Privacy Policy

Last updated: 2026-05-12 · Version 0.1 (MVP self-drafted)

1. Who We Are

Velvr is operated by MAKOA LLC, a Florida limited liability company (registered agent: Northwest Registered Agent LLC, 7901 4th St N, Suite 300, St. Petersburg, FL 33702, USA). For privacy questions, contact dpo@velvr.app.

2. Roles — Controller vs. Processor

Velvr operates with a dual-role data structure:

• For your account data (email, billing, settings) — Velvr is the Data Controller.
• For fan communications processed through your connected Fanvue account — Velvr is the Data Processor and you (the creator) are the Data Controller. This is governed by our Data Processing Agreement (DPA), which is incorporated into these terms.

3. Information We Collect

From you (Controller-data)

• Account email, password hash, and security credentials.
• Persona configuration, persona briefs, brand-voice settings.
• Billing information (processed by Stripe; we store reference IDs only).

Via your Fanvue OAuth connection (Processor-data)

• Fan handles, display names, conversation contents, vault metadata.
• Purchase events, subscription state, message timestamps.

Automatically

• IP address, browser type, session timestamps, audit log events.
• Analytics events (PostHog, EU region).

4. How We Use It

• To provide the Velvr Service (auto-reply, captions, analytics).
• To run our compliance validators (caption-guard, refusal, drift, lang-offer, limits, disclosure) on AI outputs.
• For billing, support, and security monitoring.
• To comply with legal obligations (audit logs, retention).

We do not sell your data, and we do not train generic AI models with your data.

5. Sub-Processors

We use the following sub-processors:

• Supabase (PostgreSQL, US-East) — DB hosting.
• Cloudflare R2 — file storage.
• Vercel — application hosting.
• Inngest — background-job orchestration.
• Stripe — payments.
• Resend — transactional email.
• Sentry — error monitoring.
• PostHog (EU region) — analytics.
• xAI (Grok) — AI inference for replies and captions.

Material changes to this list trigger DPA re-acceptance for our customers.

6. Retention

• Account data: lifetime of account + 30 days after account deletion.
• Audit logs: 24 months.
• Failed-payment events: 6 years (US-LLC accounting standard).
• Conversation data: lifetime of account + 30 days.
• Lead captures (marketing waitlist): 3 years since last interaction.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Request correction or deletion.
• Request data portability (GDPR / CCPA export).
• Object to or restrict certain processing.
• Withdraw consent at any time (where applicable).

Exercise these rights via Settings → Account → Export My Data, or by emailing dpo@velvr.app. We respond within 30 days.

8. California (CCPA)

California residents have additional rights under the CCPA, including the right to opt out of any sale of personal information. Velvr does not sell personal information. CCPA requests: email dpo@velvr.app.

9. EU/UK Residents

Velvr is currently US-only and geo-blocks access from EU/UK. If you are nonetheless processing data of EU/UK residents through Velvr as the Data Controller, our DPA applies and Standard Contractual Clauses are incorporated by reference.

10. Security

We use AES-GCM encryption for sensitive credentials, TLS for transport, row-level security in our database, and 2FA-recommended (not required) for accounts. Suspected security issues: email hello@velvr.app.

11. Cookies

We use essential cookies for authentication and session management. We use first-party analytics (PostHog EU) for product improvement. No third-party advertising trackers.

12. Changes

Material changes are notified via email and in-app banner with re-acceptance required where applicable.