Who we are
Veliro Inc. is a Delaware C-corporation with its headquarters at 525 Market Street, 23F, San Francisco, CA 94105, United States. We provide network tokenization infrastructure (the Veliro Platform) to merchants, marketplaces, processors, acquirers, and issuers.
For personal information collected through our marketing surfaces (veliro.com, sales interactions, events, and customer support), Veliro acts as a data controller. For personal information processed inside the Veliro Platform on behalf of a contracted customer, Veliro acts as a data processor under the terms of the Data Processing Addendum signed with that customer.
Our Data Protection Officer is reachable at privacy@veliro.com. EU and UK representatives are designated in the DPA appendices.
Scope of this policy
This policy describes how Veliro handles personal information across three surfaces: the marketing site at veliro.com, the Veliro Platform (API, Console, SDKs), and our sales and support interactions with prospective and contracted customers.
This policy does not govern how Veliro processes cardholder data, network tokens, cryptograms, or other PAN-derived material inside a customer’s vault. That processing is performed under the Data Processing Addendum signed with the customer; the customer remains the controller and Veliro is the processor. If you are a cardholder whose card has been tokenized on the Platform by a Veliro customer, the relevant privacy notice is your merchant’s notice, not this one.
Categories of personal information we collect
For controller activities, we collect the following categories of personal information. Categories are described using the taxonomy in the California Privacy Rights Act (CPRA) for portability across jurisdictions.
- Identifiers
- Name, business email address, employer, job title, and, where you proactively share it, a phone number for sales follow-up.
- Commercial information
- Products you have inquired about, demos attended, downloads requested, and content of sales conversations summarized in our CRM.
- Internet activity
- Pages viewed on veliro.com, referring URLs, device and browser metadata, and aggregated session analytics (PostHog, configured with input masking and IP truncation).
- Inference
- Marketing-segment categorization derived from the above: for example, the inferred buying stage and the team you are likely on.
- Professional information
- For contracted users of the Veliro Platform: your role, named access scopes, and last sign-in timestamp. Provided by your employer when your account is created.
We do not intentionally collect special categories of personal information (race, religion, health, biometric identifiers, precise geolocation, or contents of personal communications) through the marketing site or the Platform Console.
Sources of personal information
We receive personal information from four sources:
- You, when you submit a form, request a demo, sign a contract, attend an event we host, or correspond with our sales or support teams.
- Your employer, when they provision a Platform account for you under their contracted tenant.
- Third-party enrichment providers, including Clearbit and ZoomInfo, to confirm employer, industry, and publicly listed role.
- Third-party identity providers, where you choose to authenticate to the Veliro Console using an OAuth flow (Google Workspace, Microsoft Entra ID, or Okta).
We do not buy personal information from data brokers, and we do not engage in any activity that meets CCPA’s definition of selling personal information.
How we use personal information
We use personal information for narrowly defined purposes. Each purpose maps to one of the legal bases listed in the next section.
- Deliver the Platform. Provision tenants, authenticate users, deliver the API and Console, and operate the support channel.
- Respond to inquiries. Reply to contact, demo, and sales requests, and route them to a named account team.
- Transactional communications. Send service notices, security advisories, status-page updates, subprocessor change notifications, billing notices, and other communications necessary to the contract.
- Marketing communications. Send curated marketing email only where you have consented or where soft-opt-in rules under the applicable jurisdiction permit. One-click unsubscribe in every message.
- Fraud and security analytics. Detect abuse, rate-limit hostile traffic, investigate suspected account takeover, and respond to security incidents.
- Legal obligations. Tax, accounting, anti-money-laundering screening for paid contracts, and response to lawful government requests.
- Aggregated analytics. Improve the Platform and the marketing site using aggregated, anonymized metrics. We do not use these for individual decisions.
Legal bases under GDPR / UK GDPR
Where the GDPR or UK GDPR applies, we rely on the following legal bases for our controller processing activities:
- Consent · Art. 6(1)(a)
- For marketing communications, optional analytics cookies, and any data processing you have proactively opted into. You may withdraw consent at any time.
- Contract performance · Art. 6(1)(b)
- For provisioning Platform access, authenticating users, and operating the support channel for contracted customers.
- Legitimate interests · Art. 6(1)(f)
- For aggregated analytics, fraud and security monitoring, and proportionate B2B sales outreach to professional contacts. We document the balancing test for each use and adjust the processing if your rights override our interest.
