Privacy Policy

Last updated: February 24, 2026

1. Introduction

Veluvanto s.r.o. ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use Veluvanto services, in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and Czech Act No. 110/2019 Coll. on Personal Data Processing.

2. Data Controller

The data controller for your personal data is:

Veluvanto s.r.o.
Registered office: Korunní 2569/108, Vinohrady, 101 00 Praha 10
IČO: 249 15 122
Email: privacy@veluvanto.com

Data Protection Officer (DPO): We have determined that appointment of a Data Protection Officer is not mandatory under Article 37 GDPR given the nature and scale of our processing activities (we do not process special categories of data at scale, are not a public authority, and do not carry out large-scale systematic monitoring). For all privacy matters, contact us at privacy@veluvanto.com.

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account Data

  • Email address, name, and profile picture (from your Google account when you sign in via Google OAuth or your Microsoft account when you sign in via Microsoft OAuth)
  • Account settings and preferences

3.2 Document Data

  • Files you upload to the service (documents, invoices, contracts, etc.)
  • Metadata extracted from documents (dates, entities, amounts, tags)
  • AI-generated summaries, translations, and categorizations of your documents

3.3 Usage Data

  • Features used, actions taken, and interactions with the service
  • AI credits consumed and subscription status

3.4 Technical Data

  • IP address, browser type and version, device type and operating system
  • Session identifiers and access logs
  • Timestamps of actions for security and audit purposes

3.5 Payment Data

  • Billing address and transaction records (payment card details are processed directly by Paddle.com Market Limited, our Merchant of Record, and are not stored by us)

Obligation to provide data (Art. 13(2)(e) GDPR): Providing your email address and account data is a contractual requirement — without it, you cannot create an account or use the service. Providing payment data is required to access paid plans. Providing document content is voluntary; you choose what to upload. You are not legally obliged to provide any of the above, but failure to provide required data will mean we cannot provide the service to you.

4. Legal Bases for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

Purpose Legal Basis GDPR Article
Providing and operating the service Performance of a contract Art. 6(1)(b)
User authentication (Google OAuth) Performance of a contract Art. 6(1)(b)
User authentication (Microsoft OAuth) Performance of a contract Art. 6(1)(b)
Payment processing and billing Performance of a contract Art. 6(1)(b)
Sending service-related communications Performance of a contract Art. 6(1)(b)
Security, fraud prevention, access logging Legitimate interests Art. 6(1)(f)
Service improvement and analytics Legitimate interests Art. 6(1)(f)
Legal obligations (tax records, etc.) Legal obligation Art. 6(1)(c)
Marketing communications (if you opt in) Consent Art. 6(1)(a)

5. AI Processing of Your Documents

Your documents are processed using AI technology to provide features including automatic categorization, full-text search, metadata extraction, summarization, translation, and the AI chat assistant.

Your documents are never used to train AI models. AI processing is performed solely to provide the service to you. Our AI provider (Google LLC via Vertex AI) acts as our data processor under a Google Cloud Data Processing Addendum and is contractually prohibited from using your data to train or improve its AI models.

EU data residency for AI processing: AI inference for document analysis, semantic search, translation, summarization, and AI chat is performed via Google Cloud Vertex AI, configured to use EU data center regions (europe-west). Document content sent for AI processing does not leave the European Economic Area.

AI processing constitutes automated processing of personal data. For consumers using for your documents. For consumers using Veluvanto for personal use, Veluvanto s.r.o. acts as the data controller for your documents. For business customers who upload documents containing personal data of third parties (e.g., employee data, customer invoices), Veluvanto s.r.o. acts as a data processor on the Controller's behalf. See our Data Processing Agreement for details on B2B processing arrangements.

For further information about our AI systems, see our AI Transparency Notice.

