Legal

Privacy Policy

Last updated: May 28, 2026

1. Introduction

Velogics provides AI-powered customer-engagement services — including an AI chatbot, web-form orchestration, automatic booking, inbound voice answering, outbound voice and email, review follow-up, and related AI features — to service businesses. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights available to you. It applies to the Velogics marketing site (velogics.ai), the operator portal (app.velogics.ai), and any communication Velogics sends on behalf of a business that uses our platform.

2. Definitions

  • Operator — a business customer that subscribes to Velogics and uses the platform to engage with its own customers and leads.
  • End User — a lead, prospect, customer, or other individual whom an Operator engages through Velogics (for example, a person who fills out an Operator's contact form, calls the Operator's phone line, or receives an outbound email from an Operator's campaign).
  • Visitor — anyone who browses the Velogics marketing site without signing in.
  • Personal Information / Personal Data — information that identifies, relates to, describes, or could reasonably be linked to a particular individual or household.

3. Our Roles (Controller vs. Processor)

Velogics acts in two different roles depending on whose data is at issue:

  • As a controller — for personal information about Operators and Visitors (signup data, account profile, billing data, support conversations, marketing-site analytics). We determine the purposes and means of processing this data.
  • As a processor / service provider— for End-User data that an Operator routes through Velogics (chatbot conversations, form submissions, call recordings and transcripts, outbound campaign content, review interactions). The Operator is the controller of that data and determines why and how it is used; Velogics processes it on the Operator's documented instructions through the platform.

Operators that need a formal Data Processing Agreement can review and execute our standard DPA at velogics.ai/legal/dpa or email admin@velogics.ai.

4. Information We Collect

From Operators (account holders)

  • Identifiers: name, business name, email, phone, billing address.
  • Account credentials and authentication tokens.
  • Billing data: payment-method details (processed by our payment processor; we do not store full card numbers), invoices, plan history.
  • Knowledge-base content the Operator uploads (FAQs, services, pricing, brand voice samples, scripts).
  • OAuth tokens for connected third-party services (CRM, calendar, Google Business Profile, Search Console, etc.).
  • Support communications, feedback, and feature requests.
  • Usage telemetry: feature use, login times, error logs, IP addresses, user-agent strings.

From End Users (on behalf of Operators)

  • Contact details submitted to a form or chatbot: name, email, phone, address, service requested.
  • Chat-conversation transcripts.
  • Inbound and outbound voice-call audio recordings and transcripts (see §6).
  • SMS message content sent and received through the platform.
  • Outbound email content and engagement metadata (sent, delivered, opened, clicked, replied, bounced, unsubscribed).
  • Appointment and booking details.
  • Review-request responses (sentiment, free-text feedback).
  • For outbound campaigns: prospect-list data provided or built for the Operator (name, role, company, business email, public profile information).

From Visitors (marketing site)

  • IP address, device and browser details, referrer URL, pages visited.
  • Information voluntarily submitted via contact forms or demo requests.
  • Cookies and similar technologies as described in §12.

5. How We Use Information

We process the data described above to:

  • Provide, operate, secure, and improve the platform and each AI employee Operators subscribe to.
  • Authenticate Operators and protect against unauthorised access.
  • Respond to End Users on Operators' behalf — including chatbot replies, voice answering, booking, follow-up SMS, outbound email sequences, and review requests.
  • Bill and collect payment.
  • Provide support and respond to inquiries.
  • Detect and prevent fraud, abuse, and violations of our Acceptable Use Policy.
  • Comply with legal obligations and respond to lawful requests.
  • Aggregate or de-identify data for analytics and product improvement (such data is no longer Personal Information).

Legal bases (GDPR / UK GDPR): where applicable, we rely on performance of contract (operating the platform for paying Operators), our legitimate interests (security, abuse prevention, product improvement), consent (where you have given it — for example, marketing communications), and compliance with legal obligations.

We do not sell Personal Information, and we do not use End-User chat, voice, SMS, or email content to train any general-purpose AI model.

