
Privacy Policy

Effective Date: February 23, 2026
Last Updated: February 23, 2026
Version: 1.0
Legal Entity: SeraphDev LLC, doing business as VantageCTO
Website: https://vantage-cto.com
Jurisdiction: State of Ohio, United States

VantageCTO ("VantageCTO," "we," "us," or "our") is an AI-powered virtual Chief Technology Officer platform operated by SeraphDev LLC, a limited liability company organized under the laws of the State of Ohio. VantageCTO provides strategic technical advisory services, business context management, Lean Startup methodology scaffolding, and autonomous build agent capabilities to non-technical startup founders and early-stage teams (the "Services").

This Privacy Policy explains how we collect, use, store, share, and protect your personal information and business data when you access or use our Services, including our website at vantage-cto.com, our Model Context Protocol ("MCP") server infrastructure, any native web or mobile applications, and any related tools, features, or integrations (collectively, the "Platform").

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, you must discontinue use of the Platform immediately.

Plain Language Summary: VantageCTO exists to help non-technical founders make smarter technical decisions. We take the data you share with us seriously. This document explains exactly what we collect, why we collect it, and what rights you have over your information. We encourage you to read it in full.

Section 1

Definitions

For purposes of this Privacy Policy, the following terms shall have the meanings set forth below:

Term | Definition
"Personal Information" | Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identifiable natural person, including but not limited to name, email address, billing information, IP address, and device identifiers.
"Business Context Data" | Information you provide to the Platform regarding your business, startup, product, market, customers, strategy, assumptions, decisions, experiments, validated learnings, and any other business intelligence stored within the Context Graph, whether entered manually, through conversational interaction, or via third-party integrations.
"Context Graph" | The structured, persistent data model maintained by VantageCTO that stores entities (including BusinessProfile, ProblemStatement, ICP, Assumption, Decision, Experiment, and ValidatedLearning) and relationships between those entities, accumulated across sessions to form a comprehensive understanding of a User's business.
"MCP Server" | The Model Context Protocol server infrastructure operated by VantageCTO that provides persistent business memory, methodology tooling, and context retrieval capabilities to Users who connect via MCP-compatible large language model clients.
"BYOLLM" | Bring Your Own Large Language Model — the operational model in which Users connect their own third-party LLM client (e.g., Claude Desktop, ChatGPT, or any MCP-compatible client) to VantageCTO's MCP Server. Under this model, VantageCTO provides the memory, methodology, and tooling layer; the User's chosen LLM provider is responsible for its own data processing.
"User," "you," or "your" | Any individual or entity that accesses, registers for, subscribes to, or otherwise uses the Platform or Services, including founders, team members, and developers granted access to any VantageCTO tier.
"Build Agent" | The autonomous AI development agent available through the "Build It" service tier that writes code, performs browser-based testing via Playwright, generates GitHub pull requests, and deploys applications on behalf of Users.
"Dev Mode" | A read-only access tier designed for developers working within a User's project. Dev Mode provides access to the project Context Graph for alignment purposes but does not permit modification of founder-side business context data.

Section 2

Information We Collect

We collect information in the following categories, depending on how you interact with the Platform:

2.1 Information You Provide Directly

  1. Account Registration Data: When you create a VantageCTO account, we collect your name, email address, password (stored in hashed form), and optionally your company name, role, and industry.
  2. Billing and Subscription Data: If you subscribe to a paid tier (Context, Co-Founder, or Studio), we collect payment information through our third-party payment processor(s). VantageCTO does not directly store full credit card numbers, bank account numbers, or other sensitive financial instrument data on our servers. Payment processing is handled by RevenueCat and/or Stripe, each of which maintains its own privacy policy and PCI-DSS compliance.
  3. Business Context Data: Through your use of the Platform — whether via conversational interaction with the MCP Server, direct input through the native application, or third-party integrations — you may provide substantial business intelligence, including but not limited to:
    • Business profiles (industry, stage, founding team, target market, budget)
    • Problem statements and Ideal Customer Profiles (ICPs)
    • Strategic assumptions and risk assessments
    • Business decisions, rationale, and alternatives considered
    • Experiment designs, hypotheses, and success criteria
    • Validated learnings, pivot histories, and outcome data
    • Technical architecture preferences, stack decisions, and hiring readiness indicators
    • Runway projections and financial planning data
  4. Communications: When you contact us for support, submit feedback, respond to surveys, or otherwise communicate with us, we collect the contents of those communications along with associated metadata.
  5. Third-Party Integration Credentials: If you use the Build It tier or connect external services (e.g., GitHub, Linear, Notion, Vercel, Railway), we may collect and store authentication tokens or API credentials necessary to operate those integrations on your behalf. These credentials are encrypted at rest and used solely for the purpose of providing the requested integration functionality.

