Privacy Policy

Information you provide.

• Account details: name, email, role, workspace name, billing address.
• Authentication events managed through our identity provider (Clerk): sign-in timestamps, IP address, two-factor status.
• Payment details: handled by our payment processor (Stripe). We never store full card numbers on our systems.
• Creative content: images, videos, ad copy, product feeds, audience files you upload.

Information we receive from connected ad platforms. When you authorize a platform (Meta, Google, TikTok, LinkedIn, Amazon, Microsoft, Snapchat, Pinterest, X, Reddit, Shopify, and others), we receive the data scoped by your consent — typically campaign settings, performance metrics, audience definitions, and creative metadata. We do not receive the contents of private messages or end-user identifiers beyond those needed to measure attribution.

Automatically collected.

• Usage data: pages visited, features used, approximate location, device type.
• Error logs and performance telemetry (with personal identifiers scrubbed).
• Cookies and similar technologies — see Section 7.

• To operate the Service — run your campaigns, compute attribution, generate reports, train and evaluate machine-learning models that serve your workspace.
• To bill you — process subscriptions, invoices, and tax.
• To communicate — onboarding guidance, security alerts, product updates. Marketing emails require opt-in and can be unsubscribed at any time.
• To improve the Service — we may use aggregated, de-identified data for product benchmarking and machine-learning quality. We apply k-anonymity so that no individual workspace’s data can be re-identified in benchmark outputs.
• To comply with law — including responding to lawful requests and enforcing our Terms.

For users in the European Economic Area, United Kingdom, or Switzerland, we process personal data under one of the following bases:

• Contract — to provide the Service you subscribed to.
• Legitimate interests — to secure and improve the Service, balanced against your privacy rights.
• Consent — for marketing communications and optional cookies.
• Legal obligation — to meet tax, accounting, and anti-fraud requirements.

We do not sell personal data. We share it only with:

• Sub-processors — cloud hosting, Clerk (authentication), Stripe (billing), Anthropic and Replicate (AI model inference), SendGrid or Resend (email), and similar service providers, each under a data-processing agreement.
• Connected ad platforms — when you direct us to create or modify a campaign on your behalf, the relevant data is sent to that platform.
• Authorities — when required by law or to protect the rights, safety, or property of VelaReach, our users, or the public.
• In a business transfer — such as a merger, acquisition, or asset sale, subject to standard confidentiality safeguards.

We retain account data for the life of your workspace plus a reasonable period to meet legal and accounting obligations. Raw event data is retained for up to 90 days; aggregated analytics are retained up to 24 months. You can request earlier deletion — see Section 6.

Depending on where you live, you may have the right to:

• Access, correct, or delete your personal data.
• Export a portable copy of your Customer Content.
• Object to or restrict certain processing.
• Withdraw consent for marketing or optional cookies.
• Lodge a complaint with your local data-protection authority.

Send requests to privacy@velareach.com. We verify the requester’s identity before acting to protect your data from being released to someone else.

The Service uses cookies and similar technologies for authentication (Clerk session), security (CSRF protection), and product analytics. Our public marketing site honors the Global Privacy Control (GPC) signal and Google Consent Mode v2. You can manage cookies through your browser.

We encrypt data in transit (TLS 1.2+) and at rest (AES-256). Platform OAuth tokens are sealed in a per-workspace encrypted vault. We apply principle of least privilege, rotate credentials regularly, and log administrative access. No system is perfect — if you believe your account has been compromised, contact security@velareach.com immediately.

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

VelaReach operates globally. Personal data may be transferred to jurisdictions outside your country of residence. When we transfer data out of the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses or an equivalent transfer mechanism.

We may update this Privacy Policy from time to time. Material changes will be announced via email or a notice in the Service at least 30 days before they take effect.

Privacy questions or requests: email privacy@velareach.com.