Privacy Policy
Last updated: May 26, 2026
1. Who we are (Data Controller)
Virelta (“Virelta”, “we”, “us”) is the controller of personal data processed through virelta.io.
- Legal entity: TODO — your name or company name
- Address: TODO — postal address
- Email: privacy@virelta.io
2. What we collect and why
We collect the minimum needed to run the service:
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Email address | Authenticate you; transactional emails | Contract (6(1)(b)) |
| Password hash (via Supabase) | Authenticate you | Contract (6(1)(b)) |
| Transcripts & generated content | Deliver the service; show your history | Contract (6(1)(b)) |
| Usage events (generation counts) | Enforce plan limits; fix bugs | Legitimate interest (6(1)(f)) |
| Stripe customer + subscription id | Process payment; manage your plan | Contract (6(1)(b)) |
| IP address (transiently, in logs) | Rate-limit abuse; security | Legitimate interest (6(1)(f)) |
We do not collect: card numbers (Stripe holds these), location data, device fingerprints, or any data from advertising trackers.
3. Sub-processors
We use the following sub-processors to run Virelta. Each operates under its own Data Processing Agreement and privacy terms.
| Provider | Purpose | Data region |
|---|---|---|
| Supabase | Database + authentication | Set per project — verify in your Supabase dashboard |
| Vercel | Application hosting | Global edge (US primary) |
| Stripe | Billing & payments | US (with EU data processing addendum) |
| Resend | Transactional email | US |
| Sentry | Error monitoring (no PII) | US |
| Upstash Redis | Rate limiting | User-selected region |
| OpenAI | AI generation | US |
| Anthropic | AI generation | US |
| Google (Gemini) | AI generation | US / Global |
| YouTube (Google) | Public-transcript fetch (when you paste a URL) | US |
| Publer (optional) | Scheduling posts (only if connected) | EU |
Transfers outside the EEA rely on Standard Contractual Clauses (SCCs) as required by GDPR Art. 46.
4. AI providers and model training
When you generate content, your transcript is sent to one or more of OpenAI, Anthropic, and Google Gemini under their respective API terms:
- OpenAI API: Does not use inputs for model training.
- Anthropic API: Does not use inputs for model training.
- Google Gemini API: Behavior depends on the API tier we operate. Paid-tier usage does not train Google’s models. Free-tier usage MAY be used by Google to improve their products. Our current tier is shown at the bottom of this section.
Current Virelta operation: Gemini free tier (training-eligible)
If model-training opt-out matters to you (regulated content, NDA material, attorney-client work), wait for our paid-tier transition or run the open-source version on your own keys.
5. Cookies
We use a small number of strictly-necessary cookies. We do not use advertising, analytics, or third-party tracking cookies.
| Cookie | Purpose | Set by | Duration |
|---|---|---|---|
| sb-*-auth-token | Authentication session | Supabase (first-party) | Session / refresh |
| workspace | Remember active workspace | Virelta (first-party) | 30 days |
| virelta-cookie-notice | Remember you saw the cookie notice | Virelta (first-party) | 365 days |
Strictly-necessary cookies do not require consent under ePrivacy Directive Art. 5(3). If we ever add analytics or marketing cookies, you will see a consent banner first.
6. Retention
- Active accounts: data is kept while the account exists.
- Inactive accounts: after 24 months with no sign-in, we may email you and then delete the account if you don’t return.
- Deleted accounts: personal data is purged within 30 days, except where retention is legally required (Stripe invoices for tax records, security/audit logs).
- Backup retention: encrypted backups roll off after 30 days.
7. Your rights (GDPR Chapter III)
If you are in the EEA, UK, or Switzerland, you have the right to:
- Access a copy of your data (Art. 15) — built into the app at Settings → Export.
- Rectify inaccurate data (Art. 16) — edit it in Settings or email us.
- Erase your account (Art. 17) — Settings → Delete account, or email us.
- Restrict processing (Art. 18) — email us.
- Object to processing based on legitimate interest (Art. 21) — email us.
- Portability of your data in a structured format (Art. 20) — the export is machine-readable JSON.
- Withdraw consent at any time, where consent is the legal basis.
We respond within 30 days. Email privacy@virelta.io.
Right to complain. If you believe we have mishandled your data, you can lodge a complaint with your local supervisory authority. A list is published at edpb.europa.eu.
8. California residents (CCPA / CPRA)
You have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any “sale” or “sharing”. We do not sell or share personal information for advertising. To exercise these rights, email privacy@virelta.io.
9. Children
The Service is not directed to users under 16. If you become aware that a child has provided us with personal data without parental consent, contact us and we will delete it.
10. Security
Data is encrypted in transit (TLS) and at rest at our infrastructure providers. Passwords are hashed by Supabase (Argon2). We do not have access to your password. If we ever suffer a breach affecting your data, we will notify you in line with GDPR Art. 33-34.
Security reports: security@virelta.io (we publish a /.well-known/security.txt).
11. Automated decision-making
Virelta uses AI to generate content suggestions. These are suggestions for you to review and edit. We do not make automated decisions with legal or similarly significant effects on you (GDPR Art. 22 does not apply).
12. Changes
Material changes will be announced in-app or by email at least 7 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
13. Contact
Privacy questions: privacy@virelta.io
Security reports: security@virelta.io
Everything else: hello@virelta.io
This policy describes our practices honestly to the best of our knowledge. It is not a substitute for legal advice — have a qualified data-protection lawyer review it before launching publicly in regulated markets.