2.2 Information Collected Automatically

  1. Usage Data: We automatically collect information about how you use the Platform, including MCP tool calls and their frequency, session timestamps and durations, features accessed and interaction patterns, methodology phase progression (Think It → Validate It → Build It), and query patterns within the Context Graph.
  2. Device and Technical Data: We may collect your IP address, browser type and version, operating system, device type, unique device identifiers, referring URLs, and general geographic location inferred from IP address.
  3. Log Data: Our servers automatically log information regarding requests made to the Platform, including request timestamps, MCP server connection events, API endpoints accessed, response codes, and error logs.
  4. Cookies and Tracking Technologies: We use cookies, local storage, and similar technologies to maintain session state, remember preferences, and analyze aggregate usage patterns. See Section 9 (Cookies and Tracking Technologies) for details.

2.3 Information from Third Parties

  1. LLM Provider Data (BYOLLM): When you connect your own LLM to VantageCTO via the MCP Server, your LLM provider may transmit metadata alongside tool calls. VantageCTO processes this data only to the extent necessary to deliver the Services. We do not access, store, or process the contents of your conversations with your LLM except to the extent that those conversations result in explicit MCP tool calls to our server (e.g., store_decision, store_assumption, retrieve_business_context).
  2. OAuth and SSO Providers: If you authenticate via Google, GitHub, or another single sign-on provider, we receive limited profile information (typically name, email, and avatar URL) as authorized by you during the OAuth flow.
  3. Analytics and Infrastructure Providers: We may receive aggregated or pseudonymized analytics data from our infrastructure and analytics providers.

Section 3

How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Platform Operations

  1. Context Graph Construction and Maintenance: Your Business Context Data is processed and stored within a structured graph database to build and maintain your persistent business context across sessions. This is the core functionality of VantageCTO — the accumulated understanding of your startup is the primary value the Platform provides.
  2. Lean Methodology Execution: We use your data to facilitate the Build-Measure-Learn cycle, including assumption tracking, experiment design, validated learning capture, and sequencing gate enforcement across Phases 01, 02, and 03.
  3. MCP Tool Execution: When you invoke MCP tools (e.g., store_decision, update_icp, get_product_snapshot), we process the input data to execute the requested operation and return results to your LLM client.
  4. Build Agent Operations: For Users on the Build It tier, we use your validated business context and technical specifications to generate code, execute Playwright browser tests, create GitHub pull requests, and manage deployments to platforms such as Vercel or Railway.
  5. Dev Mode Read Access: For developer seats operating in Dev Mode, we provide read-only access to relevant Context Graph data to ensure development work aligns with validated business decisions and assumptions.

3.2 Account Management

  1. To create, maintain, and secure your account.
  2. To process subscriptions, billing, and payments through our third-party payment processors.
  3. To manage entitlements and feature access across service tiers (Context, Co-Founder, Studio, Dev Mode).
  4. To authenticate your identity and authorize access to your data.

3.3 Platform Improvement and Analytics

  1. To analyze aggregate usage patterns and identify which features, tools, and methodology phases deliver the most value to Users.
  2. To improve the performance, reliability, and functionality of the Platform.
  3. To develop new features, tools, and service tiers informed by real usage data.
  4. To monitor Platform health, detect errors, and troubleshoot technical issues.

3.4 Communications

  1. To send transactional communications (account confirmations, billing receipts, security alerts, service change notifications).
  2. To send product updates, feature announcements, and methodology content, subject to your communication preferences.
  3. To respond to support inquiries and feedback.

3.5 Legal and Compliance

  1. To comply with applicable legal obligations, regulations, and lawful requests.
  2. To enforce our Terms of Service, protect our rights and property, and prevent fraud or abuse.
  3. To establish, exercise, or defend legal claims.

