Velokai

Privacy policy

Effective date: 2026-05-24

This Privacy Policy explains how Velokai ("we", "us", "our") collects, uses, retains, and shares your personal data when you use our Service. We are the data controller for personal data processed about you.

1. Data we collect

We collect only the data needed to run the Service:

  • Account data: email address, name, hashed password (Argon2id; we never store cleartext), 2FA configuration if enabled.
  • Sign-in metadata: IP address, device user-agent, approximate location (city + country from Cloudflare). Used for suspicious-sign-in detection and your sign-in history.
  • Operational data: leads + conversations you connect to your AI worker, plus the activity log of actions it takes.
  • Cookies: an essential session cookie for sign-in; an analytics cookie only if you grant consent via our banner.
  • Anonymized telemetry: error reports and performance metrics via Sentry (sampled, no PII).

2. Purpose of processing

We process your data to:

  • Provide the Service (authentication, lead handling, AI agent runs).
  • Protect your account (suspicious-sign-in alerts, abuse prevention).
  • Improve the Service (anonymized error + performance telemetry).
  • Communicate with you (transactional emails; product updates only with consent).
  • Comply with legal obligations (audit trail, retention windows).

3. Retention

  • Account data: retained while your account is active. On self-initiated deletion, a 30-day grace window applies; after that, we hard-delete your account and all linked data.
  • Sign-in metadata: 90 days, then auto-purged.
  • Audit log: 1 year (we keep this beyond your account deletion as required for security forensics + legal obligations).
  • AI worker activity: 90 days, then auto-purged.
  • Anonymized telemetry: 90 days, then auto-purged.

4. Third parties

We use the following sub-processors to run the Service. Each handles only the data needed for its function and is bound by appropriate contractual safeguards (Data Processing Agreement where required by law):

  • Railway — application hosting.
  • MongoDB Atlas — database hosting.
  • Cloudflare — DNS + CDN + DDoS protection + geo headers.
  • Resend — transactional email delivery.
  • Better Auth Cloud — authentication + audit logging.
  • Anthropic— LLM inference (the AI worker's brain). Per Anthropic's commercial terms, your data is NOT used to train models.
  • Modal — secure sandbox infrastructure for the AI worker runtime.
  • Sentry — error + performance monitoring.

We do not sell your personal data. We do not share it with advertisers.

5. Your GDPR rights

If you are in the EU, EEA, Switzerland, or the United Kingdom, you have the following rights under GDPR / UK-GDPR:

  • Right of access — request a copy of all personal data we hold about you. Use Settings → Your data → Download my data.
  • Right to rectification — correct inaccurate or incomplete data. Email + name from Settings → Email.
  • Right to erasure("right to be forgotten") — delete your account and all linked data via Settings → Danger Zone. 30-day grace window applies.
  • Right to data portability — receive your data in a machine-readable JSON format. Same path as access.
  • Right to restriction — request we pause processing your data. Email privacy@velokai.com.
  • Right to object — object to processing based on our legitimate interests. Email privacy@velokai.com.
  • Right to not be subject to automated decision-making — we use AI for lead-handling, but every action it takes is logged + can be reviewed; significant decisions are not made solely by algorithm.
  • Right to lodge a complaint with your local data protection authority.

6. International transfers

Some sub-processors (e.g. our LLM provider) are based in the United States. We rely on Standard Contractual Clauses (SCCs) and/or adequacy decisions to ensure your data is protected to GDPR-equivalent standards in transit and at rest.

7. Security

We use industry-standard security practices: Argon2id password hashing, encryption in transit (TLS), encryption at rest (provider-managed), principle-of-least-privilege access controls, audit logging, and ongoing security reviews. We use Cloudflare for DDoS protection at the edge.

8. Changes to this policy

We may update this Policy. Material changes will be communicated via email at least 30 days before they take effect.

9. Contact

Privacy questions or to exercise any of the rights above, email privacy@velokai.com.

This document is a pre-launch draft and has not been reviewed by counsel. It will be replaced with the final lawyer-reviewed version before paid customer onboarding.