Privacy Policy

Version 7 — Effective: July 8, 2026

1. Data Controller

Vellu.AI
Business ID: 3618524-6
Email: privacy@vellu.ai
Address: Holkkitie 2, 40530 Jyväskylä, Finland

2. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, including account management, content processing, and AI analysis
  • Legitimate interest (Art. 6(1)(f)): Service improvement, security monitoring, abuse prevention, pseudonymous usage analytics, error diagnostics, delivering gift vouchers to the recipients designated by a buyer, and measuring the effectiveness of our own marketing campaigns through first-party attribution recorded once at signup
  • Consent (Art. 6(1)(a)): Optional features that require your consent, such as marketing email communications (see section 10) and marketing and advertising conversion tracking via Meta and Google, which are applied only if you opt in
  • Legal obligation (Art. 6(1)(c)): Compliance with Finnish and EU legal requirements

3. Data Collected

We collect and process the following categories of personal data:

  • Account data: Name, email address, profile image (from authentication provider)
  • Audio recordings: Audio files you upload or record through the Service
  • Transcriptions: Text generated from your audio recordings via AI transcription
  • Images: Photos, drawings, or other images you upload to chapters, and images generated or edited for you by AI at your request
  • Generated content: Chapters, summaries, storylines, and other content generated by the AI
  • Gift recipient data: If you purchase a gift voucher for another person, the recipient's email address and name, your chosen sender name, and any personal message you provide, used to deliver the gift on your behalf
  • Marketing attribution data: If you arrive via our marketing site or an advertising campaign, the campaign parameters carried in the link you followed (UTM tags and the Google gclid / Meta fbclid click identifiers), the referring site, the landing page, and the product you selected on our marketing site, recorded once on your account at signup
  • Usage data: Service interactions, feature usage, and error logs
  • Analytics data: Page views and feature-usage events collected through our analytics provider (Umami), associated with your IP address and a pseudonymous hashed identifier. This analytics is cookieless and does not store identifiers on your device
  • Error data: When an error occurs, technical error reports and a masked replay of the affected session (all text and inputs are masked and media is blocked before the replay leaves your browser), collected through our error-monitoring provider (Sentry)
  • Correspondence: Emails you send to us (for example support requests) and our replies, retained as part of your customer record
  • Technical data: IP address, browser type, device information (collected automatically)
  • Billing data: billing name and address, country, tax identification number (if provided), transaction and invoice history, and a reference to your Stripe customer. Card details are handled directly by Stripe and are not received or stored by us.
  • Order and shipping data: If you order a printed book, the delivery recipient's name, postal address, country, and phone number you provide at checkout, together with the order details (product options, quantity, amounts, and order status). To produce and deliver the book, the shipping address and the print-ready file of your book are shared with our print-on-demand partner (see section 5)

4. AI Processing Disclosure

In accordance with the EU AI Act (Regulation (EU) 2024/1689), we disclose the following AI processing:

  • OpenAI Whisper: Your audio recordings are processed by OpenAI's Whisper API for transcription. Audio data is sent to OpenAI's servers for processing and is subject to OpenAI's Privacy Policy. OpenAI does not use API data for training.
  • Anthropic Claude: Your transcriptions and content are processed by Anthropic's Claude API for text generation, analysis, and summarization. Text data is sent to Anthropic's servers and is subject to Anthropic's Privacy Policy. Anthropic does not use API data for training.
  • OpenAI image generation: When you generate or edit an image, your image description (refined into an image prompt by Anthropic Claude, as above) and — when you edit an existing image — that source image are sent to OpenAI's image API for processing. This data is subject to OpenAI's Privacy Policy. OpenAI does not use API data for training.

No automated decision-making with legal or similarly significant effects is performed. All AI outputs are presented as suggestions for your review.

5. Sub-Processors and International Transfers

We use the following sub-processors who may process data outside the EEA:

  • Amazon Web Services EMEA SARL (Luxembourg) — Cloud hosting, database, and file storage for the Service, including your audio recordings and images. Your data is hosted in the EEA (AWS Europe region). An optional email-address validation check at signup may be processed by AWS in the United States; transfer mechanism for any US processing: Standard Contractual Clauses (SCCs) via the AWS Data Processing Addendum
  • OpenAI, Inc. (USA) — Audio transcription and AI image generation and editing. Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Anthropic, PBC (USA) — Text generation and analysis. Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Umami Software, Inc. (USA) — Cookieless product analytics (page views and feature events linked to a pseudonymous hashed identifier). Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Functional Software, Inc. (Sentry) (USA) — Error monitoring and masked session replay used for debugging. Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Authentication providers (Google, Facebook) — Account authentication only
  • Stripe Payments Europe, Ltd (Ireland, with processing also in the United States under Stripe's group DPA) — Payment processing, invoicing, and tax calculation. Transfer mechanism for any US processing: Standard Contractual Clauses (SCCs) and Stripe's binding corporate rules, as described in Stripe's Privacy Center https://stripe.com/legal/privacy-center.
  • Plus Five Five, Inc. (operator of Resend; 2261 Market Street #5039, San Francisco, CA 94114, USA) — Delivery of transactional, notification, and marketing emails, including sign-in codes, account and billing notifications, gift-voucher delivery to recipients, and marketing messages you have consented to receive. Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Lulu Press, Inc. (USA; print production for EU/EEA orders is carried out in France) — Print-on-demand production and shipping of printed books you order. Receives the shipping address you provide at checkout and the print-ready file of your book, used solely to print and deliver your order. Transfer mechanism for any US processing: Standard Contractual Clauses (SCCs)
  • Meta Platforms Ireland Limited (Ireland, with transfers to Meta Platforms, Inc. in the USA) — Advertising and conversion measurement (server-side Conversions API), only where you have opted in to marketing tracking. Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Google Ireland Limited (Ireland, with transfers to Google LLC in the USA) — Advertising and conversion measurement (Google Ads), only where you have opted in to marketing tracking. Transfer mechanism: Standard Contractual Clauses (SCCs)

All international data transfers are protected by appropriate safeguards in accordance with GDPR Chapter V.

