velin

Privacy Policy

Last updated: 23 June, 2026 · Effective: 23 June, 2026

1. Who we are

This Privacy Policy explains how Velin (“UseVelin”, “Velin”, “we”, “us”) collects and uses personal data.

For personal data we process about our account holders and website visitors, Velin is the data controller.

For personal data contained in the evidence and content you upload to your workspace, Velin acts as a data processor on your behalf — you (our customer) are the controller. That processing is governed by our Data Processing Agreement (/legal/dpa), not this policy.

Contact: privacy@usevelin.com · general: hello@usevelin.com · security: security@usevelin.com.

2. What this policy covers

This policy covers the Velin website (usevelin.com) and the Velin application (app.usevelin.com). It does not cover third-party services you reach via links from our site.

3. Personal data we collect (as controller)

CategoryExamplesSource
Account dataName, email address, authentication credentials (hashed), MFA factorsYou, at sign-up
Workspace/membership dataWorkspace name, your role, invitations you sendYou
Usage & security dataLog-in events, IP address, audit-log entries, device/browser metadata, error reportsAutomatically, in use
Billing dataSubscription tier, plan status — we do not store payment card detailsPaddle (our payment processor)
Support dataEmails and messages you send usYou

We do not intentionally collect special-category data about our account holders. Sign-in via Google or Microsoft shares your name and email with us per your chosen provider.

4. Why we use it and our lawful basis (GDPR Art. 6)

PurposeLawful basis
Provide and operate the service, manage your account and workspacesPerformance of a contract (Art. 6(1)(b))
Secure the service — authentication, MFA, abuse prevention, audit loggingLegitimate interests (Art. 6(1)(f)): protecting our service and users
Transactional email (sign-up, password reset, invitations, approval notifications)Performance of a contract
Billing, invoicing, tax recordsPerformance of a contract; legal obligation (Art. 6(1)(c))
Product analytics and improvement (aggregate/diagnostic)Legitimate interests
Respond to your enquiries and support requestsLegitimate interests / contract
Comply with legal obligations (tax, accounting, lawful requests)Legal obligation

Where we rely on legitimate interests, we have balanced those against your rights; you may object (see §9).

5. Cookies and tracking

  • The marketing website uses no advertising or analytics cookies and sets no tracking cookies.
  • The application uses strictly necessary cookies only — to keep you signed in and secure your session. These are essential to the service and are not used for advertising.

We do not sell personal data and do not use it for cross-site advertising.

6. Who we share data with (sub-processors)

We use a small set of vetted sub-processors, each under a data-processing agreement. The authoritative, current list is maintained at /legal/sub-processors. As of the effective date it includes:

Sub-processorPurposeLocation
SupabaseDatabase, authentication, file storageEU (Frankfurt, eu-central-1)
VercelApplication hostingEU region
ResendTransactional email deliveryIreland
PaddlePayment processing / merchant of recordIreland
Google / MicrosoftOptional single-sign-on (only if you choose it)EU
SentryError and operational monitoring (PII-scrubbed)EU

We remain responsible for our sub-processors’ handling of your data. We will give notice of material changes to this list per our DPA.

We may also disclose data where required by law, to enforce our terms, or in connection with a corporate transaction (with safeguards).

7. International transfers

Our core infrastructure is hosted in the EU (Frankfurt). Where a sub-processor processes data outside the EEA, we rely on an appropriate transfer mechanism — an EU adequacy decision or the European Commission’s Standard Contractual Clauses (2021), with supplementary measures where required.

8. How long we keep it

  • Account and workspace data: for as long as your account is active, then deleted or anonymised within 90 days of closure, except where we must retain it (e.g. tax/accounting records, typically 6/7 years).
  • Security/audit logs: retained for 90 days for integrity and security purposes.
  • Evidence content you upload: retained per your instructions as controller; see the DPA. We never silently delete it.
  • Billing records: retained as required by law.

9. Your rights

Under the GDPR you have the right to: access your data; have it corrected; have it erased; restrict or object to processing; data portability; and to withdraw consent where processing is based on consent. To exercise any of these, contact privacy@usevelin.com. We will respond within one month (extendable by two further months for complex requests, with notice).

You also have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or your local supervisory authority.

If your request concerns evidence content in a workspace where Velin is a processor, we will refer you to, or assist, the relevant controller (our customer).

10. Security

We protect personal data with measures including: EU-only hosting; encryption in transit and at rest; row-level tenant isolation; mandatory multi-factor authentication; an append-only, tamper-evident audit log; signed-URL-only access to stored files; and PII scrubbing in monitoring. We never store payment card data. No system is perfectly secure, but we take these obligations seriously.

11. Children

Velin is a business tool not directed to children and is not intended for anyone under 16. We do not knowingly collect their data.

12. Changes to this policy

We may update this policy. Material changes will be notified by email or in-app, and the “Last updated” date will change. Continued use after changes take effect constitutes acceptance.

13. Contact

Questions or requests: privacy@usevelin.com. Security matters: security@usevelin.com.