6. Voice Calls — Recording and Transcription

AI Receptionist (inbound voice) and AI Sales Rep (outbound voice) record and transcribe every call in order to deliver the service. Operators are responsible for ensuring that the call-opening announcement complies with the consent law of the jurisdictions in which their callers and the called numbers are located (including U.S. states that require two-party consent and any applicable national laws). Velogics provides a configurable opening line and will not bypass it.

  • What we capture: the audio recording, a written transcript, caller phone number, call metadata (duration, time, disposition, transfer events), and any details captured during the call (name, requested service, appointment slot).
  • Why: to render the call to the Operator, populate CRM/calendar entries, train Operator-specific tuning, surface quality-control transcripts to the Operator, and respond to compliance or dispute investigations.
  • Who can access: the Operator and their authorised team members in the operator portal; Velogics personnel only when needed to support, secure, or investigate a specific issue.
  • Retention: recordings and transcripts are retained for the lifetime of the Operator's active subscription unless the Operator configures a shorter retention period; on Operator deletion request, both are purged within 30 days.
  • AI training: call content is not used to train any third-party general-purpose AI model.

7. AI Processing of Personal Information

Velogics uses third-party large language model providers (currently Anthropic) to power features such as chatbot replies, voice responses, outbound email drafting, content generation, and SEO recommendations. We send only the inputs needed for the specific feature in use — typically the Operator's configured brand and KB context, the current conversation fragment, and the specific item the AI is asked to draft. We do not send OAuth tokens, full profiles, or unrelated personal data. Our AI sub-processors are contractually bound not to use Velogics traffic to train their models.

8. SMS / Text Message Policy

By providing your phone number, you agree to receive SMS messages from Velogics or, where applicable, from a Velogics Operator using Velogics to communicate with you. These messages relate to your service inquiry, appointment confirmations, follow-up communications, and (where you have opted in) re-engagement campaigns.

  • Message frequency varies based on your interaction with our services.
  • Message and data rates may apply.
  • Reply STOP to any message to opt out of future SMS communications from that sender.
  • Reply HELP for assistance, or contact sales@velogics.ai.
  • Consent to receive SMS is not a condition of purchase.

All SMS traffic complies with A2P 10DLC registration requirements and the TCPA. Campaigns are registered with The Campaign Registry. Operators are responsible for obtaining and documenting consent before adding any phone number to a campaign that originates outside the standard inbound-reply flow.

9. Data Security

Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent). Authentication uses industry-standard practices including hashed credentials and session management. OAuth tokens are encrypted with a per-deployment key before being written to the database. Access to production systems is restricted, logged, and reviewed. We host on cloud platforms that maintain SOC 2 Type II attestations (Vercel, Neon); Velogics itself does not currently hold a SOC 2 report — please contact us if your procurement process needs additional security documentation.

10. Data Sharing and Sub-Processors

We do not sell Personal Information. We share it only with: (i) the Operator whose service generated the data, (ii) sub-processors that help us operate the platform, (iii) authorities when required by law, and (iv) acquirers in the event of a merger, acquisition, or sale of assets.

A current list of sub-processors — including Vercel, Neon, Anthropic, Twilio, Postmark, Resend, Upstash, and Stripe — is maintained at velogics.ai/legal/sub-processors. We will update that page before engaging a new sub-processor that processes Operator or End-User data, and we will notify Operators in advance per the timelines in our DPA.

11. Google API Integration

Velogics integrates with Google services on behalf of Operators who connect their Google account via OAuth 2.0. This section describes what Google user data we access and how we handle it.

Scopes we request

  • Google Business Profile (business.manage) — read the Operator's verified GBP listings and publish Operator-approved weekly posts (updates, offers, events) to those listings on the Operator's behalf.
  • Google Search Console (webmasters.readonly) — read keyword + URL ranking data for the Operator's verified property to power SEO audits, recommendations, and rank-tracking dashboards. We never modify any data in Search Console; the scope is strictly read-only.