6. Data Subject Rights

Under GDPR Articles 15–22, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data
  • Right to rectification (Art. 16): Correct inaccurate data
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to restriction (Art. 18): Restrict processing of your data
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent

If you are the recipient of a gift voucher and we have processed your contact details to deliver it, you may exercise these rights — including asking us to erase your details — by contacting us as set out below.

To exercise these rights, contact us at privacy@vellu.ai. We will respond within 30 days.

7. Right to Complain

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto):

Office of the Data Protection Ombudsman
P.O. Box 800, 00531 Helsinki
Email: tietosuoja@om.fi
Website: tietosuoja.fi

8. Data Retention

  • Account data: Retained for the duration of your account, deleted within 30 days of account deletion
  • Audio recordings: Retained until you delete them or your account is deleted
  • Images: Uploaded and AI-generated images, including images kept in a chapter's image gallery for re-use, are retained until you delete them or your account is deleted
  • Generated content: Retained until you delete it or your account is deleted
  • Gift recipient data: Retained as part of the gift voucher record for as long as necessary to deliver the gift and to handle redemption, refunds, and related support; purchase records are also subject to the statutory accounting retention period below
  • Printed-book orders: Order records, including the shipping address and fulfilment details, are retained as part of your customer record for as long as needed to fulfil the order and handle reprints, returns, and related support; purchase and payment records are also subject to the statutory accounting retention period below
  • Print files: The print-ready PDF files generated for a printed-book order are retained for 90 days after payment (to allow for reprints and support), then deleted from our file storage
  • Usage logs: Server and application logs retained for 30 days for security and debugging purposes
  • Error data: Error reports and masked session replays retained for 90 days in our error-monitoring system
  • Correspondence: Support and account-related email correspondence retained for the duration of your account and deleted with it, except where a longer statutory retention applies
  • Unconfirmed accounts: Accounts that never accept the Terms of Service are deleted approximately 30 days after creation
  • Backup data: Removed from backups within 30 days of deletion from live systems
  • Invoices and payment records: retained for at least six (6) years from the end of the fiscal year they relate to, as required by the Finnish Accounting Act (kirjanpitolaki 1336/1997). This applies even after account deletion, to the extent required for legal compliance.

9. Cookies

The Service uses strictly necessary and functional cookies, which do not require consent, for:

  • Session management and authentication
  • Language preference
  • Interface preferences (such as remembering whether the sidebar is open)
  • Remembering the product you selected on our marketing site so we can show it to you after signup (vellu_intent, kept for at most 24 hours and removed once shown)
  • Carrying the campaign parameters from the link you followed until signup completes (vellu_attr, kept for at most 30 days and removed at signup)

Our product analytics (Umami) is cookieless: it does not set cookies or store identifiers on your device.

With your consent, the Service also uses advertising and conversion-measurement technologies to measure the effectiveness of our marketing:

  • Google Ads: loads Google's gtag.js and sets Google Ads conversion-linker cookies
  • Meta (Facebook) Conversions API: reports conversion events to Meta server-side; if Meta's _fbp and _fbc cookies are present in your browser (for example after clicking one of our ads), we include them in those events

The advertising partners we use, the specific conversion events we report to each, and the parameters shared are set out in our Ads Measurement Notice. These technologies are applied only if you opt in to marketing tracking. You can give or withdraw this consent at any time from Settings → Analytics & advertising. Withdrawing consent stops further tracking, although it cannot retract data already sent.

10. Marketing Communications

If you opt in to marketing emails, we send them on the basis of your consent (Art. 6(1)(a)). These messages are grouped into categories you can choose between — such as promotional offers and product news, occasional reminders, and educational tips — so that you can receive some kinds and not others. The categories currently available, and your choices for each, are shown in your account settings.

Some of these messages may be prompted by the recent activity of your own account — for example, a reminder that a book you started has been inactive for a while. This does not involve automated decision-making that produces legal or similarly significant effects.

We send these emails only if you have given marketing consent, and you remain in control at all times. You can:

  • withdraw your marketing consent entirely from Settings, which stops all marketing emails; or
  • choose which categories you receive from Settings, while continuing to receive the others; or
  • unsubscribe directly from any marketing email, using the unsubscribe link in its footer or your email client's one-click unsubscribe button.

Withdrawing consent or unsubscribing does not affect the service messages we need to send to operate your account — such as sign-in codes, billing and payment notices, credit-expiry reminders, legal-update notifications, and replies to your support requests. We send those on the basis of contract performance or legal obligation, regardless of your marketing preferences.

11. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS)
  • Encrypted storage for sensitive data
  • Access controls and authentication
  • Regular security reviews

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified through the Service with a 30-day review period.

13. Contact

For privacy-related inquiries:
Vellu.AI
Email: privacy@vellu.ai
Address: Holkkitie 2, 40530 Jyväskylä, Finland