
Legal · Privacy Notice

Your data stays yours.

The short version

  • We connect to your tools read-only; we can never change anything.
  • Your raw customer data stays in our EU database; only aggregated numbers reach the AI.
  • The AI doesn't train on your data, and your data is never sold or shared with other brands.
  • You can disconnect and delete everything whenever you want.

Last updated: June 2026

1. The data we collect and process

We work with three kinds of data, and we treat them very differently.

  • Connected business data. When a customer connects their tools (Shopify, Meta, Stripe, Recharge, Google Ads, Klaviyo), we read their orders, customers, products, ad spend, subscriptions and related records, read-only, to build their revenue intelligence. We process this on the customer's behalf, as their processor.
  • Account and user data. Names, work emails and login details of the people who use Velur, so we can run accounts, support and billing.
  • Website and prospect data. The email you enter in the waitlist form, plus basic, privacy-first analytics about how the site is used.

2. How we use data, and our lawful bases

We use data only for clear purposes, each with a lawful basis under the GDPR:

  • To provide the service (model your data, write your daily brief): performance of a contract.
  • To secure and improve the product (debugging, abuse prevention, reliability): legitimate interests.
  • To contact waitlist signups and send service messages: consent or legitimate interests.
  • To meet legal and tax obligations: legal obligation.

We never sell your data, and we never use it to train shared AI models.

3. The principle that shapes everything: minimal egress

Your raw business data stays in your ecosystem. The most sensitive records (individual customer names, emails and transactions) never leave our database. To write your brief we send the AI model only aggregated, derived numbers (revenue by channel, blended ROAS, churn by cohort). The model reasons over the summary, never over your customers.

4. Where your data is stored and transferred

Connected business data is processed and stored on EU infrastructure, under GDPR-compliant data-processing agreements, encrypted in transit and at rest. Where any provider operates outside the EU, we rely on appropriate safeguards (such as Standard Contractual Clauses) and keep transfers to the minimum the service needs.

5. How long we keep it

We keep connected data while you use Velur, so your history and trends stay intact. If you stop using the product, we delete your connected data; we keep account and billing records only as long as the law requires. You can ask us to delete your data at any time.

6. How we share your data

We don't sell data or share it with other brands. We use a small set of trusted sub-processors to run Velur, each under a data-processing agreement:

  • Anthropic, the AI that drafts the brief (receives aggregates only; does not train on the data; zero-retention used where it qualifies).
  • Supabase, database and storage (EU region).
  • Vercel, website and application hosting.
  • Resend, transactional email (delivering your brief).

We may also disclose data where the law requires it, or to protect rights and safety. We'll keep this list current as the product grows.

7. Cookies and tracking

The marketing site uses privacy-first analytics with no advertising cookies and no cross-site tracking. We don't build profiles of you across the web, and we honour Global Privacy Control / Do-Not-Track signals.

8. Communications

Service messages (security, account, your brief) are part of using Velur. Anything promotional is optional, and every marketing email has a one-click unsubscribe.

9. Security

We use read-only connections, encryption, strict tenant isolation (one business can never see another's data, even by mistake) and least-privilege access. No system is perfectly secure, but we design Velur so that the most sensitive data is the least exposed.

10. Your rights

Under the GDPR (and similar laws) you can access, correct, export, restrict, or delete your data, and object to certain processing, at any time. To exercise any right, email hello@velur.io and we'll handle it promptly.

11. Our role: controller and processor

For connected business data, the customer is the controller and Velur is the processor; we act on their instructions. For account/user and website data, Velur is the controller. A data-processing agreement governs the processor relationship with each customer.

12. Children, changes and contact

Velur is a business tool and is not directed at children. If this notice changes, the "last updated" date will reflect it. For questions, or to reach whoever handles data protection at Velur, write to hello@velur.io.