velsa
Privacy policy.
How Velsa collects, uses, and protects information. Written in plain language because legal documents shouldn't be impenetrable.
Last updated: 31 May 2026 · Effective: 31 May 2026
1. Who we are
Velsa is operated by Palladium Innovations, LLC (“Palladium,” “we,” “us”), a Florida limited liability company. This policy explains what information we collect about you and what we do with it.
For the purpose of data-protection laws including the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), Palladium Innovations, LLC is the data controller for personal information processed under this policy.
2. What this policy covers
This policy applies to:
- The marketing site at velsa.io (and subdomains we operate).
- The demo environment at demo.velsa.io.
- The Velsa Cloud hosted service when made available.
This policy does not cover the Velsa Community Edition (open-source, self-hosted) or Velsa Enterprise (customer-deployed private container). In those cases, the customer is the data controller for end-user data, and a separate agreement governs the relationship between Palladium and the customer.
3. Information we collect
Information you give us
- Account information. Name, email address, organization, and other details you provide when registering for the demo or for Velsa Cloud.
- Customer content. Data you enter into Velsa: bookings, contracts, contact records, financial transactions, operational notes, files, and similar.
- Communications. Messages you send to us (email, in-app forms) and our responses.
- Payment information. When Velsa Cloud paid plans become available, payment details are collected by a PCI-compliant payment processor; we do not store full card numbers.
Information collected automatically
- Usage data. Pages visited, features used, session duration, referrer URL.
- Device and network data. IP address, browser type and version, operating system, language preference.
- Cookies and similar technologies. Used for authentication, session continuity, and minimal analytics. We do not use third-party advertising cookies.
- Logs. Server logs containing the above are retained for operational and security purposes for a limited period.
Information from third parties
If you sign in via a third-party identity provider (e.g., Microsoft Entra, Google) when supported, we receive the identifiers and profile attributes that provider returns. We do not buy personal data from third parties.
4. How we use information
We use the information described above to:
- Provide, operate, and improve Velsa.
- Authenticate users and protect account security.
- Communicate with you about product updates, security advisories, and support requests.
- Detect, prevent, and respond to abuse, fraud, and security incidents.
- Comply with legal obligations and enforce our agreements.
- Conduct internal analytics about how Velsa is used, in aggregate or de-identified form.
We do not:
- Sell personal information.
- Use customer content to train artificial-intelligence models.
- Share personal information with third parties for their independent marketing.
5. Legal bases (GDPR)
If you are in the EU, UK, or another jurisdiction with comparable law, we process personal data on one of the following bases:
- Contract. Processing necessary to provide Velsa under our terms with you or your organization.
- Legitimate interest. Processing necessary for our legitimate interests in operating, securing, and improving the service, where those interests are not overridden by your rights.
- Consent. Where you have given consent, for example to receive optional marketing emails.
- Legal obligation. Where processing is required by law.
6. How we share information
Service providers (sub-processors)
We rely on a small number of third-party providers to operate Velsa. The current list is published on the Trust page. Sub-processors are bound by data-protection terms and process personal data only on our instructions.
Legal obligations
We may disclose information if required by law, subpoena, or other legal process. Where we are legally permitted to do so, we will notify the affected customer before disclosure.
Business transfers
If Palladium is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice and the opportunity to object where required by law.
7. Where information is stored
Velsa is hosted on Amazon Web Services in the United States (Northern Virginia region). Personal information is stored and processed there. Backup copies remain in the same region.
If you are in the EU, UK, or another jurisdiction outside the United States, your information will be transferred to and processed in the United States. We rely on appropriate safeguards for these transfers, including Standard Contractual Clauses where required.
8. How long we keep information
We keep personal information for as long as your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce our agreements.
On account deletion, customer content is permanently removed within 30 days, except where retention is required by law (for example, tax records or audit logs subject to legal-hold requirements).
9. Your rights
Universal rights
- Access. Request a copy of the personal information we hold about you.
- Correction. Ask us to correct inaccurate or incomplete information.
- Deletion. Ask us to delete your personal information, subject to legal-retention exceptions.
- Portability. Request a copy of your data in a structured, machine-readable format.
- Withdraw consent. Where we rely on consent, you can withdraw it at any time.
If you are in the EU, UK, or Switzerland (GDPR)
In addition to the above, you have the right to object to processing, restrict processing, and lodge a complaint with your local data-protection authority.
If you are in California (CCPA / CPRA)
You have the right to know what categories of personal information we collect and the purposes for collection; to delete personal information; to correct inaccurate information; and to non-discrimination for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under California law.
How to exercise rights
Send a request to privacy@velsa.io. We will respond within the timelines required by applicable law (typically 30 days under GDPR; 45 days under CCPA, extendable once). We may need to verify your identity before responding.
10. Security
We use commercially reasonable technical and organizational measures to protect personal information, including encryption in transit (TLS 1.2+) and at rest (AES-256), network isolation, access controls, monitoring, and least-privilege within the operating team. More detail is on the Trust page.
No system is perfectly secure. If a security incident affects your personal information, we will notify you within the timeframes required by law and within 72 hours of confirmed incident where practicable.
11. Children
Velsa is not directed to children under the age of 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us at privacy@velsa.io and we will delete it.
12. Third-party links
Velsa may link to third-party sites or services. We are not responsible for the privacy practices of those third parties. Review their policies before sharing information with them.
13. Changes to this policy
We may update this policy from time to time. When we do, we will update the “Last updated” date at the top of the page. If changes are material, we will provide more prominent notice (for example, by email to registered users or a banner on the service). Your continued use of Velsa after changes become effective constitutes acceptance.
14. Contact us
Privacy questions and rights requests: privacy@velsa.io.
Postal mail: Palladium Innovations, LLC · 341 Angela Lane · Mary Esther, FL 32569 · United States.