Privacy Policy

1. Information We Collect

We collect information that you provide directly to us, information automatically collected through your use of the Platform, and information from third-party sources. The categories of information we collect include:

• Personal Identification Information: Name, email address, phone number, job title, business address, company name, user profile information, and account credentials (username and encrypted password).
• Business and Organizational Information: Company registration details, Tax Registration Number (TRN), billing information, organizational structure, department hierarchies, team member roles, and subscription plan details.
• Usage and Activity Data: Workflow designs and configurations, document uploads and processing history, API usage patterns, feature utilization metrics, login timestamps, IP addresses, session durations, and user interactions with the Platform.
• Technical and Device Information: Browser type and version, operating system, device identifiers, screen resolution, language preferences, time zone settings, cookies and tracking technologies, referral URLs, and network connection details.
• Communications and Support Data: Customer support tickets, chat transcripts, email correspondence, feedback submissions, survey responses, and any other information you provide when contacting us.
• Payment and Financial Information: Credit card details (processed securely through PCI-DSS compliant payment processors), billing addresses, transaction histories, invoices, and VAT/tax information. Note: We do not store full credit card numbers on our servers; payment processing is handled by certified third-party payment gateways.

2. How We Use Your Information

We use the information we collect for the following legitimate business purposes:

• Service Delivery and Performance: To provide, operate, maintain, improve, and optimize the VeloProcess Platform; to execute workflows, process documents, run AI models, generate analytics, and deliver all features and functionalities you have subscribed to.
• Account Management and Authentication: To create and manage your user account, verify your identity, authenticate login sessions, process subscriptions, manage billing and payments, send transactional emails (account confirmations, password resets, subscription renewals, invoices), and enforce our Terms of Service.
• Customer Communication and Support: To respond to your inquiries, provide technical support, troubleshoot issues, notify you of Platform updates or maintenance schedules, send important security alerts, and communicate changes to our policies or services.
• Platform Enhancement and Development: To analyze usage patterns, identify feature preferences, conduct A/B testing, develop new functionalities, optimize AI model performance, improve user experience, and prioritize our product roadmap based on customer needs.
• Security and Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, unauthorized access, security breaches, misuse of the Platform, violations of our Acceptable Use Policy, and other malicious or illegal activities.
• Legal and Regulatory Compliance: To comply with applicable laws, regulations, and legal processes; to respond to lawful requests from public authorities, courts, and law enforcement agencies; to enforce our legal rights and defend against claims; to ensure compliance with UAE PDPL, KSA PDPL, GDPR, AML/CTF regulations, and other applicable data protection and financial regulations.
• Analytics and Business Intelligence: To generate aggregated, anonymized statistics and insights about Platform usage, performance metrics, industry trends, and benchmarking data that do not identify individual users or organizations.

3. Legal Basis for Processing (UAE PDPL / KSA PDPL / GDPR Compliance)

Our legal basis for collecting and processing your personal information depends on the specific context and purpose. We process your data based on one or more of the following legal grounds:

• Contractual Necessity: Processing is necessary to perform our contract with you (the Terms of Service), including account setup, service delivery, billing, and customer support.
• Your Consent: You have given explicit, informed consent for specific processing activities, such as marketing communications, optional feature usage, or data sharing with third-party integrations you authorize.
• Legal Obligation: Processing is necessary to comply with legal and regulatory obligations under UAE PDPL, KSA PDPL, tax laws, financial regulations, AML/CTF requirements, court orders, or other applicable laws.
• Legitimate Interests: Processing is necessary for our legitimate business interests, such as improving the Platform, ensuring security, preventing fraud, conducting analytics, and optimizing operations, provided such interests are not overridden by your fundamental rights and freedoms.

4. Data Sharing and Disclosure

We do not sell, rent, or lease your personal information to third parties for marketing purposes. We may share your information only in the following limited circumstances:

• Trusted Service Providers and Sub-Processors: We engage carefully vetted third-party service providers who assist us in operating the Platform, including cloud infrastructure (Amazon Web Services - AWS UAE Region), authentication services (Clerk), payment processors (Stripe, PayTabs), email delivery (SendGrid, Amazon SES), monitoring and logging (Datadog, Sentry), and customer support tools (Intercom). These providers are contractually bound to process your data only as directed by us and in compliance with equivalent data protection standards. A complete list of sub-processors is available in your account dashboard.
• Business Transfers and Corporate Transactions: In the event of a merger, acquisition, asset sale, reorganization, bankruptcy, or other corporate transaction involving VeloProcess, your information may be transferred to the acquiring or successor entity, subject to the same privacy protections outlined in this policy. We will notify you of any such transfer and provide you with choices regarding your data.
• Legal and Regulatory Authorities: We may disclose your information to government authorities, regulators, courts, law enforcement agencies, or other third parties when required by law, legal process, court order, subpoena, or when we believe disclosure is necessary to: (a) comply with legal obligations; (b) protect the rights, property, or safety of VeloProcess, our users, or the public; (c) detect, prevent, or investigate fraud, security breaches, or illegal activities; (d) enforce our Terms of Service and other agreements.
• With Your Consent: We may share your information with third parties when you explicitly authorize us to do so, such as when integrating third-party applications, exporting data to external systems, or participating in joint marketing initiatives.