6. Data Storage and Security

We take the security of your data seriously:

  • All documents and data are stored on Backblaze B2 object storage in EU data centers (Amsterdam, Netherlands); Backblaze holds SOC 2 Type II certification
  • Application servers run on Hetzner Online GmbH infrastructure in EU data centers (Germany/Finland); Hetzner holds ISO/IEC 27001:2022 certification (valid 2025–2028)
  • Data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • We implement strict access controls and audit logging
  • Regular security assessments and updates
  • Access to personal data is restricted to authorized personnel on a need-to-know basis

Personal Data Breach Notification (Art. 33 and 34 GDPR)

a) Notification to the Supervisory Authority (Art. 33 GDPR)
In the event of a personal data breach, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

b) Notification to Data Subjects (Art. 34 GDPR)
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will notify the affected individuals without undue delay. The notification will be described in clear and plain language and will contain at least information about the nature of the breach, its likely consequences, and the measures taken or proposed to mitigate its effects. Where individual notification would require disproportionate effort, we will ensure equally effective communication by means of a public announcement or similar measure.

7. Data Sharing and Sub-Processors

We do not sell your personal data. We may share your information only in the following cases:

7.1 Sub-Processors

We use the following third-party service providers that may process your personal data:

  • Google LLC — Identity provider (Google OAuth login); data transfers to the US are covered by Standard Contractual Clauses (SCCs)
  • Microsoft Corporation — Identity provider (Microsoft OAuth login); data processing governed by Microsoft's Data Protection Addendum
  • Paddle.com Market Limited — Payment processing and billing (Merchant of Record); data transfers to the UK are covered by the UK Adequacy Decision
  • Google LLC (Vertex AI) — AI model inference (Gemini models) for document processing, semantic search, AI chat, translation, and summarization; processing configured to remain within EU Google Cloud regions (europe-west); subject to Google Cloud Data Processing Addendum; API data not used for model training by default
  • Backblaze, Inc. (B2 Cloud Storage) — Primary object storage for documents and backups; data stored exclusively in the EU (Amsterdam, Netherlands); SOC 2 Type II certified; Backblaze Privacy Policy
  • IDrive, Inc. (e2 Cloud Storage) — Disaster recovery object storage for documents and backups; data stored exclusively in the EU (Frankfurt, Germany); SOC 2 certified; no minimum storage duration
  • Hetzner Online GmbH — Cloud infrastructure and application servers; data stored exclusively in the EU (Germany/Finland); ISO/IEC 27001:2022 certified
  • Collabora Online — Document viewing and rendering software deployed on our own infrastructure (WOPI protocol); document content is processed entirely within our servers and never leaves our infrastructure; Collabora Productivity Ltd. has no access to your data; no international data transfer occurs
  • Cloudflare, Inc. — Content delivery network (CDN) and security services (DDoS protection, performance optimization); processes HTTP request metadata (IP address, user-agent, timestamps); data transfers to the US are covered by Standard Contractual Clauses (SCCs)

7.2 Legal Requirements

We may disclose your data if required to do so by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights or the safety of others.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

8. International Data Transfers

We store and process your data primarily within the European Union. The table below describes the data residency for each sub-processor:

  • Backblaze, Inc. (B2 Cloud Storage — primary storage): All documents, user data, and backups are stored on Backblaze B2 in the EU (Amsterdam, Netherlands). No international transfer.
  • IDrive, Inc. (e2 Cloud Storage — disaster recovery storage): Backup copies of documents and data are stored on IDrive e2 in the EU (Frankfurt, Germany). IDrive, Inc. is a US company; data transfers are covered by Standard Contractual Clauses (SCCs).
  • Hetzner Online GmbH (infrastructure): Application servers and compute infrastructure are hosted exclusively in Germany/Finland. No international transfer.
  • Google LLC (Vertex AI — AI processing): Document content is processed via Google Cloud Vertex AI configured to EU regions (europe-west). No transfer outside the EEA occurs for AI inference.
  • Google LLC (OAuth authentication): Your email and Google profile are shared with Google during sign-in. Transfer to the US is covered by Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914).
  • Paddle.com Market Limited (payments): Billing address and transaction data are shared with Paddle for payment processing. Transfer to the UK is covered by the UK Adequacy Decision.
  • Cloudflare, Inc. (CDN / security): HTTP request metadata (IP address, user-agent, timestamps) is processed by Cloudflare. Transfer to the US is covered by SCCs.
  • Collabora Online (document rendering): Collabora Online is deployed and operated entirely on our own infrastructure in the EU. Document content is processed locally for in-browser rendering and never leaves our servers. Collabora Productivity Ltd. has no access to your data. No international data transfer occurs.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@veluvanto.com.

