Velour
Privacy Policy
Last updated March 9, 2026
This Privacy Policy explains how Velour processes personal data. Velour is operated by [Your full legal name], an individual established in Belgium, reachable at [your email] and [city], Belgium. For data protection purposes, that person is the data controller unless this policy states otherwise.
1. Scope
This policy applies to personal data processed when you use Velour, including when you sign in, create characters, enter profile details, purchase a paid plan, or exchange chat messages.
2. Data We Process
Depending on how you use the Service, we may process:
- account and authentication data, including identifiers received through Google sign-in;
- profile data, such as username, appearance notes, preferences, kinks, and limits;
- character, session, and message data that you create in the Service;
- technical and usage data, such as request logs, device/browser signals, IP-based rate-limiting data, and timestamps;
- billing and subscription status data from Stripe, such as payment status and subscription state;
- local device data, such as cookies, local storage settings, draft text, and temporary session tokens.
3. Sensitive and Adult Data
Velour is an adult-oriented product. Information you choose to provide in chats, profile fields, kinks, limits, or similar personalization fields may reveal intimate or sensitive information, including information about your sex life or sexual preferences.
Please do not submit sensitive personal data unless you want it processed for the Service. Where required by applicable law, we rely on your explicit consent to process sensitive data you voluntarily provide for personalization and operation of the Service. You can withdraw that consent at any time by deleting the relevant content, deleting your chats, or deleting your account, without affecting prior processing carried out lawfully before withdrawal.
Do not provide sensitive data about other people unless you have a lawful basis to do so.
4. How We Use Data and Legal Bases
We process personal data for the following purposes:
- to provide the Service, authenticate users, save chats, and generate AI responses;
- to process payments, maintain subscriptions, and prevent billing abuse;
- to secure the Service, prevent fraud, enforce limits, and investigate misuse;
- to remember product settings and device-side preferences;
- to comply with legal obligations, tax requirements, and legitimate requests from authorities;
- to improve reliability, debug errors, and monitor performance.
Under the GDPR, our main legal bases are: performance of a contract with you, compliance with legal obligations, our legitimate interests in operating and securing the Service, and, where applicable, your consent.
5. Encryption and AI Processing
Chat and profile content stored in our systems is designed to be encrypted at rest. However, to generate responses, content you choose to send through the Service must be processed server-side and may be shared with the AI model providers we use to produce outputs.
In other words: stored content may be encrypted in our systems, but prompts and conversation context can still be processed by service providers when needed to generate replies.
6. Recipients and Processors
We may share personal data with processors and service providers that help us run the Service, including:
- Supabase for authentication and certain account/profile storage;
- Convex for realtime session and message infrastructure;
- Stripe for checkout, subscription management, and payment processing;
- Google, if you choose Google sign-in;
- AI providers and routing providers, including Infermatic and/or OpenRouter, and upstream model providers used through them;
- hosting, infrastructure, analytics-free observability, and security service providers used to operate the Service.
We do not sell your personal data. We do not share chat content for advertising targeting.
7. International Transfers
Some processors may process data outside Belgium or the EEA. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other lawful transfer tools.
8. Retention
We keep data only as long as reasonably necessary for the purposes described above, including:
- account data until you delete your account or we need it for legal compliance;
- chat, session, and companion data until you delete it, your account is deleted, or automatic retention rules remove it;
- billing records for the period required by tax, accounting, and legal obligations;
- logs and security data for a limited period needed for abuse prevention, diagnostics, and incident handling;
- local drafts and device settings until you clear them or your browser/app removes them.
9. Cookies and Local Storage
Velour uses essential authentication cookies and device-side storage such as localStorage or sessionStorage for settings, draft persistence, and temporary access tokens. These technologies are used primarily to operate the Service you request.
10. Your Rights
Subject to applicable law, you may have the right to access, rectify, erase, restrict, object to, or port your personal data, and to withdraw consent where processing is based on consent.
You can exercise many of these rights directly in the product by editing your settings, deleting chats, or deleting your account. You may also contact us at [your email].
If you are in Belgium, you also have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit), without prejudice to any other administrative or judicial remedy available to you.
11. Automated Processing
Velour uses automated systems to generate responses, enforce technical limits, and personalize the experience. We do not use solely automated decision-making that produces legal effects or similarly significant effects about you in the sense of Article 22 GDPR.
12. Security
We use technical and organizational measures intended to protect personal data, including access controls, encryption measures, and service-level safeguards. No system can be guaranteed perfectly secure, and you use the Service with that understanding.
13. Children
Velour is not intended for minors. We do not knowingly offer the Service to anyone under 18. If you believe a minor has provided personal data, contact us so we can investigate and take action.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will be posted here with a revised effective date.
15. Contact
Privacy contact: [Your full legal name], [your email], [city], Belgium.