Privacy Policy

1. Introduction

Vela Cloud Ltd, operating as Vela ("we," "us," or "our"), is committed to protecting your personal information. This Privacy Policy explains what data we collect, why we collect it, how we use it, and the rights available to you.

This policy applies to all users of the Vela platform, visitors to our website at usevela.io, and anyone who contacts us for support. By using our services, you agree to the practices described in this policy.

You must be at least 18 years old to use Vela. We do not knowingly collect personal data from anyone under the age of 18.

2. Data Controller and Processor

Vela Cloud Ltd acts as a data controller for account registration data (your name, email, and billing information). For data you upload or sync into the platform from your own CRM systems (such as customer records, opportunity data, and contact information), Vela Cloud Ltd acts as a data processor on your behalf. In this capacity, we process that data solely according to your instructions and our Data Processing Agreement.

3. Information We Collect

Account information: When you register, we collect your name, email address, and organisation name via our identity and authentication provider.

Team role and profile data: When you join a workspace — either by creating an account or accepting a team invitation — we collect your assigned job function within your organisation (Seller, CRO, or PDM). This is used to personalise your platform experience, including AI-generated briefings, daily summaries, and deal recommendations tailored to your role. Your job role may be updated by a workspace administrator; any such change takes effect immediately across all personalised features.

Billing information: Payment details (card number, billing address) are collected and stored directly by Paddle.com, our PCI DSS compliant payment processor. We do not store payment card numbers, CVV codes, or other sensitive card data on our systems. Paddle operates as a Merchant of Record and is certified to PCI DSS Level 1, the highest level of payment card security compliance.

CRM and pipeline data: When you connect a CRM integration, your platform authorises read/write access on your behalf. OAuth tokens are encrypted before storage. We access only the data scopes you explicitly authorise.

AI conversation history: Conversations you have with the Insights Assistant are stored on our servers to enable conversation continuity. You may delete individual conversations at any time from within the platform.

Support conversations: If you contact us via our support chat widget, those conversations are stored by our support chat provider and may be reviewed by our team to resolve your query.

Usage data: We collect anonymised data about features accessed, pages visited, and actions taken. This data cannot identify you individually and is used solely to improve the platform.

4. How We Use Your Information

• Providing, maintaining, and improving the Vela platform
• Authenticating your identity and managing your account
• Processing subscription payments and sending billing related notices
• Sending transactional notifications (funding expiration alerts, sync status)
• Responding to support requests and resolving technical issues
• Generating anonymised, aggregated analytics to improve product features
• Complying with applicable laws and legal obligations

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

4a. Lawful Basis for Processing (GDPR)

Where the General Data Protection Regulation (GDPR) applies, we rely on the following lawful basis and legal bases to process your personal data:

• Contractual necessity (Article 6(1)(b)): Processing required to provide the platform, manage your account, and fulfil subscription obligations
• Legitimate interests (Article 6(1)(f)): Fraud prevention, security monitoring, platform improvement through anonymised analytics, and communicating relevant product updates
• Legal obligation (Article 6(1)(c)): Retention of financial records required by applicable tax and accounting law
• Consent (Article 6(1)(a)): Where explicitly required, such as for optional marketing communications, withdrawable at any time

5. Subprocessors and Third Parties

We engage trusted third party subprocessors to operate the platform, covering the following categories: identity and authentication, cloud infrastructure and storage, payment processing, AI and machine learning, and customer support. Each subprocessor is bound by a data processing agreement and may only process your data for the specific purpose for which they are engaged.

A current and complete list of our subprocessors, including each provider's name, role, and data processing details, is published at usevela.io/sub-processors. We will give you at least 14 days' notice of any material addition or replacement of a subprocessor, by updating that page and notifying you via email or a notice in the platform.

We do not share your data with any other third parties except where required by law.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, and no longer than required by applicable law. The following table sets out our default retention periods by data category:

If you cancel your subscription or request account deletion, your personal data is permanently removed from our systems within 30 days of closure, except where a longer retention period is required by law (for example, Vela's internal revenue accounting records required for Israeli corporate tax compliance).

In the event of a corporate transaction such as a merger, acquisition, or asset sale, your data may be transferred to the successor entity. We will provide notice before your data becomes subject to a different privacy policy.

6a. International Data Transfers

Our infrastructure and subprocessors may process your data in countries outside the European Economic Area (EEA) or the United Kingdom. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V (and equivalent UK provisions). The following table identifies each provider, their country of data processing, and the applicable transfer mechanism:

You may request a copy of the applicable Standard Contractual Clauses or details of supplementary safeguards by contacting privacy@usevela.io.

7. Data Security

We implement industry standard technical and organisational measures to protect your data. All data is encrypted in transit and at rest. Access to production systems is restricted to authorised personnel only. However, no system is completely immune to risk.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR and the equivalent provision of the Israeli Privacy Protection Law 5741-1981 (as amended). Where a breach is likely to result in a high risk to individuals, we will also notify affected users without undue delay. Our full breach classification and response procedure — including escalation paths and regulatory notification steps — is maintained in our internal Incident Response Plan, which is available to enterprise customers and regulatory authorities upon request.

Where processing of personal data is likely to result in a high risk to individuals, such as large scale CRM data processing or automated AI queries, we conduct a Data Protection Impact Assessment (DPIA) before commencing that processing, in accordance with Article 35 of the GDPR.

