Velum.Works

Privacy Policy

Last updated: January 12, 2026

Our Commitment: Your privacy is fundamental to everything we do. We never sell your data. We never use your emails for advertising. Your information exists solely to provide you with our email management service.

1. Introduction

Velum.Works ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered email management service.

By using Velum.Works, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies, please do not use our service.

2. What We Collect and Why

2.1 Account Information

When you create an account, we collect:

  • Email address: For account identification, authentication, and communications
  • Password: Hashed using bcrypt; we never store plaintext passwords
  • Name (optional): To personalize your experience

2.2 Email Account Connections

When you connect email accounts, we receive:

  • OAuth tokens: Encrypted and used only to access your email on your behalf
  • IMAP credentials: If you choose IMAP, encrypted using Fernet encryption

You can revoke access at any time through your account settings or directly through your email provider.

2.3 Email Content

To provide our AI sorting and filtering service, we process:

  • Email metadata (sender, recipient, subject, date)
  • Email body content (for AI categorization)
  • Attachments (metadata only; we don't analyze attachment contents)

Important: Email content is processed by our AI system but is never read by humans except in rare cases requiring manual intervention to fix technical issues, and only with your explicit permission.

2.4 Payment Information

Payment processing is handled entirely by Stripe. We never see or store your complete credit card number. We retain:

  • Last 4 digits of your card (for identification)
  • Billing address
  • Transaction history

2.5 Automatically Collected Information

  • Device information: Browser type, operating system, device type
  • Usage data: Features used, pages visited, actions taken
  • IP address: For security, fraud prevention, and general location
  • Cookies: For session management and authentication

3. How We Handle Your Email Data

3.1 Processing

Your email data is processed solely to:

  • Categorize emails (Primary, Social, Promotions, Spam)
  • Filter and detect spam
  • Generate AI-powered draft suggestions
  • Provide search functionality

3.2 Storage

  • Email content is stored in encrypted databases
  • Data is hosted in SOC 2 Type II certified data centers
  • Backups are encrypted and retained for disaster recovery

3.3 What We Never Do

  • We never sell your email data
  • We never use your emails for advertising or ad targeting
  • We never share email content with third parties for their marketing
  • We never train AI models on your individual emails without consent

4. Data Security

We implement comprehensive security measures:

4.1 Encryption

  • In transit: TLS 1.3 for all connections
  • At rest: AES-256 encryption for stored data
  • Credentials: Fernet encryption for OAuth tokens and API keys
  • Passwords: bcrypt with high work factor

4.2 Infrastructure

  • SOC 2 Type II certified cloud infrastructure
  • 24/7 monitoring and intrusion detection
  • Regular security audits and penetration testing
  • Strict role-based access controls

4.3 Operational Security

  • All access is logged and audited
  • Employee access requires authentication and authorization
  • Privacy and security training for all team members

5. Third Parties and Data Sharing

5.1 We Do Not Sell Your Data

We have never sold personal information and never will. We do not participate in data broker services or advertising networks that track users across sites.

5.2 Service Providers

We use trusted third-party services to operate Velum.Works:

  • Cloud Infrastructure: Oracle Cloud Infrastructure (data hosting)
  • Payment Processing: Stripe (billing and subscriptions)
  • Email Delivery: For transactional emails only

These providers are contractually obligated to protect your data and may only use it to provide their services to us.

5.3 Legal Requirements

We may disclose information if required by law, such as:

  • Valid legal process (subpoena, court order, warrant)
  • Protection of rights, property, or safety
  • Preventing fraud or security threats

We will notify you of such requests unless legally prohibited from doing so.

6. Data Retention

  • Active accounts: Data retained while your account is active
  • Deleted content: Removed from active servers within 30 days
  • Account cancellation: All data deleted within 60 days
  • Backups: Purged within 90 days of deletion
  • Financial records: Retained 7 years for legal compliance

7. Cookies and Tracking

We use essential cookies for:

  • Session management and authentication
  • Security (CSRF protection)
  • User preferences (theme, settings)

We do not use advertising cookies or third-party tracking pixels. You can manage cookies through your browser settings.

8. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your data
  • Portability: Export your data in a standard format
  • Objection: Object to certain processing activities
  • Restriction: Limit how we use your data
  • Withdraw consent: Revoke permissions at any time

To exercise these rights, contact us at support@velum.works. We will respond within 30 days.

9. GDPR Compliance (EU Users)

For users in the European Economic Area:

  • Legal basis: We process data based on consent and contractual necessity
  • Data controller: Velum.Works is the data controller for your information
  • International transfers: Data transferred outside the EU is protected by Standard Contractual Clauses
  • DPA: Data Processing Agreements available for business customers
  • Supervisory authority: You may lodge complaints with your local data protection authority

10. CCPA Compliance (California Residents)

For California residents, you have additional rights:

  • Right to Know: Categories of personal information collected, used, and disclosed
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: We do not sell personal information, but you can still opt-out of any sharing
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

California residents may designate an authorized agent to make requests on their behalf.

11. Children's Privacy

Velum.Works is not intended for users under 13 years of age (or 16 in the EU). We do not knowingly collect information from children. If we become aware of such collection, we will delete it immediately and terminate the associated account.

12. International Data Transfers

Our primary data infrastructure is located in the United States. If you access our service from outside the US, your information may be transferred to and stored in the US. We ensure appropriate safeguards are in place, including Standard Contractual Clauses for EU transfers.

13. Policy Updates

We may update this Privacy Policy periodically. Significant changes will be communicated via:

  • Email notification to registered users
  • Prominent notice on our website
  • Updated "Last updated" date at the top of this page

Continued use of our service after changes constitutes acceptance of the updated policy.

14. Contact Information

For privacy questions, concerns, or to exercise your rights:

Velum.Works

Email: support@velum.works

We aim to respond to all requests within 30 days.