9. Your Rights Under GDPR

Under GDPR (Chapter III), you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data we hold
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to Erasure / Right to be Forgotten (Art. 17): Request deletion of your data
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON or ZIP archive containing your documents and metadata). Contact us to request an export.
  • Right to Object to legitimate interest processing (Art. 21(1)): Object to processing based on our legitimate interests (e.g. security, analytics). We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Object to direct marketing (Art. 21(2)): You have an absolute right to object to processing of your personal data for direct marketing purposes at any time, with no exceptions. We will stop immediately upon objection.
  • Right to Restriction (Art. 18): Request limitation of processing in certain circumstances
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior lawful processing
  • Right not to be subject to automated decision-making (Art. 22): See Section 10 below

To exercise any of these rights, contact us at privacy@veluvanto.com. We will respond within 1 month. We may need to verify your identity before fulfilling your request.

Your Right to Object to Legitimate Interest Processing (Art. 21(4) GDPR): Where we process your data on the basis of our legitimate interests (Art. 6(1)(f) GDPR — including security, fraud prevention, and service analytics), you have the right to object at any time. Upon objection, we will cease such processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. To exercise this right, contact privacy@veluvanto.com.

Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In the Czech Republic, this is:

Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27, 170 00 Praha 7
Website: www.uoou.cz
Email: posta@uoou.cz

10. Automated Processing and Profiling

Veluvanto uses automated AI processing to identify and extract metadata (dates, entities, categories, amounts). This automated processing:

  • Is performed solely to provide the service to you
  • Does not produce legal effects or similarly significantly affect you
  • Does not constitute profiling for marketing or decision-making purposes

You can correct any inaccurate AI-generated metadata at any time in the document detail view. For more information on our AI systems and their limitations, see our AI Transparency Notice.

11. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Specific retention periods:

  • Account data and documents: Retained until account deletion. Upon account deletion, data is permanently deleted within 30 days.
  • Billing records: Retained for 10 years as required by Czech accounting law (Act No. 563/1991 Coll.).
  • Security and access logs: Retained for 12 months.
  • Usage data (features used, AI credits consumed, interactions): Retained for 24 months, then aggregated or deleted.
  • AI-generated metadata (summaries, tags, extracted entities): Retained for the lifetime of the associated document. Deleted together with the document.
  • Marketing consent: Until you withdraw consent.
  • Accounts terminated due to storage overage: Accounts terminated due to prolonged storage overage (as described in Section 19 of the Terms of Service) — all personal data and documents are permanently deleted within 30 days of termination, in accordance with GDPR Article 17.

Documents moved to Trash are retained for 30 days before permanent deletion.

12. Cookies

We use cookies and similar technologies. We use only strictly necessary cookies required for the operation of the service (session management and authentication). We do not use tracking cookies or third-party advertising cookies. For detailed information, see our Cookie Policy.

13. Children's Privacy

Our service is not directed to children under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email and by posting the new policy on this page with an updated "Last updated" date, at least 30 days before the changes take effect. For significant changes to how we process your data, we will seek fresh consent where required.

15. Contact Us

For any questions about this Privacy Policy, to exercise your rights, or for any data protection concerns:

Veluvanto s.r.o.
Korunní 2569/108, Vinohrady, 101 00 Praha 10
Email: privacy@veluvanto.com