- Legal obligation · Art. 6(1)(c)
- For tax, accounting, AML screening, and other obligations arising under applicable law.
Disclosures of personal information
Personal information is disclosed to three groups of recipients, in each case under contract and only for the purposes listed above:
- Subprocessors listed in full on the subprocessors page. Each is bound by our DPA and is reviewed annually.
- Professional advisors (legal, accounting, audit) under non-disclosure agreements, where their work requires limited access to personal information.
- Government authorities, only when we are legally compelled by a binding order issued under valid jurisdiction, and only after we have reviewed the request against our published government-request policy.
We do not sell personal information as that term is defined under CCPA, CPRA, or similar US state laws. We do not share personal information for cross-context behavioral advertising. We do not provide personal information to third parties for their independent marketing use.
International transfers
Veliro is headquartered in the United States. Personal information collected through the marketing site and the Console is processed in the United States, as documented on the encryption and data residency page.
For transfers out of the European Economic Area and the United Kingdom, we rely on the EU Standard Contractual Clauses (Module 2 or 3 as appropriate), the UK International Data Transfer Addendum, and, where applicable, the EU-US Data Privacy Framework and its UK Extension.
For transfers out of APAC jurisdictions, we use standard contractual clauses aligned to local guidance (PDPC for Singapore, OAIC for Australia). Cardholder data processed in the Veliro vault is governed separately under the DPA.
Retention
We retain personal information only as long as necessary for the purpose for which it was collected, then delete or de-identify it. Specific retention schedules:
- Marketing contacts
- 24 months from your last engagement (email open, site visit, or sales conversation), then deleted.
- Platform telemetry
- 13 months in identifiable form for capacity planning and security investigations, then aggregated.
- Signed lifecycle events
- Per the customer contract; the default is 7 years to support cardholder dispute and tax-audit windows.
- Support tickets
- 36 months from ticket close, then anonymized.
- Deletion requests
- Verified requests are honored within 30 days, except where retention is required by law or to enforce our agreements.
Your rights
Under GDPR, UK GDPR, and similar regimes, you have the right to access, rectify, erase, restrict the processing of, and port your personal information, as well as to object to processing carried out under our legitimate interests and to withdraw consent where processing is based on it.
Under the CCPA and CPRA, California residents have the right to know what personal information we hold, to delete it, to correct inaccuracies, and to opt out of the sale or sharing of personal information. Because Veliro does not sell or share personal information for cross-context behavioral advertising, no opt-out mechanism is required for this purpose. You may also designate an authorized agent to act on your behalf.
Submit a request at privacy@veliro.com or via the trust center. We will verify your identity using information already on file and respond within 30 days (extendable by a further 60 days for complex requests, with written notice).
Children’s privacy
The Veliro marketing site and the Veliro Platform are directed at professional audiences in business contexts. We do not intentionally market to anyone under the age of 16, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected personal information from a child, contact us at privacy@veliro.com and we will delete it promptly.
Security
Our security posture (compliance roadmap: SOC 2 Type II, PCI DSS v4.0 Level 1, and ISO/IEC 27001, all in progress; plus vault tenancy, encryption, and incident response) is documented in full on the Security & trust page. Personal information collected for controller purposes is held under the same security regime, with access restricted on a need-to-know basis and audited continuously.
Changes to this policy
Material changes to this policy are announced at least 30 days before they take effect. Notice is given on this page and via a banner on veliro.com. Active customers and recipients of marketing communications also receive notice by email. Non-material changes (clarifications, typographical corrections) are made on the effective date and noted in the changelog at the bottom of this page.
Contact
For any privacy-related question or request, including the exercise of your rights described above, contact our Data Protection Officer at privacy@veliro.com. Postal correspondence may be addressed to:
Veliro Inc.
Attn: Data Protection Officer
525 Market Street, 23F
San Francisco, CA 94105
United States
If you are in the EU, you have the right to lodge a complaint with your local supervisory authority. If you are in the UK, the supervisory authority is the Information Commissioner’s Office. We would, of course, prefer to address any concern with you first.
Changelog
- v3.1 · 2026‑04‑15
- APAC transfer language; subprocessor cross-reference to Security; trust center link in Your rights.
- v3.0 · 2026‑01‑10
- CPRA category taxonomy; cookie consent categories aligned with Console boundary.