5. Data Security Measures

We implement comprehensive technical, administrative, and physical security measures designed to protect your information from unauthorized access, disclosure, alteration, and destruction. Our security controls include:

• Encryption: All data is encrypted at rest using military-grade AES-256 encryption and in transit using TLS 1.3 protocol. Database connections, API communications, and inter-service communications are encrypted end-to-end.
• Access Controls: We enforce strict role-based access controls (RBAC), principle of least privilege, multi-factor authentication (MFA) for administrative access, regular access reviews, and immediate revocation of access for terminated employees or contractors.
• Security Monitoring: We deploy Web Application Firewall (WAF), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Security Information and Event Management (SIEM), real-time anomaly detection, continuous vulnerability scanning, and 24/7 security operations center (SOC) monitoring.
• Data Backup and Recovery: We maintain regular automated backups with encryption, geographically distributed backup storage within the Middle East region, point-in-time recovery capabilities, and tested disaster recovery procedures with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
• Incident Response: We maintain a comprehensive incident response plan, conduct regular security drills, perform annual penetration testing by certified third-party security firms, and have established procedures for breach notification in compliance with UAE PDPL Article 10 (notification within 72 hours).

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically: (a) Active Account Data: Retained for the duration of your active subscription plus 30 days post-cancellation to allow data export; (b) Billing and Transaction Records: Retained for 7 years to comply with UAE tax and financial regulations; (c) Support and Communication Logs: Retained for 3 years for quality assurance and dispute resolution; (d) Aggregated Analytics: Anonymized, non-identifiable data may be retained indefinitely for statistical and research purposes; (e) Legal Hold Data: Data subject to legal proceedings, regulatory investigations, or litigation holds will be retained until the matter is fully resolved. After the applicable retention period expires, we securely delete or anonymize your information in accordance with industry best practices and data protection regulations.

7. Your Data Protection Rights (UAE PDPL / KSA PDPL / GDPR)

Under applicable data protection laws, you have the following rights regarding your personal information:

• Right to Access: You have the right to request a copy of the personal information we hold about you, including details about how we collect, use, and share your data. We will provide this information in a structured, commonly used, machine-readable format (JSON, CSV, or PDF) within 30 days of your request.
• Right to Rectification: You have the right to request correction of inaccurate, incomplete, or outdated personal information. You can update most information directly through your account settings, or contact us for assistance.
• Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal information when: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis for processing; (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; (e) erasure is required to comply with legal obligations. Note: We may retain certain information when required by law or for legitimate business purposes (e.g., financial records for tax compliance).
• Right to Restriction of Processing: You have the right to request that we limit how we use your data when: (a) you contest the accuracy of the data; (b) processing is unlawful but you prefer restriction over deletion; (c) we no longer need the data but you require it for legal claims; (d) you have objected to processing pending verification of our legitimate grounds.
• Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit that data to another service provider without hindrance, where technically feasible.
• Right to Object: You have the right to object to processing of your personal information based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing conducted prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the UAE Data Office (udo@uae.gov.ae), Saudi Data & Artificial Intelligence Authority (SDAIA), or your local supervisory authority if you believe your data protection rights have been violated.

8. International Data Transfers

All customer data is stored exclusively within Amazon Web Services (AWS) data centers located in the United Arab Emirates (AWS UAE Region - me-central-1), ensuring full compliance with GCC data localization requirements. We do not transfer your personal data outside the Middle East region unless: (a) you explicitly request such transfer in writing; (b) transfer is necessary to provide services you have authorized (e.g., integration with third-party tools hosted outside the region); (c) required by law or court order. When cross-border transfers are necessary, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or other legally recognized transfer mechanisms to ensure your data receives equivalent protection.

9. Cookies and Tracking Technologies

We use cookies, web beacons, pixels, local storage, and similar tracking technologies to enhance your experience, analyze usage patterns, and improve the Platform. The types of cookies we use include:

• Essential Cookies: Strictly necessary for the Platform to function properly, including session management, authentication tokens, security features, and load balancing. These cookies cannot be disabled without affecting core functionality.
• Analytics and Performance Cookies: Used to collect information about how users interact with the Platform, including page views, feature usage, error rates, and performance metrics. We use tools such as Google Analytics, Mixpanel, and Datadog RUM (Real User Monitoring) with IP anonymization enabled.
• Functionality Cookies: Remember your preferences, settings, language selection, theme choices, and other customization options to provide a personalized experience.
• Marketing and Advertising Cookies: Used to deliver relevant advertisements, track campaign effectiveness, and measure marketing ROI. We may use Google Ads, LinkedIn Ads, and Facebook Pixel for retargeting campaigns. You can opt out of personalized advertising through your account settings or browser settings.

10. Children's Privacy

The VeloProcess Platform is designed for business and enterprise use and is not intended for individuals under the age of 18. We do not knowingly collect, use, or disclose personal information from children under 18 years of age. If we become aware that we have inadvertently collected personal information from a child under 18, we will take immediate steps to delete such information from our systems. If you believe we have collected information from a child under 18, please contact our Data Protection Officer at privacy@veloprocess.app immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, industry standards, or Platform features. We will notify you of material changes by: (a) posting the updated Privacy Policy on our website with a revised "Last Updated" date; (b) sending email notification to the address associated with your account at least 30 days prior to the effective date of changes; (c) displaying an in-platform notification upon your next login. Your continued use of the Platform after the effective date of any modifications constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

12. Contact Information and Data Protection Officer