Privacy Policy — Vela

    Last updated: October 18, 2025

    1) Who we are

    Vela is an AI-powered scheduling agent that helps you coordinate meetings through email, SMS, and WhatsApp (the "Service"). Vela is operated by Apex Flux Inc., a Delaware C Corporation ("Apex Flux," "we," "us," or "our").

    2) Our promise on privacy & security (plain-English summary)

    We don't sell your data. Ever.

    Your scheduling content stays with us only for 7 days. We keep processing in our controlled infrastructure and only transmit the smallest necessary snippets to deliver messages (e.g., to your email or SMS/WhatsApp provider).

    Encryption everywhere. We use TLS in transit and AES-256 at rest. Keys are managed in a hardened KMS with strict access controls.

    No model training on your content. We do not use your emails, messages, or calendar details to train any third-party foundation models.

    Tight access. No human looks at your content unless you ask us for support or we need to investigate a security or abuse issue, in which case access is strictly logged and time-boxed.

    Minimal retention. We keep data only as long as needed to run the Service and then delete or irreversibly anonymize it.

    The details below are the legally operative policy.

    3) Scope

    This Policy covers personal data we process when you access our websites, connect accounts, or use the Service.

    4) Data we process

    4.1 You provide

    • Account details: name, email, phone (optional), time zone, hashed password.
    • Scheduling content ("Customer Content"): incoming and outgoing emails, SMS/WhatsApp messages, message headers/metadata, calendar entries (title, time, attendees, location, notes), and contacts you choose to involve.
    • Support content: tickets, screenshots, and feedback you send us.
    • Billing (if applicable): subscription status and transaction references (our payment processor handles full card data; we do not store it).

    4.2 Collected automatically

    • Device/usage telemetry: IP address, device/browser type, language, referring pages, diagnostics and performance logs.
    • Service events: authentication logs, API request IDs, delivery statuses, rate-limit counters, non-content analytics.

    4.3 From integrations you connect

    When you connect an email, calendar, or messaging channel, we receive scoped tokens and the minimum data necessary to provide the Service (for example, calendar free/busy to propose times, message bodies to draft/relay scheduling messages).

    5) How we use data (legal bases)

    • Provide the Service (contract necessity): authenticate you; read/write calendar events; send, receive, and organize scheduling messages; maintain reliable delivery; prevent abuse.
    • Communicate with you (contract necessity/legitimate interests/consent where required): transactional notices, service updates, support.
    • Safety and reliability (legitimate interests/legal obligation): fraud and abuse monitoring, incident response, service analytics, and capacity planning using aggregated and de-identified metrics.
    • Compliance (legal obligation): tax, accounting, regulatory requests.
    • Marketing (consent/legitimate interests): product news you can opt out of at any time.

    AI processing

    Vela's core scheduling logic runs in our controlled infrastructure. If we use a specialized third-party AI component to improve phrasing or slot suggestions, we: (i) send only the minimum context required; (ii) encrypt data in transit; (iii) prohibit data retention and training on your content; and (iv) strip or mask obvious personal identifiers where feasible.

    6) Messaging specifics (email, SMS, WhatsApp)

    Consent & opt-outs:

    • SMS: Reply STOP to end, HELP for help. Message & data rates may apply.
    • WhatsApp: Use the in-thread controls to opt out or mute; we honor settings immediately.
    • Email: Use the unsubscribe link or reply to let us know.

    Security notes:

    Email and our connections to providers are protected by TLS. SMS itself is not end-to-end encrypted; avoid sending sensitive information over SMS. WhatsApp provides end-to-end encryption in-app; upon delivery to a business via the official API, messages are transmitted to us over encrypted channels and stored encrypted at rest.

    Your responsibility:

    You must have permission to message participants you ask us to contact and you must comply with laws like TCPA/CAN-SPAM/ePrivacy.

    7) Sharing & disclosure

    We do not sell personal data and do not share it for cross-context behavioral advertising. We disclose data only to:

    • Essential service providers under contract (e.g., hosting, email/SMS/WhatsApp delivery, authentication, payments, logging). These providers get only what's necessary, receive data over TLS, store it encrypted at rest, and are not permitted to use it for their own purposes.
    • Legal/safety: to comply with valid legal processes or to protect users, our Service, or the public.
    • Business transfers: if we merge, acquire, or sell assets, your data remains protected under this Policy.

    All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

    8) International data movement

    We exclusively process and store data in the United States within reputable cloud data centers. If data must move across borders to deliver the Service (for example, to route a message to a recipient in another region), it travels over TLS-encrypted channels and is subject to contractual protections.

    9) Data retention

    • Scheduling content: retained only as long as needed for the event lifecycle and reliable delivery, then removed. As a default, message bodies and event details are pruned within 30 days after an event is completed unless you actively keep a thread.
    • System logs: retained 90–180 days for security, debugging, and abuse prevention.
    • Account deletion: on verified request, we begin deletion immediately and complete it within 30 days, with encrypted backups aging out on a rolling basis.

    10) Your rights

    Depending on your location, you may have rights to access, correct, delete, restrict, port data, or object to certain processing. You can exercise these rights by contacting us via the "Contact" options on our site or in-product. We will verify your request and respond within the time period required by law.

    California privacy (CPRA)

    We collect identifiers, internet activity, commercial information, and limited geolocation (coarse, IP-derived). We do not sell or share personal information as defined by the CPRA and we do not use sensitive personal information to infer characteristics.

    11) Security measures

    • Encryption: TLS 1.2+ in transit; AES-256 at rest; strong cryptographic key management with role-based access and rotation.
    • Access controls: least privilege; SSO/MFA for administrative access; immutable audit logs.
    • Isolation & hardening: network segmentation, secret vaulting, vulnerability scanning, and regular patching.
    • Incident response: 24/7 monitoring with rapid containment, user notification when legally required, and post-incident review.

    No system is 100% secure, but we design Vela so your data doesn't travel unnecessarily and is encrypted whenever it must move.

    12) Children

    Vela is not directed to children under 13, and we do not knowingly collect data from them.

    13) Changes to this Policy

    If we make material changes, we will provide reasonable notice (for example, in-product). Continued use after the effective date means you accept the updated Policy.

    14) Contact

    Questions about privacy or requests to exercise your rights can be made via the Contact link on our website or the in-product help channel.