Privacy Policy

Veld AI ("Veld," "Company," "we," "our," or "us") is a product of Wavestar Holdings LLC, a company incorporated in the State of Delaware, United States. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you access or use the Veld AI platform, website (veldai.io), APIs, SDKs, documentation, and any related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization.

2.1 Information You Provide Directly

• Account Registration: Full name, work email address, company name, job title, team size, and industry.
• Billing Information: Payment method, billing address, and invoice history (processed via Stripe; we do not store card numbers).
• Communications: Messages sent via contact forms, support tickets, or email correspondence.
• User Preferences: Agent configurations, notification settings, and dashboard customizations.

2.2 Information Collected via Microsoft 365 Integration

With your explicit OAuth 2.0 consent, Veld accesses the following via the Microsoft Graph API:

• Email Metadata: Sender, recipient, subject line, timestamps, categories, and importance flags. We do not store raw email body content.
• Calendar Events: Meeting titles, attendees, start/end times, and location data.
• Meeting Transcripts: VTT/DOCX transcripts from Teams meetings are processed in-memory for action item extraction, then discarded.
• Organizational Data: Directory information (user display names, department) for intelligent task routing.

2.3 Information Collected Automatically

• Device & Browser Data: IP address, browser type and version, operating system, device type, and screen resolution.
• Usage Analytics: Pages visited, features used, session duration, click patterns, and referral source.
• Log Data: Server request timestamps, API call metadata, error logs, and performance metrics.
• Cookies & Similar Technologies: Essential cookies for authentication, preference cookies for UI settings, and analytics cookies (with consent). See Section 9.

• Core Service Delivery: Process and classify signals from connected data sources, generate tasks, summaries, draft replies, and action items via our 23 AI agents.
• Service Improvement: Analyze aggregate, anonymized usage patterns to improve agent accuracy, platform stability, and user experience.
• Account Management: Set up and maintain your account, process billing, and provide customer support.
• Communications: Send transactional emails (account confirmations, password resets, billing receipts), security alerts, and product update notifications.
• Security & Fraud Prevention: Monitor for unauthorized access, detect anomalous activity, enforce rate limits, and maintain audit logs.
• Legal Compliance: Comply with applicable laws, respond to lawful requests, and enforce our Terms of Service.

Veld AI uses large language models (LLMs) for intent classification, draft reply generation, meeting note extraction, and pattern detection. Our AI architecture is designed with privacy by default:

• Zero Data Retention by LLM Providers: All LLM inference calls are stateless. Our LLM providers (Azure OpenAI) are contractually prohibited from storing, logging, or using your data for model training.
• In-Memory Processing: Raw email content and meeting transcripts are processed in-memory. Only structured outputs (classifications, tasks, draft replies) are persisted — never the raw source material.
• Tenant Isolation: Each organization's data is logically isolated with separate encryption contexts, database schemas, and access control policies. No cross-tenant data access is possible.
• No Model Training: Your data is never used to train, fine-tune, or improve any AI/ML models, whether ours or third-party.
• Human-in-the-Loop: DraftReplyAgent creates draft emails that require explicit user approval before sending. No automated emails are ever sent on your behalf.

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

• Infrastructure Providers: Microsoft Azure (hosting, database, blob storage), Azure OpenAI (LLM inference), Stripe (payment processing), and PostHog (anonymized analytics).
• Legal Requirements: When required by law, subpoena, court order, or government request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity with equivalent privacy protections.
• With Your Consent: Any sharing beyond what is described here requires your explicit opt-in consent.

All third-party providers are contractually obligated to protect your data and are prohibited from using it for their own purposes.

• Signal & Task Data: Retained for 90 days by default. Enterprise customers may configure retention periods from 30 to 365 days.
• Account Data: Retained for the duration of your active account plus 30 days after account deletion.
• Audit Logs: Retained for 1 year for security and compliance purposes.
• Billing Records: Retained for 7 years as required by applicable tax and financial reporting laws.
• Marketing Data: Retained until you unsubscribe or request deletion.

You may request immediate deletion of your data at any time by contacting privacy@veldai.io. Deletion requests are processed within 30 business days.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data ("right to be forgotten").
• Restriction: Request restriction of processing in certain circumstances.
• Data Portability: Receive your data in a structured, machine-readable format (JSON/CSV).
• Object: Object to processing based on legitimate interests or direct marketing.
• Withdraw Consent: Revoke your Microsoft 365 OAuth consent at any time via Azure AD or the Veld dashboard.
• Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise your rights, contact privacy@veldai.io. We respond within 30 days (or the timeframe required by applicable law).

Your data is primarily stored and processed in the United States (Azure US regions). For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure adequate protection for cross-border data transfers. Enterprise plans may elect EU-only data residency.

• Essential Cookies: Required for authentication, session management, and CSRF protection. Cannot be disabled.
• Preference Cookies: Store your UI preferences (theme, sidebar state, dashboard layout).
• Analytics Cookies: Used with your consent to understand aggregate usage patterns. We use PostHog (self-hosted) with IP anonymization enabled.

We do not use third-party advertising cookies or tracking pixels. You can manage cookie preferences in your browser settings.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it immediately.

We implement industry-standard security measures including TLS 1.3, AES-256 encryption at rest, RBAC, MFA enforcement, audit logging, and regular third-party penetration testing. For comprehensive details, see our Security page.

We may update this Privacy Policy periodically. Material changes will be communicated via email notification and/or in-app banner at least 30 days before taking effect. The "Last reviewed" date at the top indicates when this policy was last updated. Continued use of the Service after changes constitutes acceptance.

For privacy inquiries, data requests, or complaints: