Privacy Policy

Last updated: April 3, 2026

Contents

  1. Overview
  2. Data We Collect
  3. How We Use It
  4. Data Sharing
  5. Data Retention
  6. Your Rights
  7. Security
  8. Cookies
  9. International Transfers
  10. Data Residency
  11. HIPAA & Healthcare
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact Us

Privacy questions? We respond within 2 business days.

privacy@velaro.com

Overview

Velaro, Inc. ("Velaro," "we," "us," or "our") operates a B2B customer engagement platform - including live chat, AI chatbots, and contact center software - used by businesses to communicate with their own customers. This Privacy Policy explains what personal data we collect, how we use it, and what rights you have with respect to your information.

This policy covers:

  • Customers - businesses that subscribe to Velaro's platform
  • End users - individuals who interact with Velaro-powered chat widgets on customer websites
  • Visitors - people who visit velaro.com

If you are an end user seeking help with a specific chat conversation, your primary relationship is with the business that deployed Velaro, not with Velaro directly. Please contact that business to exercise data rights related to your conversation history.

Data We Collect

Account & Registration Information

When a business creates a Velaro account, we collect:

  • Company name, address, and billing information
  • Account owner name, email address, and phone number
  • Agent user names, email addresses, and role assignments
  • Payment method details (processed by PCI-compliant payment processors; we do not store raw card numbers)

Chat & Conversation Data

When visitors interact with a Velaro-powered chat widget, we process:

  • Chat transcripts - the full text of conversations between visitors and agents or bots
  • Visitor-provided information (name, email, phone) if collected during the chat flow
  • Timestamps, session duration, and channel metadata (live chat, SMS, email, social)
  • CSAT ratings and survey responses
  • Bot interaction logs, intent classifications, and escalation events

Usage & Platform Data

As part of delivering and improving the service, we collect:

  • Agent activity logs (login times, conversations handled, response metrics)
  • Platform configuration data (routing rules, widget settings, automation workflows)
  • API call logs and integration activity
  • Error logs and performance telemetry

Visitor & Website Data

When you visit velaro.com, we collect standard web analytics data:

  • IP address (anonymized after processing), browser type, and operating system
  • Pages visited, time on site, and referring URL
  • Form submissions (demo requests, contact inquiries)

How We Use It

Service Delivery

The primary use of all data collected through the platform is to deliver the service you subscribed to - routing conversations, operating bots, generating transcripts, and enabling agent workflows. We do not use customer conversation data for any purpose other than operating and improving the service.

Product Improvement

We analyze aggregated, de-identified usage patterns to improve the platform - understanding which features are used, where agents encounter friction, and how bot performance can be improved. This analysis does not identify individual users.

Communications

We use your account email to send:

  • Transactional messages (receipts, password resets, service alerts)
  • Product updates and release notes
  • Renewal reminders and billing notifications

Marketing emails are opt-in. You can unsubscribe at any time using the link in any marketing email or by emailing privacy@velaro.com.

Security & Compliance

We use access logs and activity data to detect abuse, investigate security incidents, and meet our legal obligations.

Data Sharing

We do not sell your data. Velaro has never sold personal data and does not intend to. We do not share personal data with third parties for their own marketing or advertising purposes.

We share data only in the following circumstances:

Service Providers

We use a limited set of third-party vendors to operate the platform - cloud infrastructure (Microsoft Azure), payment processing, email delivery, and error tracking. These vendors are contractually bound to process data only on our behalf and may not use it for their own purposes. A current sub-processor list is available on request at privacy@velaro.com.

Legal Requirements

We will disclose personal data if required by law, subpoena, court order, or government request - or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Velaro, our customers, or the public. We will notify affected customers promptly when legally permitted to do so.

Business Transfers

In the event of a merger, acquisition, or sale of assets, customer data may be transferred to the successor entity. We will notify affected customers via email and provide 30 days' notice before any such transfer completes.

Data Retention

Default data retention for conversation transcripts, contact records, and usage data is 2 years from the date of creation. Customers may configure shorter or longer retention periods within their account settings, subject to the following:

  • Growth and Professional plans: Minimum 90 days, maximum 3 years
  • Enterprise plans: Fully configurable, including indefinite retention or automatic purge on custom schedules

When a subscription ends, customer data is retained for 60 days to allow for data export, then permanently deleted. Account billing records are retained for 7 years as required by law.

You may request early deletion of your data at any time. See Your Rights below.

Your Rights

Your rights vary by jurisdiction. We honor the following regardless of where you are located:

  • Access: Request a copy of the personal data we hold about you, in a portable format.
  • Deletion: Request deletion of your personal data. We will comply within 30 days, subject to legal retention requirements.
  • Correction: Request correction of inaccurate or incomplete personal data we hold about you.
  • Portability: Receive your data in a structured, machine-readable format (JSON or CSV) for transfer to another provider.
  • Objection: Object to processing of your data for certain purposes, including direct marketing.
  • Restriction: Request that we restrict processing of your data while a dispute or request is being resolved.

GDPR (European Users)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent legislation. Our lawful basis for processing is typically performance of a contract (for service delivery), legitimate interests (for product improvement and security), or consent (for marketing). You also have the right to lodge a complaint with your local data protection authority.

CCPA (California Residents)

California residents have the right to know what personal information we collect and how it is used, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights.

To submit a CCPA request, email privacy@velaro.com with the subject line "CCPA Request." We will respond within 45 days.

How to Submit a Request

Email privacy@velaro.com with your name, account email, and a description of your request. We will verify your identity and respond within 30 days. Complex requests may take up to 60 days; we will notify you if additional time is needed.

Security

We take security seriously. Velaro is hosted entirely on Microsoft Azure and implements the following controls:

  • Encryption in transit: All data transmitted to and from the platform uses TLS 1.2 or higher
  • Encryption at rest: All stored data is encrypted using AES-256
  • Access controls: Role-based access control, multi-factor authentication for all internal systems, and least-privilege principles for service accounts
  • Vulnerability management: Regular penetration testing and automated dependency scanning
  • Incident response: Documented incident response plan with customer notification within 72 hours of confirmed breach affecting customer data
  • SOC 2 Type II: Audit in progress. Customers may request our current security documentation and controls summary by emailing privacy@velaro.com

We never store agent passwords in plain text. All credentials are hashed using bcrypt with a minimum cost factor of 12. API keys are stored as salted SHA-256 hashes and displayed only once at creation.

Cookies

Velaro uses cookies on velaro.com and within the chat widget. We use only the following categories:

Strictly Necessary

Required for the service to function - session management, authentication tokens, and CSRF protection. These cannot be disabled without breaking the service.

Analytics

We use first-party analytics to understand how visitors use velaro.com. This data is aggregated and not linked to individual identities. We do not use Google Analytics or any third-party analytics that track users across sites.

What We Do Not Use

We do not use advertising cookies, retargeting pixels, or any cookies that track your behavior across other websites. You will not see Velaro ads following you around the internet.

You can manage cookie preferences through your browser settings. Disabling analytics cookies does not affect platform functionality.

International Data Transfers

Velaro is headquartered in the United States. If you access the platform from outside the US, your data will be transferred to and processed in the United States. We ensure lawful transfer mechanisms are in place:

  • EU-US Data Privacy Framework: Velaro participates in the EU-US Data Privacy Framework for transfers from the European Economic Area
  • Standard Contractual Clauses (SCCs): For transfers not covered by the Data Privacy Framework, we use the European Commission's approved SCCs
  • UK transfers: Covered by the UK IDTA (International Data Transfer Agreement) addendum

Customers requiring a Data Processing Agreement (DPA) for GDPR compliance may request one at privacy@velaro.com.

Data Residency

By default, all customer data is stored in Microsoft Azure US East and US West data centers.

Customers on qualifying Enterprise plans may elect regional data residency:

  • European Union: Azure West Europe (Netherlands) and North Europe (Ireland)
  • United Kingdom: Azure UK South and UK West
  • Other regions: Available upon request - contact your account manager

Data residency options are configured at account provisioning. Migrations between regions are supported on request and typically complete within 30 business days.

HIPAA & Healthcare

Velaro's standard platform is not configured for HIPAA compliance by default. Healthcare organizations handling Protected Health Information (PHI) must use the HIPAA package described below.

Velaro offers a HIPAA-compliant package for healthcare customers. This package includes:

  • A signed Business Associate Agreement (BAA)
  • HIPAA-specific data handling controls including PHI field masking in transcripts
  • Audit logging meeting HIPAA administrative safeguard requirements
  • Restricted data retention configurations aligned with HIPAA requirements
  • Staff trained on HIPAA obligations for data access and handling

To request a BAA or learn more about the HIPAA package, contact privacy@velaro.com or call 800-983-5276.

Children's Privacy

Velaro's platform is not directed at children under the age of 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@velaro.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy as our practices change or as required by law. When we make material changes, we will:

  • Post the updated policy at velaro.com/privacy with a new "Last updated" date
  • Send a notification email to account owners at least 30 days before changes take effect
  • For material changes that expand our use of personal data, obtain consent where required

Your continued use of the platform after the effective date of changes constitutes acceptance. If you disagree with a change, you may terminate your subscription in accordance with the Terms of Service.

Contact Us

For privacy inquiries, data subject requests, or to request a DPA or BAA:

  • Email: privacy@velaro.com
  • Phone: 800-983-5276
  • Mail: Velaro, Inc., Attn: Privacy Team, 1 West Elm Street, Suite 300, Conshohocken, PA 19428

We aim to respond to all privacy requests within 2 business days and to resolve them within 30 days.