What We Do NOT Do With Your Data: We do not sell your Personal Information or Business Context Data to third parties. We do not use your proprietary business data to train general-purpose AI models. We do not share your Context Graph data with other Users or tenants. Your business intelligence belongs to you.

Section 4

Legal Bases for Processing

Where applicable (including under the General Data Protection Regulation, or GDPR), we rely on the following legal bases for processing your personal data:

Legal Basis | Processing Activities
Performance of Contract | Providing the Services, maintaining your Context Graph, executing MCP tool calls, processing subscriptions, operating the Build Agent, and delivering Dev Mode access.
Legitimate Interest | Platform improvement, aggregate analytics, fraud prevention, security monitoring, and product development. We balance these interests against your privacy rights and freedoms.
Consent | Marketing communications, optional analytics, and any processing beyond what is necessary for service delivery. Consent may be withdrawn at any time.
Legal Obligation | Tax and financial record-keeping, responding to lawful government requests, and compliance with applicable data protection laws.

Section 5

Data Sharing and Disclosure

We do not sell, rent, or trade your Personal Information or Business Context Data. We may share information only under the following limited circumstances:

5.1 Service Providers and Sub-Processors

We engage third-party service providers who process data on our behalf to deliver the Services. These providers are contractually bound to use your data only for the purposes we specify and to maintain appropriate security measures. Current categories of sub-processors include:

Provider Category | Purpose | Data Accessed
Cloud Infrastructure (e.g., AWS, Railway, Vercel) | Hosting, storage, compute | All Platform data as stored at rest and in transit
Graph Database Provider (e.g., Neo4j) | Context Graph storage and querying | Business Context Data, entity relationships
Payment Processor (e.g., RevenueCat, Stripe) | Subscription management, billing | Name, email, payment method, subscription tier
Authentication Provider (e.g., Firebase Auth, OAuth) | User authentication and session management | Email, UID, authentication tokens
Analytics Provider | Aggregate usage analytics | Pseudonymized usage data, session metadata
Email / Communications Provider | Transactional and marketing emails | Name, email address, communication preferences

5.2 LLM Providers (BYOLLM Users)

When you use VantageCTO in BYOLLM mode, your conversations are processed by your chosen LLM provider (e.g., Anthropic, OpenAI). VantageCTO is not the data controller for your LLM conversations. We only receive and process data that is explicitly transmitted to our MCP Server via tool calls. The content of your conversational prompts and the LLM's responses that do not result in MCP tool invocations are processed solely by your LLM provider under their respective privacy policies. You are responsible for reviewing and accepting the privacy policies and terms of service of any LLM provider you choose to connect.

5.3 Third-Party Integrations

If you authorize integrations with third-party services (GitHub, Linear, Notion, Vercel, Railway, or others), data will be transmitted to and from those services as necessary to perform the requested integration functions. Each integration is activated at your discretion and operates under the third party's own privacy policy and terms of service in addition to this Privacy Policy.

5.4 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including to comply with a subpoena, court order, or similar legal process; to protect and defend the rights, property, or safety of VantageCTO, our Users, or the public; and to detect, prevent, or address fraud, security, or technical issues.

5.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice before your Personal Information becomes subject to a different privacy policy.

5.6 With Your Consent

We may share your information for other purposes with your explicit, informed consent.

5.7 Aggregated or De-Identified Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you. For example, we may publish aggregate statistics about how founders use the Platform's methodology phases to inform public content (e.g., blog posts, build logs). Such aggregate data will never contain individually identifiable information or proprietary business details.

Section 6

Data Retention

We retain your data for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data Category | Retention Period | Rationale
Account Data | Duration of account + 30 days after deletion request | Active service delivery; grace period for reactivation
Business Context Data (Context Graph) | Duration of active subscription + 90 days post-cancellation | The Context Graph is the core product value; the 90-day window allows for data export and resubscription. After 90 days, Context Graph data is permanently deleted.
Billing and Transaction Records | 7 years from date of transaction | Tax and financial compliance obligations
Server Logs and Technical Data | 90 days | Debugging, security monitoring, and abuse prevention
Communications and Support Records | 2 years from last communication | Service quality and dispute resolution
Third-Party Integration Credentials | Deleted immediately upon integration disconnection or account deletion | Security best practice; no reason to retain after disconnection

Upon account deletion or expiration of the applicable retention period, we will permanently delete or irreversibly anonymize your data. You may request early deletion at any time, subject to our legal obligations to retain certain records.

