Velvr — Privacy Policy
Version: v1.0 (Beta) — effective 2026-05-27. Subject to update; see Section 13 (Changes to This Policy).
Effective Date: 2026-05-27
Last Updated: 2026-06-01
1. About This Policy
MAKOA LLC ("Velvr", "we", "us", "our"), a Florida limited liability company located at 3833 Powerline Rd, Suite 201, Fort Lauderdale, FL 33309, operates the software-as-a-service platform "Velvr" at velvr.app.
This Privacy Policy describes how Velvr collects, uses, discloses, and protects personal information in connection with the Service. It should be read together with our Terms of Service, Data Processing Agreement (DPA), and Acceptable Use Policy.
Critical Distinction — Two Roles:
Velvr operates in two distinct privacy roles depending on whose data is processed:
(a) For our direct customers (Creators using the Service): Velvr is the Data Controller of your account, billing, support, and usage data. This Policy primarily addresses that relationship.
(b) For end-user data processed via the Service (Fans on Fanvue, etc.): Velvr acts strictly as a Data Processor on behalf of our Customer (the Creator), in accordance with the DPA. If you are a Fan whose data is processed by a Creator using Velvr, your primary point of contact for privacy rights is that Creator. We assist Creators in responding to such requests as set forth in the DPA.
2. Geographic Availability
The Service is offered to creators in the United States and the European Union/EEA, and is intended for that audience.
EU/EEA users. For Customers and Fans in the EU/EEA, Velvr processes personal data under the safeguards described in this Policy and the DPA, including Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914 for transfers to the United States, and an EU Representative designated under Article 27 GDPR (named in Section 14). Fan data processed via the Service may include EU/EEA residents subscribing to a Creator on Fanvue; for that processing Velvr acts as Data Processor and the Creator is the Data Controller. Availability in further regions (such as the United Kingdom or Switzerland) will follow once local representation is in place.
3. Information We Collect
3.1 As Data Controller (Direct Customer Data)
We collect the following categories of personal information about our Customers (Creators):
| Category | Examples |
|---|---|
| Identity & Contact | Name, email, account credentials, business contact information |
| Account & Profile | Account preferences, persona configurations, support ticket history |
| Financial & Transaction | Subscription tier and status. For Fanvue App Store plans, Fanvue is merchant-of-record and processes payment data — Velvr does not receive or store card numbers. (Off-Fanvue Enterprise plans are billed via Stripe; Velvr stores only a customer identifier, not card numbers.) |
| Usage & Technical | IP address, browser type, operating system, device identifiers, login data, pages visited, features used, error logs |
| Communications | Support requests, feedback, communication preferences |
3.2 As Data Processor (Fan Data via Customer's Use of the Service)
When Customers use the Service to process data of their fans (via Fanvue OAuth connection), the following categories of personal data may be processed:
| Category | Examples |
|---|---|
| Fanvue Account Data | Fanvue handles, display names, nicknames, avatar URLs, registration timestamps |
| Conversation Data | Inbound and outbound message contents, timestamps, attachment metadata |
| Behavioral Data | Read/unread status, online status, response patterns |
| Transactional Data | PPV purchase history, tipping data, subscription state, spending lifetime aggregates |
| Analytical Data | AI-generated predictive scores (spending propensity, funnel-stage), conversion attribution |
| Content Data | Media files in the Vault, captions, message templates |
| Special Categories (GDPR Art. 9) | Information about sex life or sexual orientation insofar as voluntarily disclosed by fans through their Fanvue interactions |
For Fan data processing, Velvr acts on the documented instructions of the Customer (Creator), as set forth in the DPA. The Customer is responsible for maintaining a valid lawful basis under applicable data protection laws.
3.3 Aggregated and Anonymized Data
We may generate aggregated, anonymized, or irreversibly de-identified data from our Service operations for internal analytics, security, fraud prevention, and product improvement. This data does not identify individuals and is not subject to Data Subject rights. See DPA Annex IV for details.
4. How We Use Information
4.1 As Data Controller (Direct Customer Data)
We use Customer personal information for:
(a) Performance of Contract — to register your account, provide the Service, process payments, generate analytics, and provide customer support;
(b) Legitimate Interest — to maintain Service security, prevent fraud, improve features, and study product usage trends in aggregated form;
(c) Legal Compliance — to comply with tax, accounting, regulatory, and law-enforcement obligations;
(d) Communications — to send Service-related notifications, billing notices, and (with your consent) marketing communications.
