Privacy Policy

Last Updated:

VELUM Labs ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

1. Information We Collect

Our Privacy-First Approach

VELUM Labs is built on a privacy-first architecture. We collect only the minimum information necessary to provide our services and protect your privacy through homomorphic encryption.

Personal Information

We collect personal information that you voluntarily provide to us when you:

•Register for an account
•Use our homomorphic encryption (FHE) services
•Submit training jobs or datasets
•Contact our support team
•Subscribe to our newsletter or communications (optional)

This information is limited to:

•Account Information: Email address, name (optional), username
•Authentication: Securely hashed passwords (we never store plaintext passwords)
•Organization Details (Optional): Company name, role
•Billing Information: Processed by our payment processor (Stripe); we do not store full credit card numbers
•Support Communications: Only when you contact us for assistance

Automatically Collected Information

We minimize automatic data collection. When you access our platform, we collect only essential technical information:

•Technical Data: IP address (anonymized after 30 days), browser type, operating system
•Usage Data: Pages visited, features used (aggregated and anonymized)
•Security Logs: Access times, error logs, API calls (retained for security purposes only)
•Essential Cookies: Only cookies necessary for authentication and security (no tracking or advertising cookies)

Encrypted Data and Model Information

When you use our FHE platform:

•We process encrypted data on your behalf without decrypting it
•We store metadata about your training jobs and models
•We collect performance metrics and computational statistics
•We maintain logs of API requests and system interactions

Important: Due to the nature of homomorphic encryption, we cannot access the content of your encrypted data. Your data remains encrypted end-to-end.

2. How We Use Your Information

We use your information only for specified, legitimate purposes and practice strict data minimization:

Service Delivery (Primary Purpose)

•Provide, operate, and maintain our FHE platform
•Process your computational jobs on encrypted data (we cannot access plaintext)
•Authenticate and manage your account securely
•Provide customer support when you request it

Service Improvement (Aggregated Data Only)

•Analyze aggregated, anonymized usage patterns to improve performance
•Develop new features based on anonymized feedback
•Optimize computational efficiency using non-personal metrics
•Conduct privacy-preserving research (no personal data used)

Essential Communications Only

•Send critical security alerts and service updates
•Provide technical notifications affecting your account
•Respond to your inquiries and support requests
•Marketing: Only with explicit opt-in consent (you can opt-out anytime)

Legal and Security (When Required)

•Comply with legal obligations only when legally required
•Enforce our terms to protect the platform and users
•Prevent fraud and unauthorized access
•Maintain system security and integrity

We do not:

•Sell your personal information (ever)
•Use your data for advertising
•Share your information with third parties except as explicitly stated
•Process your encrypted computational data (cryptographically impossible)

3. Data Sharing and Disclosure

We do not and will never sell your personal information.

We share your information only in limited circumstances and with strict protections:

Service Providers (Minimal and Necessary)

We share information only with carefully vetted service providers who are essential for our services:

•Amazon Web Services (AWS) - Cloud infrastructure (your encrypted data is stored; plaintext is cryptographically inaccessible)
•Stripe - Payment processing only (we do not store full payment card data)

These providers are:

•Contractually bound to protect your information
•Prohibited from using your data for any other purpose
•Subject to strict security and privacy requirements
•Regularly audited for compliance

We do not use:

•Marketing or advertising platforms
•Data brokers or analytics services that access personal information
•Social media tracking or third-party cookies

Legal Requirements (Only When Legally Compelled)

We may disclose your information only when legally required:

•Valid legal processes only: Court orders, warrants, or subpoenas with proper jurisdiction
•Notice to you: We will notify you of legal requests unless prohibited by law
•Minimum disclosure: We disclose only what is legally required, nothing more
•Transparency: We challenge overly broad or improper requests
•Encrypted data protection: Your encrypted computational data cannot be decrypted by us or law enforcement

We will exhaust all legal options to protect your privacy before disclosing information.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

With Your Consent

We may share your information for other purposes with your explicit consent.

