Velqory

Privacy Policy

Last updated: April 30, 2026

Overview

BOUNCY ALGORITHM - UNIPESSOAL LIMITADA, trading as Velqory ("Velqory," "we," "us"), is the entity responsible for personal data collected through our products, services, and websites (collectively, the "Platform"). This Privacy Policy explains what we collect, the lawful basis on which we process it, where it is processed, who it is shared with, and the rights available to you.

By using the Platform you acknowledge you have read this policy. If you disagree with any part, do not use the Platform.

Data we collect

We collect the following categories of personal data:

  • Account data - name, work email, company name, and role when you register or contact us.
  • Usage data - pages visited, features used, session duration, and interaction events from our first-party analytics. No third-party tracking pixels.
  • Device data - browser type, operating system, and IP address (anonymized after 30 days). No cross-device fingerprinting.
  • Customer content - documents, prompts, agent configurations, and integration data you upload or create. Stored as files in a per-tenant Obsidian vault on Velqory-operated EU infrastructure. Encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Payment data - name, billing address, and VAT number for invoicing. Card data is processed exclusively by Stripe; we never see or store card numbers or CVVs.

How we use your data

We process personal data for the following purposes:

  • Service delivery - to provision your account, execute workflows, run agents, and maintain platform uptime.
  • Security - to detect and prevent unauthorized access, fraud, and abuse.
  • Service improvement - to analyze aggregated, anonymized usage patterns. Customer content is never used to train machine-learning models.
  • Communication - to send transactional messages (invoices, security alerts) and, with your consent, product updates.

We do not sell personal data. We do not use customer content to train machine-learning models. We do not share personal data with advertisers.

AI inference and where it runs

AI inference (classification, retrieval, generation, vision, and analysis) is performed on Velqory-operated infrastructure within the European Union, hosted in Portugal. Customer content does not leave the EU during processing.

We do not transmit customer content, prompts, or agent inputs to OpenAI, Anthropic, Google, or any other third-party large-language-model provider. Our inference layer runs on self-hosted models on EU hardware under our direct operational control.

AI outputs are deterministic JSON validated against schema. We do not retain raw model outputs beyond the trace window required for observability and customer audit (default 90 days, configurable).

Multi-tenant isolation

Each customer ("tenant") is isolated at the database, storage, and compute level:

  • Database - Postgres schema-per-tenant or database-per-tenant for regulated customers.
  • Storage - files live in a per-tenant Obsidian vault on the operator filesystem. No shared storage across tenants.
  • Inference - no shared inference state between tenants. No embeddings, prompts, or trace data crosses tenant boundaries.
  • Access - every API call carries a tenant scope verified at the gateway. Cross-tenant requests are rejected at the authorization layer.

Data sharing and sub-processors

We share personal data only with vetted sub-processors that are contractually bound to equivalent privacy and security standards. All sub-processors are EU-resident or process data exclusively under EU jurisdiction:

  • Hosting - Velqory-operated EU infrastructure in Portugal. No US-region or non-EU hosting is used for customer content or personal data.
  • Payments - Stripe Payments Europe, Ltd. (Ireland), PCI DSS Level 1 certified. Card data is processed under Stripe's DPA and never reaches Velqory systems.
  • Email delivery - Amen.pt SMTP infrastructure (Portugal) for transactional and contact-form messages.
  • Error monitoring - Sentry (EU region) for application-level diagnostics. No customer content is captured.

We may disclose data when required by applicable law, regulation, or court order issued by an EU member state authority.

Data retention

Account data is retained for the duration of your active subscription plus 90 days after termination, then permanently deleted unless legal-obligation retention applies (e.g. tax records: 10 years under Portuguese law).

Usage and device data is anonymized after 30 days and retained in aggregate for up to 24 months.

Customer content is exportable on demand at any time during the subscription. After termination, you have 30 days to export. Following that window, customer content is permanently deleted from production systems within 30 days and from backups within 90 days.

Your rights under the GDPR

As a data subject in the EU, you have the following rights under the GDPR:

  • Access (Art. 15) - request a copy of the personal data we hold about you.
  • Rectification (Art. 16) - correct inaccurate or incomplete data.
  • Erasure (Art. 17) - request deletion (the "right to be forgotten").
  • Restriction (Art. 18) - limit how we process your data.
  • Portability (Art. 20) - receive your data in a structured, commonly-used, machine-readable format.
  • Objection (Art. 21) - object to processing based on legitimate interest.
  • Withdraw consent (Art. 7) - at any time, where consent is the lawful basis.
  • Lodge a complaint - with the Portuguese supervisory authority (CNPD) or your local supervisory authority.

To exercise any right, contact [email protected]. We respond within 30 days.

Data breach notification

In the event of a personal data breach likely to result in risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority (Portugal: CNPD) within 72 hours of becoming aware, in accordance with Article 33 of the GDPR.

Where the breach is likely to result in high risk to data subjects, we will notify affected users without undue delay, with a description of the breach, the data categories involved, the likely consequences, and the measures taken or proposed to address it (Article 34).

Cookies and tracking

We use strictly necessary cookies for authentication, session management, locale preference, and CSRF protection. These do not require consent under the ePrivacy Directive.

Optional analytics or marketing cookies are loaded only with your explicit consent via our cookie banner. You may revoke consent at any time from the Platform settings.

We do not use third-party advertising cookies. We do not participate in cross-site tracking.

International transfers

Data location, storage, transfers, and subprocessors depend on the service, tenant configuration, DPA, and project scope. Where a cross-border transfer is required, it must rely on an appropriate legal basis and contractual safeguards.

Concrete subprocessors are identified in the applicable agreement, subprocessor list, or project documentation when they are relevant to the contracted service.

Compliance frameworks

Velqory aligns its security and privacy program with the following frameworks:

  • GDPR (Regulation EU 2016/679) - primary legal framework for processing of EU residents' personal data.
  • NIS2 Directive (EU 2022/2555) - for cybersecurity risk management and incident reporting.
  • ISO/IEC 27001 - information security management preparation and control mapping where applicable.
  • SOC 2 - operational control preparation and evidence where applicable.

Relevant security or privacy documentation may be requested from [email protected], subject to customer status, scope, and confidentiality requirements.

Changes to this policy

We may update this policy periodically. Material changes will be announced via email and an in-Platform notification at least 30 days before they take effect.

Contact

For questions, requests, or concerns regarding this Privacy Policy:

  • Email: [email protected]
  • Administrative details are provided in formal documents where required.

You may also lodge a complaint with the Portuguese data protection authority: Comissão Nacional de Proteção de Dados (CNPD), www.cnpd.pt.