Privacy Policy

Last updated: March 7, 2026

Velso (“Velso”, “we”, “us”, or “our”) is committed to protecting your personal information. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have over it. It applies to all users of the Velso platform at velso.app.

This policy is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA). If you have questions, contact us at privacy@velso.app.

1. Who We Are

Velso is an AI-powered operations platform for solo freelancers. For the purposes of EU and UK data protection law, Velso is the data controller responsible for your personal data.

Contact:
Velso
Email: privacy@velso.app

If you are located in the European Economic Area (EEA) and have concerns about how we handle your data, you have the right to contact your local data protection authority (DPA). A list of EU DPAs is available at edpb.europa.eu.

2. Data We Collect

2.1 Account and Profile Data

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a cryptographic hash — never in plain text)
  • Business name
  • VAT number (optional)
  • Business address
  • Phone number
  • Bank details: IBAN, BIC, bank name (used to generate invoices)

2.2 Client Data You Enter

When you create a project and run a client intake, you provide data about your clients:

  • Client name and company name
  • Client email address
  • Project description, budget, and timeline
  • Any other details you or your client enter into an intake form

You are the data controller for your clients' personal data. Velso processes this data on your behalf as a data processor. You are responsible for ensuring you have a lawful basis to share your clients' personal data with Velso and that you have informed them appropriately.

2.3 Usage and Technical Data

  • IP address (for security and fraud prevention)
  • Browser type and device information
  • Pages visited within the app and timestamps
  • Error logs and diagnostic data

We do not use any third-party analytics scripts (e.g., Google Analytics). Technical data is collected from server logs only.

2.4 Billing Data

When you subscribe to Velso, payment is processed by Stripe. We do not store your credit card number, card CVV, or full card details on our servers. Stripe provides us with a non-sensitive token and your billing email. See Stripe's Privacy Policy for details.

2.5 AI-Processed Content

When you use AI features (brief generation, contract drafting, scope checks, status update emails), the relevant project data and instructions are sent to AI model providers (Anthropic Claude and/or Google Gemini) for processing. See Section 5 for details on these sub-processors.

3. How We Use Your Data

We use your data for the following purposes:

Providing the service

Creating and managing your account, generating briefs, contracts, invoices, scope checks, and status emails.

Billing and subscription management

Processing your subscription payments via Stripe, sending invoices and receipts.

Sending transactional emails

Sending invoices and project status updates to your clients via Resend. You control when these are sent.

Security and fraud prevention

Monitoring for unauthorized access, abuse, and protecting user accounts.

Service improvement

Analyzing aggregate, anonymized usage patterns to improve Velso's features. We do not use your personal data or client data for AI model training without your explicit consent.

Legal compliance

Complying with applicable laws, regulations, and lawful requests from public authorities.

4. Lawful Basis for Processing (GDPR)

Under GDPR, we must have a lawful basis for processing personal data. Here is the basis for each category:

| Processing Activity | Lawful Basis |
| --- | --- |
| Account creation and management | Contract (Article 6(1)(b)) — necessary to provide the service you signed up for |
| Generating AI content from your data | Contract (Article 6(1)(b)) — core service functionality |
| Subscription billing via Stripe | Contract (Article 6(1)(b)) — necessary for payment processing |
| Sending transactional emails via Resend | Contract (Article 6(1)(b)) — service delivery |
| Security monitoring and fraud prevention | Legitimate interests (Article 6(1)(f)) — protecting users and the platform |
| Legal compliance and record-keeping | Legal obligation (Article 6(1)(c)) |
| Service improvement (anonymized data only) | Legitimate interests (Article 6(1)(f)) |

5. Third-Party Processors

We share your data only with trusted third-party service providers necessary to operate Velso. We do not sell your personal data to any third party. Each processor is bound by a Data Processing Agreement (DPA) or equivalent contractual protections.

Neon (Neon Inc.)

Role: Database hosting
Data shared: All personal data and project data stored in your account
Location: United States (AWS us-east-1)

Vercel Inc.

Role: Application hosting and deployment
Data shared: IP addresses, request logs, application traffic
Location: United States (global edge network)

Stripe Inc.

Role: Subscription billing and payment processing
Data shared: Billing email, subscription status, payment tokens
Location: United States

Resend (Resend Inc.)

Role: Transactional email delivery
Data shared: Recipient email addresses, email content (invoices, status updates)
Location: United States

Anthropic PBC

Role: AI content generation (Claude models)
Data shared: Project data submitted to AI features (brief content, contract inputs, scope check content, status update drafts)
Location: United States

Google LLC (Google Gemini)

Role: AI content generation (Gemini models, used as an alternative AI provider)
Data shared: Project data submitted to AI features
Location: United States

We do not share your data with any other third parties except as required by law (e.g., in response to a valid court order or legal process).