4.2 As Data Processor (Fan Data)
We process Fan data solely for the purposes set forth in the DPA and the Customer's documented instructions, which typically include:
(a) Hosting, storing, and securing the data on our infrastructure;
(b) Executing the AI Auto-Reply Feature for personas where the Customer has enabled the master switch, subject to per-conversation mute control;
(c) Generating analytics, segmentation, and conversion-tracking insights for the Customer;
(d) Providing the Composer Feature with AI-assisted reply suggestions;
(e) Maintaining audit logs for compliance and dispute-resolution purposes;
(f) Complying with applicable laws or valid legal process.
We do not use Fan data for our own marketing, profiling, or for any purpose unrelated to the Customer's instructions.
5. Disclosure of Information
We may share personal information with the following categories of third parties:
5.1 Service Providers (Sub-Processors). We engage third-party service providers to operate the Service. A complete list is maintained at app.velvr.app/legal/operational-defaults §6 and includes (without limitation):
- Infrastructure: Vercel Inc., Supabase Inc., Cloudflare Inc., Inngest Inc.
- AI / Machine Learning: xAI Corp.
- Payments: Fanvue (merchant-of-record for App Store plans); Stripe Inc. (off-Fanvue Enterprise plans only)
- Communications: Resend Inc.
- Observability: Sentry (Functional Software Inc.), PostHog Inc.
All Sub-Processors are bound by data protection obligations substantially equivalent to those in our DPA.
5.2 Third-Party Platforms (You-Authorized). When you connect a third-party platform (e.g., Fanvue), data flows between Velvr and that platform pursuant to your OAuth authorization. Such transfers are governed by the third-party platform's privacy policy.
5.3 Legal and Regulatory. We may disclose information to: (a) comply with law, regulation, or valid legal process (subpoena, court order); (b) protect Velvr's legal rights, property, or safety; (c) cooperate with law enforcement when reasonably necessary; (d) respond to claims of intellectual property infringement.
5.4 Corporate Transactions. In the event of a merger, acquisition, dissolution, or sale of assets, your information may be transferred to the successor entity, subject to commitments under this Policy.
5.5 No Sale of Personal Information. Velvr does not sell personal information as defined under the California Consumer Privacy Act (CCPA) or similar laws. Velvr does not share personal information for cross-context behavioral advertising.
6. International Transfers
Personal data may be transferred to and processed in countries other than your country of residence, including the United States and other jurisdictions where our Sub-Processors operate. Where required, we apply safeguards including Standard Contractual Clauses (SCCs) and analogous mechanisms. Details are set forth in the DPA Section 8.
7. Data Retention
We retain personal information for the following periods (subject to extension under legal hold as set forth in the DPA):
| Data Type | Retention |
|---|---|
| audit_log (Customer-level events) | 24 months |
| fan_offer_log (full row, Fan-data) | 12 months |
| fan_offer_log (anonymized aggregates) | 5 years |
| chat_messages | Lifetime of account + 30 days after termination |
| Login / Auth events | 12 months |
| Failed-payment events | 6 years (US accounting standard) |
| Encrypted OAuth tokens | Lifetime of account, deleted on cascade |
Upon termination of your account: 30-day soft-delete window with recovery option, followed by hard-delete cascade. Data kept under compliance-mandatory retention exceptions (DPA/ToS acknowledgments, audit logs) is pseudonymized and archived separately.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit: TLS 1.3 for all external connections
- Encryption at rest: AES-256 database encryption; AES-GCM encryption for sensitive fields (OAuth tokens, encryption keys)
- Access controls: Role-based access (RBAC), need-to-know principle, multi-factor authentication for administrative access
- Audit logging: All security-relevant events logged with retention per Section 7
- Vulnerability management: Regular dependency scanning, security patching
- Backups: Encrypted daily backups with disaster recovery procedures
Full Technical and Organizational Measures (TOMs) are described in the DPA Annex II.
Despite our efforts, no security system can be guaranteed to be 100% secure. In the event of a security incident affecting personal data, we will notify affected Customers and relevant authorities as required by law.
