GDPR Compliance

1. Data Controller

Velora acts as the data controller for all personal information collected through the Velora mobile application. We process your data in accordance with the European Union's General Data Protection Regulation (EU GDPR 2016/679) and the UK GDPR. This page supplements our Privacy Policy with EU/EEA-specific information.

2. Legal Basis for Processing

We process your personal data under the following legal bases as defined in Article 6 of the GDPR:

• Consent (Art. 6(1)(a)) — for AI-powered personalized content generation, push notifications, marketing communications, and optional analytics tracking
• Contract Performance (Art. 6(1)(b)) — for subscription management, credit system operations, in-app purchase processing, and core service delivery
• Legitimate Interest (Art. 6(1)(f)) — for anonymous analytics, fraud prevention, credit system abuse detection, and security monitoring
• Legal Obligation (Art. 6(1)(c)) — for financial record keeping of transactions (7-year retention), COPPA age verification compliance, and responding to lawful data requests

3. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights. To exercise any of these, contact our Data Protection Officer:

• Right of Access (Art. 15) — request a complete copy of all personal data we process about you, including natal chart data, credit history, journal entries, and AI interaction metadata
• Right to Rectification (Art. 16) — request correction of inaccurate birth data, display name, or other personal information
• Right to Erasure (Art. 17) — request deletion of all your personal data ("right to be forgotten"). All data deleted within 30 days, except where retention is required by law
• Right to Restriction (Art. 18) — request that we limit processing of your data while a dispute is resolved or accuracy is verified
• Right to Data Portability (Art. 20) — receive your personal data (birth info, journal entries, credit history) in a structured, commonly used, machine-readable format (JSON)
• Right to Object (Art. 21) — object to processing based on legitimate interest, including analytics and profiling for content personalization
• Rights Related to Automated Decisions (Art. 22) — our AI features involve automated processing but do not make legally binding decisions. You may request human review of any AI-generated content

4. Data Categories Processed

Detailed categories of personal data processed under GDPR:

• Identity Data — display name, birth date, birth time, birth location (city/country)
• Contact Data — email address (only if account is linked)
• Financial Data — subscription status, credit balance, purchase history (processed via RevenueCat; we do not store payment card details)
• Content Data — journal entries, AI chat messages, compatibility partner birth data
• Technical Data — anonymous device identifier, app version, OS version, crash logs
• Usage Data — feature usage frequency, session duration, daily check-in patterns (anonymized and aggregated)

5. International Data Transfers

Your data may be transferred to and processed on servers located outside the European Economic Area (EEA). We ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• EU-US Data Privacy Framework compliance for US-based providers (OpenAI, Firebase, Google AdMob)
• Data Processing Agreements (DPAs) with all third-party processors
• Regular assessment of third-party data protection practices

6. Data Retention Periods

We apply the following retention periods in accordance with data minimization principles (Art. 5(1)(e)):

• Active account data (birth info, preferences, credit balance): retained while account is active
• Data after account deletion: permanently erased within 30 days of deletion request
• Financial transaction records: retained for 7 years (legal requirement)
• Anonymous analytics data: retained for 24 months in aggregated, non-identifiable form
• AI conversation logs: not stored — deleted immediately after session
• Journal entries: retained while account is active; exportable before deletion
• Content moderation flags: retained for 12 months for safety monitoring

7. Data Security Measures

We implement appropriate technical and organizational measures as required by Article 32 of the GDPR:

• AES-256 encryption for all personal data at rest
• TLS 1.3 encryption for all data in transit
• Role-based access controls with least-privilege principle
• Optimistic locking on credit transactions to prevent data integrity issues
• Regular security assessments and code audits
• Data breach notification — supervisory authorities notified within 72 hours, affected individuals notified without undue delay (Art. 33, 34)
• Pseudonymization and anonymization where possible

8. Cookies & Tracking

The Velora mobile application does not use browser cookies. We use anonymous device identifiers (IDFA/GAID) for analytics. Under the ePrivacy Directive, we request consent before enabling non-essential tracking. You can withdraw consent at any time via your device privacy settings.

9. Children's Data (Art. 8)

Velora requires users to provide their birth date during onboarding. Users under 16 in the EU/EEA (or the applicable age in their member state) require parental consent for AI data processing. Users under 13 are blocked from all AI features in compliance with COPPA and GDPR Art. 8. We do not knowingly collect excessive data from children.

10. Data Protection Officer

11. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Supervisory Authority. You can find your authority at the European Data Protection Board website: edpb.europa.eu.