Privacy Policy

Last updated: May 26, 2026

Veilo ("we", "us", "our") is a privacy-first vault app for photos, videos, and files. This Privacy Policy explains what we collect, how we use it, and the choices you have.

1. What we collect

  • Account data: email address and password (hashed). Optional recovery email.
  • Vault content: photos, videos, and files you import. Encrypted on your device before upload.
  • Subscription data: plan, status, and receipts from the App Store or Google Play. We never see your card details.
  • Security events: failed PIN attempts and optional intruder selfies stored inside your vault.
  • Diagnostic data: crash reports and basic device info (OS version, app version, device model) to fix bugs.

2. What we do not collect

  • We do not view, scan, or share the contents of your vault.
  • We do not sell your data to anyone.
  • We do not use third-party advertising or tracking SDKs.

3. How we use your data

  • To operate the app, sync your vault, and authenticate you.
  • To process subscriptions and restore purchases.
  • To provide customer support when you contact us.
  • To improve reliability and fix crashes.

9. Device permissions

Veilo only requests the permissions strictly needed for the features you use. You can revoke any permission at any time from your device settings; the related feature will simply stop working.

  • Photos / Media library: required to import photos and videos into your vault.
  • Camera: required to capture intruder selfies and to scan documents directly into the vault.
  • Face ID / Touch ID / Biometric authentication: used locally on-device to unlock the vault. We never see or store biometric data — iOS and Android keep it in the secure enclave.
  • Notifications: optional, used for backup completion, break-in alerts, and subscription reminders.
  • Network access: required to sync your encrypted vault to cloud storage on paid plans.

10. Service providers (sub-processors)

Veilo uses a small number of trusted providers strictly for operating the service. They process data on our behalf under contract:

  • Lovable Cloud (managed backend, hosted on Supabase / AWS EU regions) — stores your account, encrypted vault metadata, and support tickets.
  • RevenueCat — manages subscription receipts and entitlements from the App Store and Google Play.
  • Apple App Store / Google Play — process subscription payments.
  • Crash reporting (built-in platform diagnostics) — anonymous crash logs only, no vault content.

4. Encryption

Your vault content is encrypted on your device. Only you, using your PIN or biometric unlock, can decrypt it. If you lose your recovery phrase and recovery email, your data cannot be recovered.

11. Legal basis for processing (EU/UK)

If you are in the EU, EEA, UK, or Switzerland, we process your personal data on these legal bases under GDPR/UK-GDPR:

  • Performance of a contract — to provide the vault, sync, and subscription you signed up for.
  • Legitimate interests — to keep the service secure, prevent fraud, and fix bugs.
  • Consent — for optional features such as crash reporting or marketing emails (where applicable). You can withdraw consent at any time.
  • Legal obligation — to comply with tax, accounting, and lawful requests.

12. International data transfers

Your data is primarily stored in EU data centers. When data must leave the EU/EEA (for example, App Store/Google Play receipts), we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards.

5. Data retention

We keep your account and vault data for as long as your account is active. Deleted files stay in Trash for 30 days, then are permanently removed. Closing your account erases your data within 30 days.

6. Your rights

You can access, export, or delete your account at any time from in-app Settings, or by emailing us at support@veilo.link. Residents of the EU, UK, and California have additional rights under GDPR/CCPA which we honor on request.

7. Children

Veilo is not intended for children under 13. We do not knowingly collect data from minors.

8. Changes

We will notify you of material changes in-app or by email. Continued use of Veilo after changes means you accept the updated policy.

13. App Store & Google Play

When you purchase a subscription, Apple (App Store) or Google (Google Play) processes the payment and shares a receipt with us. Veilo never receives your full payment details. Their handling of your data is governed by:

  • Apple — see Apple's Privacy Policy at apple.com/legal/privacy.
  • Google — see Google's Privacy Policy at policies.google.com/privacy.
  • On iOS, Veilo does not use the Advertising Identifier (IDFA) and does not perform App Tracking. No App Tracking Transparency prompt is shown.
  • On Android, Veilo does not use the Advertising ID and does not include advertising or analytics SDKs beyond what is needed for crash reporting.

14. Google Play Data safety summary

For transparency with Google Play's Data Safety requirements, here is what Veilo collects and how:

  • Data collected: email address, encrypted vault files, subscription receipts, crash diagnostics.
  • Purposes: account management, app functionality, fraud prevention, analytics (crash only).
  • Data is encrypted in transit (TLS 1.2+) and encrypted at rest. Vault content is additionally end-to-end encrypted on your device before upload.
  • Data is NOT sold, and is NOT shared with third parties for advertising.
  • You can request deletion of your data at any time from in-app Settings or via veilo.link/contact.

15. Account & data deletion

You can delete your Veilo account and all associated data at any time from in-app Settings → Account → Delete account, or by visiting veilo.link/contact and requesting deletion. Account deletion permanently removes your encrypted vault, profile, and subscription record within 30 days. This satisfies the Google Play account deletion requirement.

16. Contact

Questions? Contact us or email support@veilo.link.