01Introduction
Veltrum Technologies Pvt. Ltd. ("Veltrum", "we", "our", or "us") operates the Veltrum.io commerce orchestration platform — a software-as-a-service product that helps brands unify their commerce stack and deploy AI agents to run operational workflows. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it.
This policy applies to veltrum.io, our customer dashboard, our APIs, and any product, page or interaction that links to it. It does not apply to third-party services we integrate with — those are governed by their own privacy policies.
02Who we are
Veltrum Technologies Pvt. Ltd. is incorporated in India (CIN pending), with its registered office in Hyderabad, Telangana. For the purposes of EU/UK GDPR, we act as a data controller with respect to information collected through our marketing site and account onboarding, and as a data processor with respect to data processed inside our customers' Veltrum workspaces on their behalf.
03Data we collect
We collect information in three categories:
3.1 Information you give us
- Waitlist & account data: name, work email, phone number, brand name, GMV bracket, team size.
- Billing data: billing contact, GST/VAT number, billing address, last four digits of payment instrument (full instrument is held by our payment processor).
- Communications: emails, support tickets, calls and any content you send us.
3.2 Information generated when you use Veltrum
- Workspace data: agent configurations, workflow definitions, audit logs, KPI snapshots and review documents.
- Connector data: the data you authorise Veltrum to read from connected systems (Shopify, Meta Ads, Shiprocket, GA4, Razorpay, etc.) — only the fields needed to run the agents you have deployed.
- Telemetry: page views, feature usage, browser type, IP address, device identifiers, error reports.
3.3 Information from third parties
- Identity providers (Google, Microsoft) when you sign in via SSO — name, email, profile photo.
- Enrichment vendors (e.g. Apollo, Clearbit) for company-firmographic information used in our sales process.
04How we use data
| Purpose | Examples |
|---|---|
| Provide the service | Run agents, sync connectors, generate weekly reviews, render dashboards. |
| Improve the service | Aggregated, de-identified analytics; debugging; A/B tests of UI changes. |
| Communicate | Onboarding emails, product updates, security advisories, billing notices. |
| Sales & marketing | Reach out to prospects who applied to the waitlist; targeted advertising for lookalike audiences. |
| Compliance | Anti-abuse, anti-fraud, audit trails, responding to lawful requests. |
We do not use customer workspace data to train foundation models, and we do not sell personal data to third parties.
05Legal basis (EEA / UK)
Where GDPR applies, we rely on the following lawful bases:
- Contract — to deliver Veltrum to you under our customer agreement.
- Legitimate interest — to keep Veltrum secure, prevent abuse, and improve the product.
- Consent — for non-essential cookies, marketing emails to non-customers, and any sensitive processing where consent is required.
- Legal obligation — to comply with tax, accounting, or court orders.
06Sharing & disclosure
We share data only with the following categories of recipients, and only when needed:
- Sub-processors who run parts of our infrastructure (see section 7).
- Connectors you authorise. When you connect Shopify, Meta Ads, etc., Veltrum reads from and writes to those services on your behalf.
- Professional advisers (lawyers, auditors, accountants) under confidentiality.
- Acquirers in the event of a merger, acquisition or asset sale — with prior notice and equivalent protection.
- Authorities when compelled by valid legal process, with the narrowest scope possible and notice to you where lawful.
07Sub-processors
An always-current list of our sub-processors is available from info@veltrum.io on request. Today they include:
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Hosting, compute, storage | ap-south-1, us-east-1 |
| Cloudflare | CDN, DDoS, WAF | Global |
| Stripe / Razorpay | Payments | US / IN |
| Anthropic, OpenAI | LLM inference | US |
| Postmark | Transactional email | US |
| Sentry | Error monitoring | US |
| PostHog | Product analytics | EU |
08Retention
- Account data: retained while your workspace is active and for 90 days after deletion.
- Connector data: refreshed continuously; cached up to 30 days after disconnect.
- Audit logs: 12 months by default, configurable up to 7 years on Enterprise plans.
- Marketing leads: 24 months from last interaction.
- Tax & billing records: as long as required by Indian tax law (currently 8 years).
09Security
We aim to keep Veltrum to the standard of the most security-conscious teams that use it. Controls include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- SSO + SCIM, MFA enforcement, role-based access control.
- Dedicated VPC, network segmentation, private subnets for data plane.
- Annual third-party penetration tests; SOC 2 Type II in progress.
- 24/7 security monitoring with on-call rotation; documented incident response plan.
If you suspect a vulnerability, please email info@veltrum.io. We aim to acknowledge reports within 24 hours.
10International transfers
Veltrum is operated from India and the United States. When personal data leaves your country of residence, we rely on Standard Contractual Clauses, the UK IDTA, and equivalent transfer mechanisms. A copy of the relevant clauses is available on request.
11Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data ("right to be forgotten").
- Object to or restrict certain processing.
- Port your data to another provider.
- Withdraw consent at any time.
- Lodge a complaint with your supervisory authority.
To exercise any of these, email info@veltrum.io. We aim to respond within 30 days.
12Cookies & tracking
We use first-party cookies for essential functions (auth, CSRF, session) and a small set of third-party analytics tools (PostHog, Google Analytics) to understand how the product is used. You can opt out via the cookie banner on first visit, or by adjusting your browser settings.
We do not run third-party advertising trackers inside the authenticated Veltrum dashboard.
13Children's privacy
Veltrum is a B2B product not directed at children. We do not knowingly collect data from anyone under 18. If you believe a minor has used our service, please contact us and we will delete the relevant information.
14Changes to this policy
We may update this policy as the product evolves. Material changes will be communicated by email to active customers at least 30 days before they take effect. The version and "last updated" date at the top of this page will always reflect the current revision.
15Contact
For any privacy questions, requests, or concerns, contact our Data Protection team:
- Email: info@veltrum.io
- Postal: Veltrum Technologies Pvt. Ltd., Hyderabad, Telangana, India