7a. AI-Powered Features — EU AI Act Transparency

Certain features of the Vela platform are powered by artificial intelligence, including large language models provided by Anthropic. These features include the Insights Assistant, daily briefing summaries, VELA-SCORE™ opportunity enrichment, and automated deal recommendations.

In accordance with Article 52 of the EU AI Act (Regulation (EU) 2024/1689, transparency obligations applicable from 2 August 2026), we inform you that:

• When you interact with the Insights Assistant or receive AI-generated outputs, you are interacting with an AI system, not a human
• AI Outputs are generated by machine learning models and do not represent the professional judgement or views of Vela Cloud Ltd personnel
• AI features do not make legally binding or consequential automated decisions about you — all outputs are informational and require human review before action
• Your data is not used to train Anthropic's models; data submitted to AI features is not retained by Anthropic beyond the immediate request, in accordance with our data processing agreement with Anthropic

For the full terms governing AI features and limitations of liability for AI Outputs, see Section 7 of our Terms of Use.

8. Cookies

We use only session cookies that are strictly necessary for authentication and platform functionality. We do not use advertising cookies, cross site tracking cookies, or third party analytics cookies. For full details, see our Cookie Policy.

9. Your Rights: GDPR (EEA and UK Users)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under applicable data protection law:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate or incomplete data
• Erasure: Request deletion of your personal data (right to erasure / "right to be forgotten")
• Portability: Receive your data in a structured, machine readable format
• Restriction: Request that we limit how we process your data
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, email privacy@usevela.io. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9a. Your Rights: Israeli Residents (PPPA)

If you are located in Israel, you have the following rights under the Israeli Privacy Protection Law (also known as the Protection of Privacy Law, PPPA 5741-1981) and its regulations:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete personal information
• Deletion: Request deletion of personal information we are not legally required to retain
• Objection: Object to the use of your personal information for direct marketing purposes

Vela Cloud Ltd maintains a database of personal information as defined under the Privacy Protection Law. Database registration with the Registrar of Databases at the Israeli Privacy Protection Authority is required when a database holds 10,000 or more individuals or contains sensitive data categories. At this stage our database does not meet those thresholds (currently fewer than 10,000 individuals; no sensitive data categories) and database registration is therefore not yet required. We will complete database registration when and if those thresholds are met. To exercise any of your rights under the PPPA, contact privacy@usevela.io. We will respond within 30 days.

Israeli Privacy Protection Authority (PPA): If you believe your personal data has been processed in breach of the Israeli Privacy Protection Law, you may also lodge a complaint with the Israeli Privacy Protection Authority within the Ministry of Justice. Contact details: Israeli Privacy Protection Authority (Rashut Le'Haganat HaPratiut), 125 Begin Road, Tel Aviv 6701201, Israel. Website: gov.il/en/departments/the_privacy_protection_authority. Email: ppa@justice.gov.il.

10. Your Rights: CCPA (California Residents)

California residents have the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To submit a request, email privacy@usevela.io. We will not discriminate against you for exercising your CCPA rights.

11. Marketing Communications

We may send you product updates and feature announcements by email. You can unsubscribe at any time by clicking the unsubscribe link in any email or by contacting privacy@usevela.io. Transactional emails (billing notices, security alerts) cannot be opted out of while your account is active.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the platform at least 14 days before the change takes effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

13. Contact and Data Protection Point of Contact

For privacy related questions or to exercise any of your rights under GDPR, the UK GDPR, the Israeli Privacy Protection Law, the CCPA, or any other applicable data protection law:

Vela Cloud Ltd, operating as Vela
28 HaArba'a St, Tel Aviv 6473925, Israel
Email: privacy@usevela.io

Data protection point of contact: At our current scale, Vela Cloud Ltd is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR (our core activities do not involve large-scale systematic monitoring or large-scale processing of special category data, and we do not meet the thresholds for mandatory database registration under the Israeli Privacy Protection Law). The privacy@usevela.io mailbox is monitored by our internal privacy lead and handles all data protection enquiries, Data Subject rights requests, and supervisory authority correspondence on Vela Cloud Ltd's behalf. We will appoint a formal DPO and publish their contact details if and when DPO appointment becomes mandatory under Article 37 GDPR or equivalent law.

Right to lodge a complaint: EEA users may lodge a complaint with their local supervisory authority. UK users may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. Israeli users may contact the Israeli Privacy Protection Authority (see Section 9a). California residents may contact the California Attorney General.

13a. Compliance Documentation

Vela Cloud Ltd maintains internal compliance documentation consistent with SOC 2 Trust Service Criteria, ISO 27001 principles, and GDPR requirements. This documentation includes:

• Information Security Policy — access control, encryption standards, and vulnerability management
• Risk Assessment — annual review of technical and operational risks with documented mitigation measures
• Business Continuity Plan — recovery time objective (RTO) ≤4 hours, recovery point objective (RPO) ≤24 hours, tested annually
• Incident Response Plan — P1–P4 incident classification, 72-hour GDPR supervisory authority notification procedure, breach notification templates, and tabletop exercise schedule
• Data Subject Rights SOP — procedures for handling access, erasure, rectification, and portability requests within statutory deadlines
• DPIA Process — Data Protection Impact Assessment template and trigger criteria for high-risk processing activities
• AWS Partner Compliance — compliance documentation for AWS Partner Central program obligations

These documents are maintained internally and are available to enterprise customers under NDA and to regulatory authorities upon request. To request access or further information, contact legal@usevela.io.