Privacy Policy
Last updated: 26 June 2026
This policy explains what personal data Veyllo processes when you use our Service, why, on what legal bases, and the rights you have. Please also see our Terms of Service.
1. Controller and contact
The controller responsible for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR) is:
Veyllo GmbH
Pappelallee 78
10437 Berlin, Germany
Email: info@veyllo.io
We have not appointed a data protection officer, as we are not legally required to do so. For any questions about data protection or to exercise your rights, please contact us at the address above.
2. Categories of data we process
- Account data: name, email address, hashed password, and account settings.
- Usage data: API calls and metadata: capability used (chat / vision / TTS / STT), token counts, timestamps, and the identifier of the API key used.
- Content data: the inputs you send to the API (text prompts, images, audio) and the outputs returned. This content is processed only transiently to fulfil your request and is not stored by us afterwards.
- Billing data: credit balance, transactions, invoice data, and a payment-method reference held by our payment processor. We do not store full payment-card numbers.
- Technical data: IP address, browser/device information, and server and security logs.
3. Purposes and legal bases of processing
We process personal data for the following purposes and on the following legal bases:
- Providing the Service and your account (authentication, serving API requests, metering, support): to perform our contract with you, Art. 6(1)(b) GDPR.
- Billing and payment processing: to perform the contract, Art. 6(1)(b) GDPR, and to comply with legal retention obligations, Art. 6(1)(c) GDPR.
- Security, abuse prevention, and ensuring stable operation: our legitimate interest in protecting and operating the Service, Art. 6(1)(f) GDPR.
- Compliance with legal obligations (e.g. tax and commercial-law retention): Art. 6(1)(c) GDPR.
- Service communications (e.g. confirmation, security, and account notices): contract performance or legitimate interest, Art. 6(1)(b)/(f) GDPR.
- Where we ask for your consent (e.g. any optional communications): Art. 6(1)(a) GDPR; you may withdraw consent at any time with effect for the future.
4. Recipients and processors
We use carefully selected service providers who process personal data on our behalf as processors under data-processing agreements pursuant to Art. 28 GDPR. The main recipients are:
- Supabase: authentication and database hosting (account and application data), hosted within the European Economic Area (or the United Kingdom, which benefits from an EU adequacy decision).
- Stripe: payment processing and storage of payment-method data (Stripe Payments Europe, Ltd. / Stripe, Inc.).
- Vercel: hosting and content delivery of the website and application (Vercel Inc.).
- OpenAI: vision capability: the image and related text inputs you submit are forwarded to the OpenAI API for processing. EEA, UK, and Swiss users are served by OpenAI Ireland Ltd., Dublin, Ireland; processing also takes place in the United States.
- Chat capability (DeepSeek open-weight model): your text prompts are processed using the open-weight DeepSeek model. We run it either on our own infrastructure within the EEA (self-hosted) or through Fireworks AI, Inc. (United States) as our inference hosting provider.
- Providers for speech-to-text (STT) and text-to-speech (TTS) are not yet finalized; this list will be updated before those capabilities go live.
We only disclose data to other third parties (e.g. authorities) where we are legally obliged to do so or where it is necessary to assert, exercise, or defend legal claims.
5. Transfers to third countries
Some of our processors are based in, or process data in, countries outside the European Economic Area (EEA):
- United States: for example OpenAI, Stripe, Vercel, and Fireworks AI (our inference hosting provider, where chat is served via Fireworks rather than our own EEA infrastructure). For these transfers we rely on appropriate safeguards, in particular the European Commission’s Standard Contractual Clauses (Art. 46(2)(c) GDPR) and, where the recipient is certified, the EU–US Data Privacy Framework.
We do not transfer personal data to the People’s Republic of China. Although we use the open-weight DeepSeek model for chat, it is run only on our own EEA infrastructure or, via Fireworks AI, on US infrastructure, never via DeepSeek’s own services. Where chat is served from our self-hosted EEA infrastructure, no transfer outside the EEA takes place. A copy of the relevant safeguards can be requested from us at the contact address above.
6. Cookies and local storage
We use strictly necessary cookies and similar technologies (such as local storage) that are required to provide the Service, in particular to keep you signed in and to secure the application. The legal basis is Art. 6(1)(f) GDPR and § 25 (2) TTDSG, as these are technically necessary. We do not use non-essential tracking or advertising cookies.
7. Storage period
We store personal data only as long as necessary for the purposes described, or as required by law:
- Account data: until you delete your account, plus a short technical grace period.
- Billing and invoice data: for the statutory retention periods of up to 10 years (§ 147 AO, § 257 HGB).
- Usage and security logs: for up to 12 months, in line with our security and operational needs.
After the relevant period expires, the data is deleted or anonymized.
8. Your rights
Subject to the statutory requirements, you have the following rights regarding your personal data:
- right of access (Art. 15 GDPR);
- right to rectification (Art. 16 GDPR);
- right to erasure (Art. 17 GDPR);
- right to restriction of processing (Art. 18 GDPR);
- right to data portability (Art. 20 GDPR);
- right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR).
To exercise your rights, contact us at info@veyllo.io.
9. Right to object
Where we process your data on the basis of our legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to that processing at any time on grounds relating to your particular situation (Art. 21 GDPR). We will then no longer process the data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
10. Right to lodge a complaint
Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement. The authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
11. Security
We take appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), access controls, and row-level isolation of account data. Our measures are reviewed and adapted in line with technological developments.
12. Obligation to provide data
Providing certain data (such as email and password) is necessary to create an account and use the Service. Without it, we cannot provide the Service. Otherwise, you are under no statutory or contractual obligation to provide data.
13. Automated decision-making
We do not use automated decision-making producing legal effects concerning you within the meaning of Art. 22 GDPR. The Service generates AI output at your request; this output is provided for your own assessment and is not an automated decision about you.
14. Children
The Service is not directed to children. You must be at least 18 years old to create an account. We do not knowingly process the personal data of children.
15. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our processing or in legal requirements. The current version is always available on this page with the date of the last update shown above.