Skip to content

Legal

Data Processing Agreement

Last updated: May 2026

Overview

This Data Processing Agreement describes how Veln.ai processes personal data on your behalf under Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679). When an evaluator (incubator, accelerator, angel, fund, bank, or grant body) uses Veln.ai to collect founder applications, Veln.ai acts as a data processor and the evaluator is the data controller. When a founder uses Veln.ai on their own account, the founder is the controller of their own data and Veln.ai remains the processor.

Scope and subject matter

Veln.ai processes the personal data you submit through the platform solely to deliver the contracted service: structured founder interviews, scorecards, generated documents (deck, one-pager, memo, grant draft), data-room sharing, and analytics. We do not process your data for any other purpose. We do not sell your data. We do not use your data to train third-party AI models. Processing continues for the duration of your subscription and the retention period you configure (default 30 days after account closure).

Subprocessors

We rely on a small set of EU-friendly subprocessors. Supabase (Frankfurt, EU) hosts your Postgres database and file storage. OpenAI processes prompts under their enterprise terms (zero data retention, no training on customer data). Pinecone (EU region) stores document embeddings used for grounded retrieval. Perplexity is only invoked when an evaluator explicitly enables web-grounded market research. Resend sends transactional email. Stripe processes payments. We will notify you in advance of any subprocessor change and provide a reasonable window to object.

Security, breach notification, and data-subject rights

All data is encrypted in transit (TLS 1.2+) and at rest. Access is gated by row-level security on every table. We will notify you of any confirmed personal-data breach affecting your records without undue delay and in any case within 72 hours of confirmation. You can export or delete your data from inside the app at any time. We respond to data-subject access, rectification, erasure, restriction, and portability requests within 30 days. On contract termination, your data is deleted within 90 days unless a longer period is required by law.

Contact

For DPA questions, a signed counterpart, or to invoke a data-subject right, contact privacy@veln.ai. We respond to every request within five business days.