Privacy Policy

This Privacy Policy explains how Velovia (“Velovia”, “we”, “us”) processes personal data when you visit velovia.ai, create an account at app.velovia.ai, connect third-party services such as Google Search Console, or use our Model Context Protocol (MCP) server.

Velovia is currently operated as an unincorporated business based in Greece by [OPERATOR LEGAL NAME], [OPERATOR ADDRESS, GREECE]. Once Velovia is incorporated, this page will be updated with the registered entity's details. Until then, the operator named above is the “data controller” for personal data we collect about our own users (for example, your account information), and the “data processor” for personal data you instruct us to process on your behalf (for example, data about visitors to your website that you bring into the Service).

1. Scope and applicable laws

This policy applies globally. Depending on where you are located, your rights may be governed by the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), or other local privacy laws. Where a specific regime grants additional rights, those rights apply on top of what is described here.

2. Personal data we collect

We collect the following categories of personal data:

• Account data: email address, first and last name, organization membership, role, and authentication identifiers issued by Supabase.
• Content you provide: the website URLs, domains, business descriptions, page content, and metadata you submit to the Service.
• Google Search Console data: when you connect a Google account, we retrieve search performance data (queries, clicks, impressions, CTR, position) for properties you have authorized, together with the minimum OAuth tokens needed to maintain the connection.
• Data about your site's visitors: when we crawl or analyse your website on your instruction, we may incidentally process personal data contained in that website (for example, author names on public pages). For this category we act as a processor on your behalf.
• Usage and device data: events about how you use the Service, the features you invoke, the URLs you visit inside the app, the referrer, your user-agent, the session ID, and the IP address from which you connect.
• Support and communications: the content of emails and support requests you send us.
• Billing data (future): once paid plans launch, our payment processor (Polar) will collect the payment details needed to bill you. Velovia does not store full card numbers.

We do not knowingly collect special categories of personal data (health, biometrics, political opinions, etc.) and we ask that you do not submit such data through the Service.

3. Purposes and legal bases

Under the GDPR / UK GDPR we rely on the following legal bases:

• Performance of a contract (Art. 6(1)(b)): to create and maintain your account, authenticate you, run SEO audits, generate content, connect to Google Search Console, publish changes through integrations, and deliver the MCP server.
• Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse, debug errors, measure product usage at an aggregated level, communicate product updates to existing users, and defend legal claims.
• Consent (Art. 6(1)(a)): for any non-essential cookies or marketing emails where required by law. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and other mandatory obligations once we start charging for the Service.

4. Use of AI providers

The Service uses third-party large language models to generate SEO recommendations, content strategies, and page drafts. When you ask the Service to analyse your site or produce content, the relevant inputs (for example, a business description, a page excerpt, or aggregated GSC metrics) are sent to one or more of the following providers: Anthropic (Claude), OpenAI (GPT), Google (Gemini), and Perplexity. We only send the data necessary to fulfil your request, and we use each provider's API endpoints under terms that prohibit the provider from using your content to train their models. We do not send your Google account credentials or OAuth tokens to any LLM provider.

5. Google Search Console data and Google API Services

Velovia's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum Search Console scopes needed for the features you enable. We use GSC data solely to produce SEO insights, recommendations, and reports for the property you connected. You can disconnect your Google account at any time from your Velovia settings; on disconnection we stop calling Google APIs with your tokens and delete the stored tokens within seven days.

6. MCP server and code integrations

When you use the Velovia MCP server with a client such as Claude Code or Cursor, Velovia transmits pre-computed SEO recommendations, execution plans, and content briefs to that client upon the client's request. Velovia does not access your source code, local files, or repositories. Any code changes are performed locally by your MCP client; Velovia only records that a recommendation was marked as completed when your client reports that status back.

7. Who we share data with

We do not sell or rent personal data. We share it only with:

• Sub-processors that help us run the Service (hosting, database, email, analytics, error tracking, AI inference, web crawling, keyword data, payment processing). The current list is kept up to date at velovia.ai/subprocessors.
• Integrations you connect: when you link a third-party platform (Google Search Console, WordPress, Framer, Webflow, GitHub, etc.) we exchange with that platform only the data needed to make the integration work.
• Professional advisors and authorities: lawyers, accountants, or public authorities where we are required to disclose data by law or to establish, exercise, or defend legal claims.
• Business transfers: if Velovia is acquired, merged, or reorganized, personal data may be transferred to the successor entity subject to the same commitments.

8. International data transfers

Our primary database is hosted by Supabase in the EU (AWS eu-central-1, Frankfurt). Some of our sub-processors, including AI providers and payment processors, are located outside the European Economic Area, notably in the United States. Where personal data of EEA, UK, or Swiss users is transferred to such countries, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), or on the EU–US Data Privacy Framework where the recipient is certified. You can request a copy of the safeguards in place by emailing privacy@velovia.ai.

9. Retention

We keep your account data for as long as your account is active. On account deletion we erase or anonymize personal data within 30 days, except where we must keep it longer to meet legal obligations (for example, invoices are kept for the period required by Greek tax law), resolve disputes, or enforce our Terms. Error logs in Sentry are retained for up to 90 days. Aggregated and anonymized metrics that no longer identify any individual may be kept indefinitely.

10. Security

We protect personal data with TLS in transit, encryption at rest in Supabase-managed storage, role-based access controls, short-lived authentication sessions, and logging of administrative actions. OAuth tokens for third-party platforms are stored encrypted. Access to production systems is restricted to the minimum personnel needed to operate the Service. No system is completely secure: if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the competent supervisory authority without undue delay and, in any case, within 72 hours where required.

11. Your rights

Depending on your location, you have the right to:

• access the personal data we hold about you
• have inaccurate data corrected
• have your data erased (“right to be forgotten”)
• restrict or object to certain processing
• receive your data in a portable, machine-readable format
• withdraw any consent you have given
• not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you

California residents have the additional right to know the categories and specific pieces of personal information we have collected, the right to delete, the right to correct, the right to opt out of the “sale” or “sharing” of personal information (we do not engage in either), and the right not to be discriminated against for exercising these rights.

To exercise any right, email privacy@velovia.ai from the address associated with your account. We respond within 30 days (extendable by a further 60 days where the request is complex). If you believe we have mishandled your data, you can lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr) or with the supervisory authority of your country of residence.

12. Cookies and analytics

We use cookies and similar technologies to keep you logged in and to understand how the Service is used. For details, including the specific cookies we set and how to opt out of non-essential cookies, see our Cookie Policy.

13. Automated decision-making

The Service uses automated systems to generate SEO recommendations, content drafts, and prioritization. These outputs are suggestions; a human (you) decides whether to publish them. We do not use automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

14. Children

The Service is intended for business users and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

15. Changes to this policy

We may update this policy to reflect changes to the Service or applicable law. When we make material changes we will notify you by email or through the Service at least 14 days before the change takes effect. The date at the top of this page always reflects the latest revision.

16. Contact

For any question about this policy, to exercise your rights, or to request our DPA or a list of safeguards for international transfers, email privacy@velovia.ai. Postal address: [OPERATOR ADDRESS, GREECE].