Section 7

Data Security

We implement and maintain reasonable administrative, technical, and physical security measures designed to protect your data from unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to:

  1. Encryption: All data is encrypted in transit using TLS 1.2 or higher. Sensitive data at rest, including authentication tokens and third-party integration credentials, is encrypted using AES-256 or equivalent industry-standard encryption.
  2. Tenant Isolation: The Platform implements logical tenant isolation to ensure that each User's Context Graph and Business Context Data is accessible only to authorized users within that tenant. Multi-tenant architecture is designed to prevent cross-tenant data leakage.
  3. Access Controls: Access to production systems, databases, and User data is restricted to authorized personnel on a need-to-know basis, protected by multi-factor authentication and role-based access controls.
  4. Password Security: User passwords are hashed using industry-standard one-way hashing algorithms with unique salts. VantageCTO personnel cannot access, view, or retrieve your plaintext password.
  5. Infrastructure Security: Our infrastructure providers maintain SOC 2, ISO 27001, and/or equivalent security certifications. We monitor for vulnerabilities and apply security patches in a timely manner.
  6. Incident Response: We maintain an incident response plan to detect, investigate, and respond to security incidents. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected Users and applicable regulatory authorities in accordance with applicable law.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your data, we cannot guarantee its absolute security.

Section 8

Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal data. VantageCTO respects and will facilitate the exercise of these rights to the extent required by applicable law.

8.1 Rights Under U.S. State Privacy Laws (including CCPA/CPRA, Ohio Data Protection Act, and similar)

  1. Right to Know / Access: You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources from which we collected it, our business purpose for collecting it, and the categories of third parties with whom we share it.
  2. Right to Delete: You have the right to request deletion of your Personal Information, subject to certain exceptions (e.g., legal compliance, ongoing contractual obligations).
  3. Right to Correct: You have the right to request that we correct inaccurate Personal Information we maintain about you.
  4. Right to Opt-Out of Sale: We do not sell your Personal Information. However, if this practice ever changes, you will have the right to opt out.
  5. Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
  6. Right to Data Portability: You may request a copy of your data in a structured, commonly used, and machine-readable format.

8.2 Rights Under GDPR (European Economic Area, United Kingdom, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation, including:

  1. Right of Access (Article 15) — the right to obtain confirmation of whether we process your personal data and to access that data.
  2. Right to Rectification (Article 16) — the right to have inaccurate personal data corrected.
  3. Right to Erasure (Article 17) — the right to have your personal data deleted under certain circumstances.
  4. Right to Restriction of Processing (Article 18) — the right to restrict processing under certain circumstances.
  5. Right to Data Portability (Article 20) — the right to receive your personal data in a structured, machine-readable format.
  6. Right to Object (Article 21) — the right to object to processing based on legitimate interests, including profiling.
  7. Right to Withdraw Consent (Article 7) — where processing is based on consent, you may withdraw that consent at any time.
  8. Right to Lodge a Complaint — you have the right to lodge a complaint with a supervisory authority in your jurisdiction.

8.3 Context Graph Data Export

VantageCTO recognizes that your Business Context Data represents significant intellectual value. In addition to standard data portability rights, we provide Users with the ability to export their full Context Graph — including all entities, relationships, decisions, assumptions, experiments, and validated learnings — in a structured, machine-readable format (JSON and/or CSV) at any time during their active subscription and for ninety (90) days following cancellation.

8.4 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at:

Email: privacy@vantage-cto.com
Mail: SeraphDev LLC, Attn: Privacy, Columbus, Ohio, United States

We will verify your identity before processing your request and respond within thirty (30) days, or within the timeframe required by applicable law. If we require additional time, we will inform you of the reason and the expected completion date.

