Velmora← Back

Privacy Policy

Last updated: 1 May 2026

Velmora ("Velmora", "we", "us") respects your privacy. This policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and Swiss nFADP.

1. Who we are

Velmora is operated as an individual / small business. Contact: hello@getvelmora.net

2. Data we collect

  • Account data — email address and hashed password (via Supabase Auth).
  • Preferences — topics, tone, language, timezone, and optional onboarding context you enter.
  • Reflections — text you write in response to your daily letters. Stored to improve personalisation.
  • Feedback ratings — "Resonated / So-so / Didn't land" per letter.
  • Delivery metadata — email send status, timestamps, channel used.
  • Usage events — anonymous event log (letter read, feedback submitted, etc.).
  • Subscription data — plan status, billing period (managed by Stripe; we do not store card details).
  • Optional: phone number — only if you enable WhatsApp delivery.

3. How we use your data

  • Generating and delivering your daily personalised letter.
  • Improving letter quality over time through AI learning signals.
  • Processing subscription payments via Stripe.
  • Sending transactional emails (letters, account confirmation).
  • Operating and improving the service.

We do not sell your data. We do not use it for advertising.

4. AI processing

Your reflections and preferences are processed by OpenAI's API to generate personalised letter content and AI responses. Per OpenAI's data usage policy for API customers, your data is not used to train OpenAI models. Reflection content sent to OpenAI is truncated to 150 characters per entry.

5. Third-party processors

ProcessorPurposeLocation
SupabaseDatabase, authenticationEU (AWS eu-central-1)
OpenAIAI letter generationUSA
ResendEmail deliveryUSA/EU
StripePayment processingUSA/EU
VercelApplication hostingUSA/EU

6. Cookies

We use session cookies only — set by Supabase Auth to maintain your login session. No tracking cookies. No third-party advertising cookies.

7. Data retention

  • Your data is retained for as long as your account is active.
  • After account deletion, data is removed within 30 days.
  • Stripe may retain billing records for longer per their legal obligations.

8. Your rights (GDPR / nFADP)

You have the right to:

  • Access — request a copy of all data we hold about you.
  • Correction — update inaccurate data (most fields editable in Settings).
  • Deletion — delete your account and all associated data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing in certain circumstances.

To exercise any right, contact us at hello@getvelmora.net. We will respond within 30 days.

9. Security

All data is encrypted in transit (TLS) and at rest. Access is restricted by row-level security policies. Service credentials are never exposed to the client.

10. Changes to this policy

We may update this policy. Material changes will be communicated by email. Continued use of the service after changes constitutes acceptance.

11. Contact

Questions? Email us at hello@getvelmora.net.