitable for any particular purpose.
AI usage is metered at the workspace level and shared across every seat in the workspace. When the allowance is reached, AI features pause until the next billing cycle or until additional credits are purchased. AI usage may be limited to protect platform stability.
5. Google API Compliance
When you choose to sign in with Google, connect Gmail sending, or connect Google Calendar to Venovax, our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5.1 Google Sign-In
With your explicit OAuth consent, Venovax requests the following scopes to authenticate you and associate a Google account with your Venovax user profile:
- openid
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
5.2 Gmail Send
If you separately connect Gmail, Venovax requests:
- https://www.googleapis.com/auth/gmail.send - allows authenticated users to send emails from their connected Gmail account directly within the Venovax CRM.
Venovax does not read Gmail inboxes through Google's APIs. We do not request Gmail modify scopes, Gmail label scopes, or any inbox read permissions.
5.3 Google Calendar
If you separately connect Google Calendar, Venovax requests calendar events and calendar read-only scopes to display your calendar in the in-app scheduler, create meetings booked through Venovax, and detect availability.
5.4 Limited Use Commitments
Venovax complies with the Google API Services User Data Policy and Limited Use requirements. Specifically:
- Google user data is used solely to provide the user-requested functionality within Venovax.
- We never use Google user data to train AI models or improve generalized machine learning systems.
- We never sell, rent, or transfer Google user data to third parties for advertising or data brokering.
- We do not allow humans to read your Google user data except (a) with your explicit consent, (b) for security investigations, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.
- OAuth tokens and any calendar events you sync are stored encrypted at rest in our managed database and protected by tenant-scoped row-level security.
5.5 Revoking Access
You can disconnect your Google account at any time from Settings - Profile - Mailboxes inside Venovax, which deletes the stored OAuth tokens. You can also revoke Venovax's access directly from your Google Account permissions page.
6. Controller and Processor
For data you and your employees enter about your customers, employees, applicants, and students, your workspace is the controller and Venovax is the processor. We process that data on your behalf and per your instructions. Your employer or workspace owner can see workforce data you submit (time entries, geofence coordinates, documents, payout method).
Venovax acts as the controller only for platform operations, authentication, billing, account management, and the direct relationship between Venovax and the individual user. This includes data such as login credentials, support correspondence, billing records, and platform-generated logs.
For the Partner's own organization data (the people who run the Partner account, their billing, and the workspaces they provisioned), Venovax is the controller.
7. Partner Program
Venovax offers a Partner program in which approved resellers and agencies ("Partners") can provision and administer client workspaces. When a Partner is linked to your workspace:
- The Partner is treated as an authorized administrator of your workspace. They can see the same workspace data your own admins can see (contacts, deals, workforce records, invoices, call/SMS metadata, and so on), subject to the role you grant them.
- The Partner may use a time-bounded, audit-logged "View As" / impersonation session to provide support. We record who impersonated which workspace and when, and surface that activity in the workspace audit log.
- The end client remains the controller of the workspace data. Venovax processes that data on behalf of the client, and shares the minimum information the Partner needs (workspace name, plan, billing status, usage, support context) to operate the account.
- For Partner-billed accounts, Venovax shares limited account and billing data with the Partner (plan, seat count, add-ons, invoice totals, payment status, revenue-share amounts). Venovax does not share end-customer card numbers with Partners; payments are processed by Stripe or Square.
- You can disconnect a Partner from your workspace at any time from Settings; doing so revokes their administrative access and ends future impersonation. Past audit-log entries are retained.
- Partners may apply their own branding to client workspaces where permitted by the client.
8. Security
We protect your data using industry-standard measures, including:
- Encryption in transit. All data transmitted between your browser and our servers is protected using TLS.
- Encryption at rest. Sensitive data stored in our databases is encrypted at rest.
- Row-level security. Database policies enforce that each tenant can access only its own data.
- Tenant isolation. Workspace data is logically and technically separated from other workspaces.
- Role-based access controls. Users can only access features and data permitted by their assigned role.
- Audit logging. We log administrative actions, impersonation sessions, and security-relevant events.
- MFA support. Multi-factor authentication is available and encouraged for all accounts.
- Continuous monitoring. We monitor for anomalies, unauthorized access attempts, and security threats.
- Secure development practices. We follow secure coding standards and conduct regular security reviews.
9. Third-Party Providers and Subprocessors
We rely on a small set of trusted providers to deliver the Service. Each provider is bound by a written data-processing agreement and receives only the minimum information necessary to perform its services.
- Supabase - managed Postgres database, authentication, and file storage.
- Stripe - payment processing, Stripe Connect payouts, and subscription billing.
- Square - alternative payment processing and catalog/payment sync for workspaces that connect Square instead of Stripe.
- Cloudflare - edge runtime, DDoS protection, and content delivery.
- Google - authentication, outbound Gmail sending, and calendar integration, when you connect your account.
- Microsoft - Outlook and Microsoft 365 integration, when you connect your account.
- Lovable AI Gateway - routing to AI model providers for AI features.
- VBA Voice (operated by VBA) and its underlying telecom carrier - voice, SMS/MMS, voicemail, and E911 services.
- Intuit / QuickBooks Online - reading financial records, invoices, purchases, bills, and account data when you connect your QuickBooks account.
- Transactional email providers - delivery of system emails (magic links, invoices, notifications, and support correspondence).
11. International Users
Venovax is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States or other jurisdictions where our subprocessors operate, subject to applicable safeguards.
We rely on appropriate legal mechanisms, such as standard contractual clauses or adequacy decisions where applicable, to facilitate international transfers in compliance with applicable data protection laws.
12. Data Retention
We retain your data only as long as necessary for the purposes described in this policy, including:
- Providing the Service
- Legal compliance
- Tax obligations
- Dispute resolution
- Security investigations
- Telecommunications regulatory requirements
When your workspace is canceled or deleted, we remove your data from active systems within a reasonable timeframe, subject to the retention requirements above. For more details about deletion procedures, please refer to our data deletion page.
13. Children's Privacy
Venovax is not directed to children under 13. We do not knowingly collect personal information from children under 13 except where educational institutions lawfully use Venovax Education on behalf of students.
Schools and educational institutions remain responsible for obtaining any required parental consents and complying with applicable student privacy laws, including the Family Educational Rights and Privacy Act (FERPA) where applicable.
If you believe we have inadvertently collected information from a child under 13 without proper authorization, please contact us at privacy@venovax.io and we will promptly delete the information.
14. Your Rights
You may access, export, correct, or delete your workspace data from in-app settings, or by contacting us. You may also withdraw consent for marketing communications at any time. Service notices (billing, security, telecom and E911 compliance) are required and cannot be unsubscribed from while service is active.
California residents (CCPA/CPRA). You have the right to know, delete, correct, and limit the use of sensitive personal information, and to opt out of "sale" or "share" of personal information. Venovax does not sell personal information. To exercise these rights, email privacy@venovax.io.
15. Telecom and E911
Business phone numbers provisioned through Venovax are regulated telecom services delivered through VBA Voice. You must register a valid 911 service address before placing or receiving calls, and you authorize that address to be shared with emergency services and our carrier as required by law.
Recording laws vary by state; if you enable call recording, you are responsible for any required announcements or consent. SMS to US numbers is subject to 10DLC and Toll-Free messaging registration; carrier pass-through fees may apply.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced through in-app notices, email, or our website. Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.
17. Contact
Venovax (a product of Venture Beyond Aspirations, LLC)
Email: privacy@venovax.io
Legal: legal@venovax.io
Mailing Address:
18336 Edison Ave #1042
Chesterfield, MO 63005