4. Data Security

We implement industry-standard security measures to protect your information:

•Encryption: Data in transit is encrypted using TLS 1.3; data at rest uses AES-256 encryption
•Access Controls: Role-based access controls and multi-factor authentication
•Infrastructure Security: Secure cloud infrastructure with regular security audits
•Homomorphic Encryption: Your computational data remains encrypted end-to-end
•Monitoring: Continuous monitoring for security threats and anomalies

Despite our efforts, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We practice strict data minimization and delete data as soon as it's no longer needed:

•Account Information: Retained while your account is active; deleted within 30 days of account closure
•IP Addresses: Anonymized after 30 days
•Usage Data: Aggregated and anonymized within 90 days; personal identifiers removed
•Encrypted Computational Data: Under your complete control; deleted immediately upon request or within 30 days of account closure
•Support Communications: Deleted after 12 months unless ongoing issue requires retention
•Security Logs: Retained for 90 days for security purposes, then permanently deleted
•Backup Data: Deleted from backups within 60 days

Your Right to Deletion:

•Request deletion at any time by contacting privacy@velum-labs.com
•We will delete your data within 10 business days of verification
•You will receive confirmation of deletion with details of what was deleted
•Legal retention requirements (if any) will be clearly explained

6. Your Privacy Rights

We grant comprehensive privacy rights to all users, regardless of location:

Access and Portability

•Request access to all personal information we hold about you
•Download your data in structured, machine-readable format (JSON/CSV)
•Response time: Within 10 business days

Correction and Update

•Correct any inaccurate or incomplete information
•Update your account settings and preferences at any time
•Self-service: Most updates available through your account dashboard

Deletion ("Right to be Forgotten")

•Request deletion of all your personal information
•Account closure with complete data removal
•Processing time: Deletion within 10 business days
•Confirmation: Detailed deletion report provided

Restriction and Objection

•Restrict processing of your personal information
•Object to processing for specific purposes
•Opt-out of all marketing communications (one-click unsubscribe)
•No tracking: We don't use advertising or tracking cookies

Withdrawal of Consent

•Withdraw consent at any time for processing based on consent
•No penalties: Withdrawal will not affect service delivery

Data Export

•Export all your data including models, datasets, and metadata
•Standard formats for easy migration to other platforms

Privacy Dashboard

Access your privacy dashboard at any time to:

•View what data we hold about you
•Download your information
•Delete specific data categories
•Manage communication preferences
•Review data access logs

To exercise these rights: Email privacy@velum-labs.com or use your privacy dashboard.
Response time: 10 business days maximum
No fees: All privacy rights requests are free

7. International Data Transfers

Our services are operated in the United States. If you access our platform from outside the U.S., your information may be transferred to, stored, and processed in the U.S. or other countries.

We ensure adequate protections for international transfers through:

•Standard contractual clauses approved by relevant authorities
•Adherence to applicable data protection frameworks
•Organizational and technical security measures

8. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover that we have collected information from a child, we will promptly delete it.

9. Cookies and Tracking Technologies

We use minimal, essential cookies only and do not track you:

Essential Cookies Only

We use strictly necessary cookies for:

•Session management and secure authentication
•Security protection against CSRF and similar attacks
•User preferences (e.g., theme, language)

What We DON'T Use

We do not use:

•Advertising cookies - None, ever
•Tracking cookies - We don't track you across sites
•Analytics cookies - No third-party analytics that identify you
•Social media cookies - No Facebook, Google, or other social tracking

Cookie Control

•All our cookies are essential for security and functionality
•You can clear cookies through browser settings
•Disabling essential cookies will prevent login but we respect your choice
•No consent banner needed: We don't use tracking cookies

Transparency

Current cookies used:

•session_token - Authentication (expires after 24 hours)
•csrf_token - Security protection
•preferences - Your UI preferences (optional)

That's it. No hidden tracking.

10. Third-Party Links

Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

•Posting the updated policy on our website
•Updating the "Last Updated" date
•Sending email notifications for significant changes

Your continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:

VELUM Labs
Privacy Team: privacy@velum-labs.com
Data Protection Officer: dpo@velum-labs.com
Security: security@velum-labs.com

Response times:

•Privacy rights requests: Within 10 business days
•Security concerns: Within 24 hours
•General inquiries: Within 3 business days

We are committed to protecting your privacy and will respond promptly to all inquiries.