9. Your Rights
9.1 As a Direct Customer (Velvr as Controller)
You have the right to:
- Access — request a copy of personal information we hold about you
- Correction — request correction of inaccurate personal information
- Deletion — request deletion of personal information (subject to legal/contractual exceptions)
- Portability — request export of your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Opt-Out of Marketing — opt out of marketing communications at any time
- Non-Discrimination — exercise rights without fear of discriminatory treatment
To exercise these rights, contact us at dpo@velvr.app. We will respond within 30 days (45 days for complex requests).
9.2 As a Fan (Indirect, via Customer Use)
If a Velvr Customer (Creator) processes your personal data via the Service, the Customer is the Data Controller. You should contact the Customer directly to exercise your rights. Velvr will assist Customers in fulfilling such requests as set forth in the DPA.
If you are unable to identify or reach the relevant Customer, you may contact us at dpo@velvr.app and we will assist in routing your request appropriately.
9.3 California Residents (CCPA / CPRA)
California residents have additional rights under the CCPA/CPRA, including the right to:
- Know what categories of personal information we collect and process
- Correct inaccurate personal information
- Delete personal information (subject to exceptions)
- Limit use of sensitive personal information
- Opt out of any sale or sharing for cross-context behavioral advertising (note: Velvr does not engage in either)
- Designate an authorized agent to exercise rights on your behalf
- Non-discrimination for exercising privacy rights
9.4 Florida Residents (FIPA)
Florida residents may have rights under the Florida Information Protection Act 2014, principally related to security-breach notifications. Velvr complies with FIPA breach-notification requirements as applicable.
9.5 Right to Lodge a Complaint
You may file complaints with applicable supervisory authorities, including the U.S. Federal Trade Commission (FTC), state attorneys general, or other regulators with jurisdiction.
10. Cookies and Tracking Technologies
The Service currently uses only strictly necessary cookies — required for core operation (authentication/session, OAuth state, security). Under applicable law these do not require consent.
We do not currently run analytics, advertising, or other non-essential tracking cookies. If we introduce them in the future, users in the EU/EEA will be asked for prior opt-in consent via a cookie banner and will be able to manage their preferences at any time. You can also control cookies through your browser settings; disabling strictly necessary cookies will impair Service functionality.
11. Children's Privacy
The Service is not intended for, and we do not knowingly collect personal information from, individuals under the age of 18. If we become aware that personal information of a person under 18 has been collected, we will delete such information and terminate the relevant account.
12. AI-Generated Content and Disclosure
The Service uses artificial intelligence ("AI") to assist Creators in generating messages and analyzing data. Important notes:
(a) Fan-Side Disclosure (EU AI Act Art. 50 Compliance): Where the AI Auto-Reply Feature is active in a conversation, Velvr's mechanical Disclosure Layer ensures that the first AI-generated reply in each new conversation contains a clear and distinguishable indication that AI is assisting the reply. This applies regardless of fan jurisdiction.
(b) Velvr Does Not Train AI Models on Customer Data. Personal data processed via the Service is not used to train generic AI models. Aggregated, anonymized data may be used for internal model fine-tuning and quality assurance (DPA Annex IV).
(c) AI Output Limitations. AI-generated content may contain inaccuracies. The Customer (Creator) remains solely responsible for content sent under their identity.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or in-Service notice with reasonable advance notice. Continued use of the Service after the effective date of changes constitutes acceptance.
The "Last Updated" date at the top of this Policy indicates the most recent revision.
14. Contact and Data Protection Officer
For privacy questions, rights requests, or complaints:
Email (Data Protection Officer): dpo@velvr.app
General contact: hello@velvr.app
Postal:
MAKOA LLC (operating Velvr)
3833 Powerline Rd, Suite 201
Fort Lauderdale, FL 33309
United States
EU Representative (Article 27 GDPR). For individuals in the EU/EEA, our designated representative under Article 27 GDPR — who may be contacted on any matter relating to the processing of your personal data — is:
iuro Rechtsanwälte GmbH t/a Prighter
Schellinggasse 3, 1010 Vienna, Austria
Contact / data subject requests: https://app.prighter.com/portal/15448555534
Version 1.0 (Beta) — subject to update. Questions: legal@velvr.app.