Privacy Policy
Last updated: 23 June, 2026 · Effective: 23 June, 2026
1. Who we are
This Privacy Policy explains how Velin (“UseVelin”, “Velin”, “we”, “us”) collects and uses personal data.
For personal data we process about our account holders and website visitors, Velin is the data controller.
For personal data contained in the evidence and content you upload to your workspace, Velin acts as a data processor on your behalf — you (our customer) are the controller. That processing is governed by our Data Processing Agreement (/legal/dpa), not this policy.
Contact: privacy@usevelin.com · general: hello@usevelin.com · security: security@usevelin.com.
2. What this policy covers
This policy covers the Velin website (usevelin.com) and the Velin application (app.usevelin.com). It does not cover third-party services you reach via links from our site.
3. Personal data we collect (as controller)
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, authentication credentials (hashed), MFA factors | You, at sign-up |
| Workspace/membership data | Workspace name, your role, invitations you send | You |
| Usage & security data | Log-in events, IP address, audit-log entries, device/browser metadata, error reports | Automatically, in use |
| Billing data | Subscription tier, plan status — we do not store payment card details | Paddle (our payment processor) |
| Support data | Emails and messages you send us | You |
We do not intentionally collect special-category data about our account holders. Sign-in via Google or Microsoft shares your name and email with us per your chosen provider.
4. Why we use it and our lawful basis (GDPR Art. 6)
| Purpose | Lawful basis |
|---|---|
| Provide and operate the service, manage your account and workspaces | Performance of a contract (Art. 6(1)(b)) |
| Secure the service — authentication, MFA, abuse prevention, audit logging | Legitimate interests (Art. 6(1)(f)): protecting our service and users |
| Transactional email (sign-up, password reset, invitations, approval notifications) | Performance of a contract |
| Billing, invoicing, tax records | Performance of a contract; legal obligation (Art. 6(1)(c)) |
| Product analytics and improvement (aggregate/diagnostic) | Legitimate interests |
| Respond to your enquiries and support requests | Legitimate interests / contract |
| Comply with legal obligations (tax, accounting, lawful requests) | Legal obligation |
Where we rely on legitimate interests, we have balanced those against your rights; you may object (see §9).
5. Cookies and tracking
- The marketing website uses no advertising or analytics cookies and sets no tracking cookies.
- The application uses strictly necessary cookies only — to keep you signed in and secure your session. These are essential to the service and are not used for advertising.
We do not sell personal data and do not use it for cross-site advertising.
6. Who we share data with (sub-processors)
We use a small set of vetted sub-processors, each under a data-processing agreement. The authoritative, current list is maintained at /legal/sub-processors. As of the effective date it includes:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt, eu-central-1) |
| Vercel | Application hosting | EU region |
| Resend | Transactional email delivery | Ireland |
| Paddle | Payment processing / merchant of record | Ireland |
| Google / Microsoft | Optional single-sign-on (only if you choose it) | EU |
| Sentry | Error and operational monitoring (PII-scrubbed) | EU |
We remain responsible for our sub-processors’ handling of your data. We will give notice of material changes to this list per our DPA.
We may also disclose data where required by law, to enforce our terms, or in connection with a corporate transaction (with safeguards).
7. International transfers
Our core infrastructure is hosted in the EU (Frankfurt). Where a sub-processor processes data outside the EEA, we rely on an appropriate transfer mechanism — an EU adequacy decision or the European Commission’s Standard Contractual Clauses (2021), with supplementary measures where required.
8. How long we keep it
- Account and workspace data: for as long as your account is active, then deleted or anonymised within 90 days of closure, except where we must retain it (e.g. tax/accounting records, typically 6/7 years).
- Security/audit logs: retained for 90 days for integrity and security purposes.
- Evidence content you upload: retained per your instructions as controller; see the DPA. We never silently delete it.
- Billing records: retained as required by law.
9. Your rights
Under the GDPR you have the right to: access your data; have it corrected; have it erased; restrict or object to processing; data portability; and to withdraw consent where processing is based on consent. To exercise any of these, contact privacy@usevelin.com. We will respond within one month (extendable by two further months for complex requests, with notice).
You also have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or your local supervisory authority.
If your request concerns evidence content in a workspace where Velin is a processor, we will refer you to, or assist, the relevant controller (our customer).
10. Security
We protect personal data with measures including: EU-only hosting; encryption in transit and at rest; row-level tenant isolation; mandatory multi-factor authentication; an append-only, tamper-evident audit log; signed-URL-only access to stored files; and PII scrubbing in monitoring. We never store payment card data. No system is perfectly secure, but we take these obligations seriously.
11. Children
Velin is a business tool not directed to children and is not intended for anyone under 16. We do not knowingly collect their data.
12. Changes to this policy
We may update this policy. Material changes will be notified by email or in-app, and the “Last updated” date will change. Continued use after changes take effect constitutes acceptance.
13. Contact
Questions or requests: privacy@usevelin.com. Security matters: security@usevelin.com.