Privacy Policy
Last updated: February 2026
At Velora Digital Limited (“Velora”, “we”, “us”), we respect your privacy. This policy explains what data we collect, how we use it, and your rights.
Velora Digital Limited is a company registered in England and Wales. We are the data controller for the personal data described in this policy.
What we collect
Account information
When you create a Velora account, we collect:
- Your name and email address
- Organisation name (if applicable)
- Payment and billing information (processed by our payment provider)
App usage
When you use the Velora platform (app.velora.build), we collect and process:
- Connected site information (CMS credentials, site URLs)
- Content source configurations (RSS feed URLs, email connections via OAuth, social account connections)
- Skills and editorial configuration data
- Generated article drafts and content
- Usage metrics (articles generated, features used)
Email monitoring
If you connect an email inbox via OAuth (Gmail or Outlook), we access email content on a read-only basis. We only process emails from senders or domains you have configured. Email content may incidentally contain personal data (sender names, email addresses, content of press releases).
Waitlist
When you join our waitlist, we collect:
- Your name
- Email address
- Website URL (optional)
- Timestamp of signup
- Attribution data (UTM parameters, referrer) if available
This data is used only to contact you about Velora and send product updates.
Website analytics
We do not currently use third-party analytics on this marketing site. We may add privacy-respecting analytics in the future.
How we use your data
- To provide and operate the Velora service
- To communicate with you about your account, the product, and service updates
- To process payments and manage your Subscription
- To improve and develop the Service
- To comply with legal obligations
- To send waitlist updates and product announcements (you can unsubscribe at any time)
We do not use your Customer Content or Output to train, fine-tune, or improve our AI models without your prior written consent.
Legal basis for processing
We process your personal data on the following legal bases under UK GDPR:
- Performance of a contract — to provide the Service and manage your account
- Legitimate interests — to improve our Service, communicate with you, and ensure security
- Consent — for marketing communications (you can withdraw at any time)
- Legal obligation — where required by law
Data sharing
We do not sell your data. We share data only with:
- Service providers who help us operate the Service (hosting, payment processing, email delivery). These providers process data on our behalf under data processing agreements.
- AI model providers to generate content. Content is processed through their APIs but is not retained by them for training purposes (subject to our agreements with those providers).
- Legal authorities when required by law or to protect our rights.
Sub-processors
We use the following sub-processors to provide the Service:
| Provider | Purpose | Location |
|---|---|---|
| Railway | Application hosting | EU/US |
| Neon | Database hosting | US |
| Vercel | Marketing site hosting | Global |
| Resend | Email delivery | US |
| Anthropic | AI model provider | US |
We will maintain an up-to-date list of sub-processors and will notify you of any changes.
Data security
We use industry-standard security measures to protect your data:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Encryption at rest for sensitive credentials (CMS passwords, OAuth tokens)
- Access controls and authentication
- Regular security reviews
Data retention
- Account data is retained for as long as your account is active, plus 90 days after termination for data export purposes.
- Customer Content and Output is deleted within 90 days of account termination, unless you request earlier deletion or we are required by law to retain it.
- Waitlist data is retained until you unsubscribe or your data is no longer needed.
- Credentials (CMS passwords, OAuth tokens) are revoked and deleted immediately on account termination.
International data transfers
Some of our sub-processors are located outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or other approved transfer mechanisms.
Your rights
Under UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate personal data
- Erase your personal data (subject to legal retention requirements)
- Restrict processing in certain circumstances
- Data portability — receive your data in a structured, commonly used format
- Object to processing based on legitimate interests
- Withdraw consent for marketing communications at any time
To exercise these rights, email us at privacy@velora.build. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
Cookies
This marketing site uses minimal cookies:
- Essential cookies for site functionality
- Session cookies that expire when you close your browser
We do not use advertising or tracking cookies on this site.
Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by email or through a notice on our website at least 30 days before they take effect.
Contact
If you have questions about this privacy policy or our data practices, contact us at:
Velora Digital Limited Email: privacy@velora.build