How we store this data

OAuth access and refresh tokens are encrypted at rest using AES-256-GCM with a per-deployment encryption key before being written to our database. The cached keyword rankings, audit scores, and recommendations are stored per-tenant and isolated by business — one Operator cannot access another Operator's connected-account data.

How we use this data

Google Business Profile data is used solely to render the Operator's own listings inside the Velogics dashboard and to publish Operator-approved posts to those listings. Search Console data is used to display the Operator's rankings inside the Velogics dashboard, to score per-page SEO health, and to draft fix proposals for recommendations the Operator chooses to action. We do not use Google user data for advertising, profiling, or analytics outside the Operator's own account, and we never share Google user data with any third party except the sub-processors listed below that we engage to provide the Operator-authorized features.

Use of AI sub-processors

To deliver the Operator-authorized features (drafting blog content, drafting SEO fix proposals, generating schema markup, expanding keyword research), Velogics sends targeted inputs to a third-party large language model provider (Anthropic Claude). The inputs are limited to: Operator-provided brand context (tone, do-say/don't-say, knowledge base), the specific Search Console keyword(s) and URL(s) relevant to the requested feature, and audit findings derived from public page HTML. We never send the Operator's OAuth access or refresh tokens, the full Google account profile, or Search Console data outside the scope of the requested feature. Anthropic processes these inputs as a sub-processor bound by its Commercial Terms, and does not train models on Velogics API traffic. This sub-processing falls within the Limited Use exception for transfers necessary to provide the user-facing features the Operator authorized.

Sub-processors that handle Google data

  • Vercel (United States) — application hosting and serverless function execution. Google user data passes through Vercel only in-memory during request handling.
  • Neon (United States) — managed Postgres database. Stores encrypted OAuth tokens and cached Search Console rankings, audit results, and recommendations.
  • Anthropic (United States) — large language model API for the AI sub-processor activity described above. Receives only the targeted inputs described in that section.

Data retention

OAuth tokens are retained for as long as the connection is active and are deleted within 24 hours of disconnect or revocation. Cached Search Console rankings, audit results, and recommendation rows are retained for the lifetime of the Operator's active subscription so that Operators can compare trends over time and resume work after a temporary disconnect. On account closure or on Operator request, all Google user data, derived cached data, and recommendation rows scoped to that Operator are permanently deleted within 30 days, subject to any legal retention requirements.

Limited Use disclosure

Velogics' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Velogics will not:

  • use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising;
  • transfer Google user data to any third party except as necessary to provide or improve user-facing features that the Operator has authorized, to comply with applicable law, or as part of a merger, acquisition, or sale of assets in which the receiving party agrees to honor the commitments in this policy;
  • allow humans to read Google user data, except (a) with the Operator's affirmative agreement for specific Operator-supplied data, (b) where necessary for security purposes such as investigating abuse, (c) where required to comply with applicable law, or (d) where the data has been aggregated and anonymized and is used for internal operations.

Revoking access and requesting deletion

  • From within Velogics: click Disconnect in the connection card on the SEO panel (app.velogics.ai/app/marketing/seo) or the equivalent control on the Google Business Profile setup tab. This revokes the refresh token at Google, deletes the stored OAuth tokens from our database within 24 hours, and stops all future API calls. Cached search data is preserved so the Operator can resume on reconnect; see "requesting full deletion" below if that is not desired.
  • From Google: visit myaccount.google.com/permissions, find "Velogics", and remove access. Velogics detects the revoked token on the next sync attempt and surfaces a reconnect prompt.
  • Requesting full deletion without closing the account: email admin@velogics.ai from the account email and we will permanently delete all OAuth tokens, cached Search Console data, audit history, ranking snapshots, and recommendation rows scoped to that Operator within 30 days, while keeping the rest of the Velogics account active.
  • On account closure: all Google user data, derived cached data, and recommendation rows scoped to the closed account are permanently deleted within 30 days of closure, subject to any legal retention requirements.