6. International Data Transfers

Velso is operated primarily for users in the European Economic Area (EEA) and globally. All our infrastructure and third-party processors are located in the United States, which means your personal data is transferred to and processed in a country outside the EEA.

These transfers are made in compliance with Chapter V of the GDPR. We rely on one or more of the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) — approved by the European Commission under Decision 2021/914, incorporated into our agreements with US-based processors.
  • EU-US Data Privacy Framework — where applicable, processors certified under the EU-US DPF.

You may request a copy of the applicable transfer safeguards by emailing privacy@velso.app.

7. Data Retention

We retain your data for as long as necessary to provide the service:

  • Account data: Retained for the duration of your account. Upon account deletion, personal data is deleted within 30 days, except where we are required by law to retain it longer (e.g., financial records for tax purposes — typically 7 years).
  • Project and client data: Retained for the duration of your account. Deleted within 30 days of account closure, subject to the same legal retention exceptions.
  • Invoice records: Retained for up to 7 years from the invoice date to comply with applicable accounting and tax obligations.
  • Server logs: Retained for up to 90 days for security and debugging purposes, then deleted.
  • Backup data: Encrypted database backups may retain data for up to 30 days after deletion from the live database.

You can request early deletion of your account and data at any time by contacting privacy@velso.app.

8. Security

We take the security of your data seriously and implement appropriate technical and organizational measures, including:

  • Passwords stored using bcrypt hashing — never in plain text
  • All data transmitted over TLS/HTTPS encryption
  • Database access restricted to application services with least-privilege credentials
  • Single-tenant data model: each user can only access their own data
  • Authentication session tokens with short expiry and secure cookie flags
  • Neon Postgres database with encryption at rest
  • Regular dependency updates and security patching

No system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@velso.app.

9. Cookies and Local Storage

Velso uses only essential cookies. We do not use any tracking cookies, advertising cookies, or third-party analytics scripts.

| Cookie | Purpose | Duration | Type |
| --- | --- | --- | --- |
| better-auth.session_token | Authenticates your session after sign-in | Session | Essential |
| better-auth.csrf_token | Prevents cross-site request forgery attacks | Session | Essential |

Because we only use strictly necessary cookies, we are not required to obtain cookie consent under the ePrivacy Directive. If you disable cookies entirely, you will not be able to log in to Velso.

10. Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

Right of Access (Art. 15)

You can request a copy of all personal data we hold about you.

Right to Rectification (Art. 16)

You can request correction of inaccurate or incomplete personal data.

Right to Erasure / 'Right to be Forgotten' (Art. 17)

You can request deletion of your personal data where there is no compelling reason for us to continue processing it.

Right to Data Portability (Art. 20)

You can request your data in a structured, machine-readable format (JSON or CSV) to transfer to another service.

Right to Restriction of Processing (Art. 18)

You can request that we limit how we use your data in certain circumstances (e.g., while a dispute is resolved).

Right to Object (Art. 21)

You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent

Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

You have the right to lodge a complaint with your national data protection authority if you believe we have not handled your data lawfully.

To exercise any of these rights, email privacy@velso.app with the subject line “Data Rights Request”. We will respond within 30 days. We may need to verify your identity before processing the request.

11. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information.

Categories of Personal Information We Collect

  • Identifiers (name, email, IP address)
  • Commercial information (subscription plan, payment history)
  • Internet or network activity (pages visited, timestamps)
  • Professional or employment-related information (business name, VAT number)
  • Financial account information (IBAN, BIC — used solely for invoice generation)
  • Inferences drawn to understand your use of the service

We Do Not Sell Your Personal Information

Velso does not sell your personal information to third parties, and has not done so in the preceding 12 months. We do not share personal information for cross-context behavioral advertising.

Your CCPA Rights

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal obligations).
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: As we do not sell or share personal information for advertising purposes, this right is not applicable. No opt-out mechanism is required.
  • Right to Limit Use of Sensitive Information: We only use sensitive personal information (IBAN, financial data) for the purpose of providing the service (invoice generation). We do not use it for any other purpose.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. Exercising your rights will not result in denial of service, different pricing, or a different level of quality.

How to Exercise Your CCPA Rights

Submit a verifiable consumer request to privacy@velso.app with the subject line “CCPA Request”. You may submit up to two requests per 12-month period. We will respond within 45 days (extendable by an additional 45 days where necessary).

12. Children's Privacy

Velso is a business tool intended for adults (18+). We do not knowingly collect personal data from children under 16 (or under 13 in the US). If you believe a minor has provided us with personal data, please contact us at privacy@velso.app and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Send a notification to the email address on your account
  • Where required by law, obtain your consent before applying changes

Continued use of Velso after the effective date of an updated policy constitutes acceptance of the updated terms, where permitted by law.

14. Contact

For any questions, concerns, or requests related to this Privacy Policy or your personal data:

Velso Privacy Team

Email: privacy@velso.app

We aim to respond to all requests within 30 days.