Home

Privacy Policy

How velixir Ltd handles personal data - what we collect, why, where it lives, and what rights you have over it.

Last updated . Operated by velixir Ltd (company no. 17240244, registered in England & Wales).

1. Who we are

velixir Ltd (“velixir”, “we”, “us”) is the data controller for this website (velixir.net) and the velixir deployment platform. We're a company registered in England & Wales under company number 17240244, with our registered office at Office 2, Risebridge Farm, Peasley Lane, Cranbrook, England, TN17 1HP.

For privacy questions, email [email protected]. For account-related queries, [email protected].

2. What we collect

Account data

  • Email address (sign-in identifier, billing notifications, service messages).
  • Display name (chosen by you).
  • Hashed password (we never see the plaintext - ASP.NET Identity PBKDF2).
  • OAuth subject identifier if you sign in with GitHub or Google (no profile data beyond the identifier and email).
  • Two-factor authentication secrets (if enabled) and recovery codes.

Billing data

  • Stripe customer ID, card brand and last four digits, billing address.
  • Transaction history (amounts, timestamps, status).
  • We do not store full card numbers, CVCs, or bank details - Stripe handles that under PCI-DSS Level 1 compliance.

Service data

  • Names you assign to apps, projects, teams, databases and caches.
  • Environment variables you set (encrypted at rest using ASP.NET Data Protection).
  • Deployment logs, build logs, runtime logs, runtime metrics (CPU/RAM/HTTP samples).
  • API key hashes (the raw key is shown once at creation and discarded).
  • Audit log of admin actions on your team.

Communications

  • Support tickets and email correspondence.
  • Email-delivery metadata (Resend message IDs, delivery status).

Technical

  • IP address (logged on sign-in attempts, deployments, and security events).
  • User-agent strings on dashboard access.
  • Cookies for the authentication session and anti-forgery tokens (see Cookie Policy).

3. Why we collect it (legal bases under UK & EU GDPR)

PurposeLegal basis
Operating your account, deploying your apps, sending service emailsPerformance of contract
Charging the agreed fees, sending tax invoices, fraud preventionPerformance of contract / legitimate interests / legal obligation (tax law)
Security, abuse prevention, audit loggingLegitimate interests
Marketing emails (only after explicit opt-in)Consent
Responding to support requestsLegitimate interests

4. Where data lives - processors and sub-processors

Your workload data (the apps you deploy, the databases you provision, and the backups we take of them) is hosted in the region you choose at deployment time. We currently offer regions in the European Union (Germany, Finland), the United States (Virginia, Oregon), and the Asia-Pacific region (Singapore). Account data (your email, billing address, audit log) is held in our European Union region regardless of which region(s) you deploy workloads to. We use the following sub-processors to deliver the service. A current list is maintained alongside our Data Processing Agreement:

  • Hetzner Online GmbH (Germany, Finland, Virginia & Oregon) - compute infrastructure for K3s clusters, object storage for backups in EU and US regions.
  • OVH SAS (Singapore) - compute infrastructure for the Asia-Pacific region.
  • Stripe Inc. (Ireland for EU customers, US for others) - payment processing.
  • Resend Inc. (United States) - transactional email delivery. Covered by EU-US Data Privacy Framework.
  • Cloudflare Inc. (United States, with global PoPs) - DNS, anti-DDoS, edge caching. Covered by EU-US Data Privacy Framework + SCCs.
  • hCaptcha (Intuition Machines Inc., United States) - anti-bot on signup. Covered by SCCs.
  • GitHub Inc. / Google LLC - only if you sign in with their OAuth providers.

We do not sell personal data, and we do not use it for advertising profiling.

5. International transfers

Your account data (the data we hold about you, separate from the workload data your apps process) is held in our European Union region. Workload data is held in the region(s) you choose at deployment time - EU, US, or Asia-Pacific. We do not replicate workload data between regions unless you've explicitly opted in to a cross-region feature such as warm-standby HA or cross-region backup. Sub-processors with US infrastructure (Resend, Cloudflare, hCaptcha) are governed either by the EU-US Data Privacy Framework or by Standard Contractual Clauses (SCCs) as published by the European Commission.

6. How long we keep data

  • Account data - while your account is active and for 30 days after you delete it (window during which deletion can be reversed).
  • Billing data - six years after the last transaction, to satisfy HMRC record-keeping requirements.
  • Service data (apps, databases, caches, env vars) - deleted within 30 days of account deletion or resource deletion.
  • Logs and metrics - typically 30 days. Aggregate metrics may be retained longer for capacity planning, with no personal identifiers.
  • Audit logs - retained while your account is active so you can review admin actions on your team.

7. Your rights

Under UK GDPR and EU GDPR you have the right to:

  • Access - request a copy of your personal data.
  • Rectification - correct inaccurate data (most of which you can edit in your dashboard).
  • Erasure - delete your account and associated data (subject to the six-year billing retention above).
  • Portability - receive your data in a machine-readable format.
  • Objection - object to processing based on legitimate interests.
  • Restriction - ask us to limit processing while a dispute is resolved.
  • Withdraw consent - where processing relies on consent (e.g. marketing emails), at any time.

Email [email protected] to exercise any of these. We respond within 30 days. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk) or your national data protection authority.

8. Security

We use industry-standard measures including TLS in transit, AES-256 at rest, hashed passwords (PBKDF2 with random salts), encrypted environment variables (ASP.NET Data Protection), optional two-factor authentication, signed session cookies, anti-forgery tokens on every state-changing form, hCaptcha on sign-up, and rate limiting on authentication endpoints. Production infrastructure is administered through hardware-key-secured SSH; the database is firewalled from the public internet.

9. Children

velixir is not directed at children under 16. We don't knowingly collect data from anyone under 16; if we learn that we have, we'll delete the account.

10. Changes to this policy

We'll update this page when we materially change how we handle data. The “Last updated” date above tracks revisions. If we make a change that significantly affects you, we'll send a service email before it takes effect.

11. Contact

velixir Ltd
Office 2, Risebridge Farm, Peasley Lane
Cranbrook, England, TN17 1HP
[email protected]