Privacy Policy

When you create a Vela account, we collect your email address and a password (stored securely via Supabase authentication). You may optionally provide a display name. We do not collect your legal name, phone number, or home address unless you voluntarily provide them.

Vela connects to your bank accounts through Plaid, a third-party financial data platform. When you choose to link a bank account, we receive and store:

• Bank account names and institution names
• Transaction history, including dates, amounts, merchant names, and spending categories
• Account identifiers required to refresh your transaction data

We do not receive or store your full bank account numbers, login credentials, or card numbers. Plaid handles authentication with your financial institution directly. You can review Plaid's privacy practices at https://plaid.com/legal/.

Vela uses RevenueCat to manage in-app subscriptions. When you subscribe, RevenueCat processes your payment through Apple or Google and provides us with your subscription status (active, expired, etc.) and a pseudonymous subscriber ID. We do not receive your full payment card details. RevenueCat's privacy policy is available at https://www.revenuecat.com/privacy/.

We use Sentry, a crash reporting tool, to identify and fix technical errors in the app. Sentry may collect device information (device model, operating system version), error logs, and app state at the time of a crash. Before any data is sent to Sentry, we automatically remove sensitive financial information such as transaction amounts, account numbers, and merchant names.

If you contact us for support (e.g. by emailing admin@velaawareness.com), we will receive and retain your name, email address, and the contents of your message.

We share information with the following third-party service providers, each of which processes data only as necessary to provide their services to us:

• Supabase (database and authentication infrastructure) — supabase.com/privacy
• Plaid (bank connectivity) — plaid.com/legal
• RevenueCat (subscription management) — revenuecat.com/privacy
• Apple / Google (payment processing for subscriptions) — subject to their respective privacy policies
• Sentry (crash reporting) — sentry.io/privacy

We may disclose your information if we are required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights or safety of any person.

We do not sell, rent, or trade your personal information to third parties for their marketing or commercial purposes.

We retain your personal information only for as long as necessary to provide the Service and fulfill the purposes described in this policy.

• Account data (email address, display name, authentication credentials): retained for the lifetime of your active account.
• Financial and transaction data retrieved via Plaid: retained for the lifetime of your active account, and used solely to power the spending summaries and category views within the app.
• Subscription status records: retained for the lifetime of your active account and for a reasonable period thereafter as required for billing dispute resolution.
• Support correspondence: retained for up to two (2) years from the date of the most recent message in the thread.
• Crash and diagnostic reports (Sentry): subject to Sentry's own retention policies, typically 90 days. We do not control retention of data once transmitted to Sentry.

We do not retain financial transaction data for any purpose beyond providing the Service to you. We do not sell, license, or otherwise use retained data for secondary commercial purposes.

You may request permanent deletion of your account and all associated data at any time. To do so, navigate to your Profile within the Vela app and select the account deletion option. The deletion process works as follows:

• Your Plaid bank connections are immediately unlinked. All Plaid access tokens and item credentials stored in our system are revoked and deleted as part of this flow, using Plaid's item removal API. This prevents any further transaction syncing from your financial institution.
• All transaction data, spending summaries, account identifiers, and user profile information stored in our database are permanently deleted.
• Your Supabase authentication record is removed, invalidating all active sessions.
• Your RevenueCat subscriber record is anonymized; we do not retain a link between your deleted account identity and any prior subscription history.

Deletion is permanent and cannot be undone. Following account deletion, residual copies of your data may persist in encrypted Supabase database backups for up to 30 days before those backups are rotated and purged. During this window your data is not accessible to us in the normal course of operations. After 30 days, no recoverable copy of your personal data will remain in our systems.

If you are unable to access the in-app deletion flow, you may also request deletion by emailing admin@velaawareness.com. We will process verified deletion requests within 30 days.

We review this Privacy Policy at least once per calendar year to ensure it accurately reflects our data practices. We also review and update this policy promptly whenever we make a material change to how we collect, use, or share personal information — for example, if we add a new data processor, introduce a new product feature that involves personal data, or change our retention practices.

The "Last Updated" date at the top of this policy reflects the date of the most recent review or revision. When we make material changes, we will notify you by updating that date and, where appropriate, by in-app notice or email. Your continued use of the Service after any update constitutes acceptance of the revised policy.

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA), you have the right to access the personal information we hold about you, request corrections, and withdraw your consent to our use of your information (subject to legal and contractual restrictions). To exercise these rights, contact us at admin@velaawareness.com.

If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of your personal information. We do not sell personal information. To submit a request, contact us at admin@velaawareness.com.

Regardless of your location, you may contact us at any time to access, correct, or delete your information, or to ask questions about how we handle your data.