12. Cookies and Tracking Technologies

Velogics uses a small number of cookies and similar storage technologies to operate the marketing site and operator portal:

  • Strictly necessary — session and authentication cookies on the operator portal; theme preference; CSRF protection.
  • Analytics — aggregated, IP-truncated usage metrics that help us understand how the platform is used. We do not use cross-site tracking pixels for advertising on this site.

You can clear or block cookies in your browser at any time; doing so may affect operator-portal sign-in.

13. International Data Transfers

Velogics is operated from the United States and most of our sub-processors are based there. If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross-border data-transfer rules, your information will be transferred to and processed in the United States. Where required, we rely on the EU-U.S. Data Privacy Framework, the UK extension to it, the Swiss-U.S. Data Privacy Framework, and / or the European Commission's Standard Contractual Clauses to safeguard those transfers, together with the technical and organisational measures described in §9.

14. Data Retention

  • Operator account data: retained for the lifetime of the active subscription.
  • End-User data (chat, voice, SMS, email): retained for the lifetime of the Operator's active subscription unless the Operator configures a shorter retention period.
  • Backups: rolling backups are retained for up to 35 days.
  • Billing records: retained as required by tax and accounting law (typically seven years).
  • On Operator account closure: all Operator-scoped Personal Information (including End-User content the Operator routed through us) is permanently deleted within 30 days, subject to legal retention obligations.
  • On End-User request: Operators are the controllers of End-User data; we will assist Operators in fulfilling End-User deletion requests within commercially reasonable timeframes.

15. Your Rights

Depending on where you are located, you may have the following rights with respect to your Personal Information.

EEA / UK / Switzerland (GDPR / UK GDPR / FADP)

  • Access — request a copy of the Personal Information we hold about you.
  • Rectification — correct inaccurate or incomplete information.
  • Erasure — request deletion, subject to applicable legal exceptions.
  • Restriction — limit how we process certain data.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — to processing based on legitimate interests, including profiling and direct marketing.
  • Withdraw consent — for any processing based on consent, at any time.
  • Lodge a complaint — with your local data-protection supervisory authority.

California (CCPA / CPRA)

  • Right to know — categories and specific pieces of Personal Information collected, sources, purposes, and recipients.
  • Right to correct — inaccurate Personal Information.
  • Right to delete — Personal Information we have collected, subject to legal exceptions.
  • Right to limit use of sensitive Personal Information.
  • Right to opt out of "sale" or "sharing" — Velogics does not sell or share Personal Information for cross-context behavioural advertising; this right is therefore not exercised through us in practice.
  • Right to non-discrimination for exercising any of the above.
  • Categories of personal information sold or shared in the past 12 months: none.

All Visitors and End Users

To exercise any of the above, email admin@velogics.ai from the email address associated with your contact, or use the SMS opt-out process described in §8. We respond to verified requests within 30 days. If you are an End User whose data was routed through Velogics by an Operator, please contact the Operator first; we will assist the Operator in responding.

16. Children's Privacy

Velogics is a business-to-business platform not directed at children. We do not knowingly collect Personal Information from anyone under 13 (or under 16 in the EEA / UK). If you believe we have inadvertently received such data, please contact admin@velogics.ai and we will delete it promptly.

17. Marketing Communications

Operators and Visitors who provide an email address may receive product updates, security notices, and occasional marketing from Velogics. Every marketing email includes an unsubscribe link; transactional and security emails (billing receipts, breach notices, account-critical alerts) cannot be opted out of while the account is active.

18. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the most recent revision. For material changes that affect how Operator or End-User data is processed, we will give Operators advance notice — at least 30 days where reasonably practicable — by email or in-product notice. Continued use of the service after the effective date constitutes acceptance of the revised policy.

19. Contact Us

For privacy questions, requests, or complaints:
Email: admin@velogics.ai
Phone: (844) 835-6442