Section 9

Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience on the Platform. The categories of cookies we use include:

Cookie Type | Purpose | Duration
Strictly Necessary | Authentication, session management, security. These cookies are essential for the Platform to function and cannot be disabled. | Session or up to 30 days
Functional | Remembering your preferences, methodology phase state, and UI settings. | Up to 1 year
Analytics | Understanding aggregate usage patterns, feature adoption, and Platform performance. | Up to 2 years

We do not use advertising or retargeting cookies. You may manage cookie preferences through your browser settings. Disabling certain cookies may affect Platform functionality.

Section 10

AI-Specific Disclosures

VantageCTO is an AI-powered platform. The following disclosures address how artificial intelligence is used within the Services and how your data interacts with AI systems:

10.1 AI Processing

The Platform uses AI and large language models to provide strategic business advisory, methodology scaffolding, and (in the Build It tier) autonomous code generation. AI outputs are informed by your Context Graph data but are generated by probabilistic language models. VantageCTO does not guarantee the accuracy, completeness, or suitability of any AI-generated output.

10.2 Model Training

Your Business Context Data is NOT used to train general-purpose AI models. VantageCTO does not contribute User data to the training datasets of any third-party LLM provider. If we ever develop proprietary AI models, any use of User data for model improvement would occur only on aggregated, de-identified data and only with explicit notice and, where required, consent.

10.3 BYOLLM Data Flow

Under the BYOLLM model, the data flow is as follows:

  1. You interact with your chosen LLM client (e.g., Claude Desktop).
  2. When you invoke a VantageCTO MCP tool, the tool call parameters are transmitted from your LLM client to our MCP Server.
  3. Our MCP Server processes the tool call, reads from or writes to your Context Graph, and returns results to your LLM client.
  4. The conversational context between you and your LLM that does NOT result in an MCP tool call is NOT transmitted to or processed by VantageCTO.

This means VantageCTO only sees the structured data you explicitly send to it through tool calls — not your full conversational history with your LLM.

10.4 Hosted LLM Tier

For Users on tiers that include a VantageCTO-hosted LLM, conversational data is processed by our hosted model in addition to MCP tool calls. This conversational data is used solely to generate responses within your session and is subject to the same security, retention, and deletion policies as all other User data described in this Privacy Policy. Conversational data from hosted sessions is not used to train or fine-tune models unless explicitly de-identified and aggregated.

10.5 Automated Decision-Making

The Platform's sequencing gate (which prevents progression to Build It without validated Phase 01 and 02 context) constitutes an automated decision that affects service access. This gate is a core design feature of the methodology and is disclosed here for transparency. You may contact us if you have questions about how this gate affects your use of the Services.

Section 11

International Data Transfers

VantageCTO is based in Ohio, United States. If you access the Platform from outside the United States, your data will be transferred to and processed in the United States and potentially other countries where our service providers operate. These countries may have data protection laws that differ from those of your jurisdiction.

Where required by applicable law (including GDPR), we implement appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission, data processing agreements with sub-processors, and assessment of the data protection laws of recipient countries.

Section 12

Children's Privacy

The Platform is not directed to individuals under the age of eighteen (18). We do not knowingly collect Personal Information from children under 18. If we become aware that we have collected Personal Information from a child under 18, we will take steps to delete such information promptly. If you believe a child under 18 has provided us with Personal Information, please contact us at privacy@vantage-cto.com.

Section 13

Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for interpreting DNT signals, VantageCTO does not currently respond to DNT signals. We will update this policy if a uniform standard is adopted.

Section 14

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable laws. When we make material changes, we will notify you by posting the updated Privacy Policy on the Platform with a revised "Last Updated" date and, where required by law, by sending you a direct notification via email or in-product notice. Your continued use of the Platform after such changes take effect constitutes your acceptance of the revised Privacy Policy.

We maintain version history of this Privacy Policy and will make prior versions available upon request.

Section 15

Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

SeraphDev LLC, d/b/a VantageCTO
Attn: Data Privacy
Columbus, Ohio, United States
Email: privacy@vantage-cto.com
Website: https://vantage-cto.com

For privacy-related complaints that we are unable to resolve, you may have the right to lodge a complaint with your local data protection authority.

VantageCTO Privacy Policy — Version 1.0

© 2026 SeraphDev LLC, d/b/a VantageCTO. All rights reserved.
