Privacy Policy

隐私政策

Pre-publication draft. The source document is an internal draft and is not a publicly issued version (内部起草初稿,非对外正式发布版本). This English rendering is provided for review; the finalized public version (which prevails on conflict) is pending legal review and completion of the bracketed placeholders below.

Status: Ready (pre-publication — pending Legal Lead final review + placeholder fill)

Contracting entity: Velarum Labs LLC (Wyoming, USA)

Governing law: GDPR / UK GDPR / CCPA / PIPL / PDPA aligned

Last updated: 2026-05-27

Effective date: Pending legal finalization

§1Summary (60-second read) · 摘要
§2Controller Identity & Contact · 控制者身份与联系方式
§3Data We Collect · 我们收集的数据类别
§4Cross-Border Transfers · 跨境数据传输
§5Data Retention · 数据保留期
§6Your Rights · 您的权利
§7Per-Jurisdiction Notes (APAC focus) · 各辖区差异表
§8Automated Decision-Making (GDPR Art.22) · 自动化决策
§9Data Security · 数据安全
§10Cookies & Similar Technologies · Cookies 与类似技术
§11Changes to this Policy · 政策变更

§1 · Summary (60-second read) · 摘要

Key question	Short answer
What is Velarum?	A non-custodial payment protocol layer and developer infrastructure for the AI-agent economy. Velarum does not hold your funds, keys, or signing material (see ToS §3.2).
What do you collect by default?	Only six minimal PII items: email, username, API-key metadata, public wallet address, API call logs, IP address. Other sensitive data (IDs, passports) is collected at zero by default.
When is more data collected?	Only under the ADR-NC-008 4-tier triggers (L1 legal compulsion / L2 customer contract / L3 product gating / L4 never); IDs are handed by you directly to a trusted third-party Issuer — Velarum stores no raw data.
Do you sell my data?	No (see §2.5 and the CCPA/CPRA “Do Not Sell” section).
How do I exercise my rights?	Contact [VELARUM_PRIVACY_EMAIL] or submit via the DSAR SOP; reply within 30 days.
Where is data stored?	Primarily in the EU ([CLOUD_REGION_EU]); cross-border transfers use SCCs. See §4.
How long is it retained?	See §5 and the Data Retention Spec.

§2 · Controller Identity & Contact · 控制者身份与联系方式

2.1 Data controller

Company: Velarum Labs LLC (Wyoming, USA).
Registered address: Wyoming, USA — full address [PENDING-REGISTRATION].
Registration number: [PENDING-REGISTRATION] (filled after the Wyoming SOS Articles of Organization).
Website: [PENDING-REGISTRATION] (filled after domain registration).

Tier C reminder: Velarum Labs LLC is a Wyoming LLC; although registered in the USA, the USA itself remains Tier C pending-exclusion (ADR-NC-010 + ToS §13). Velarum, via its charter and ToS, expressly refuses service to US / Japan / Mainland China / Russia Tier C customers — an operational action independent of the LLC’s place of registration.

2.2 Data Protection Officer (DPO)

Email: [VELARUM_DPO_EMAIL].
Appointment status: [DPO_APPOINTMENT_STATUS].

2.3 EU representative (GDPR Art.27)

As Velarum is not established in the EU, we have appointed [VELARUM_REPRESENTATIVE_EU] as our EU representative to handle inquiries from EU data subjects and regulators. Representative: [VELARUM_REPRESENTATIVE_EU]; Address: [VELARUM_REPRESENTATIVE_ADDR]; Email: [VELARUM_REPRESENTATIVE_EMAIL].

2.4 General contact

Privacy matters: [VELARUM_PRIVACY_EMAIL].
Security incidents: [VELARUM_SECURITY_EMAIL].
Data-subject requests (DSAR): [VELARUM_PRIVACY_EMAIL] or via the DSAR SOP.

2.5 No sale of data

Velarum does not sell your personal information. Under CCPA / CPRA, “sale” means disclosure for monetary or other valuable consideration; Velarum does not do this. Velarum also does not “share” your personal information for cross-context behavioral advertising.

§3 · Data We Collect · 我们收集的数据类别

3.1 Default collection (6 minimal PII items)

Whether you are a developer, enterprise admin, or individual user, Velarum holds only the following six items by default:

Data	When collected	Purpose	Legal basis (GDPR Art.6)
Email	Required at registration	Verification, password reset, notifications, security alerts	(b) contract
Username	Required at registration	Login & UI display	(b) contract
API-key metadata (hash + label + scope)	Required at API-key creation	SDK authentication	(b) contract
Public wallet address	When you connect a wallet	On-chain event subscription matching	(b) contract; public on-chain anyway
API call logs	Auto-generated	SLA reports, webhook delivery tracking, risk baseline	(f) legitimate interest
IP address	Auto-generated	Geo-blocking (SG/OFAC/US/JP), security audit	(c) legal obligation; (f) legitimate interest

3.2 Triggered collection (only under the ADR-NC-008 4-tier triggers)

Trigger	May collect	Collected by	Legal basis
L1 Legal compulsion	VC signature digest (raw ID handed by you directly to a trusted Issuer, never via Velarum)	You / Issuer	(c) legal obligation
L2 Customer contract	VC digest; metadata within the contract scope	You / Issuer	(b) contract (Enterprise)
L3 Product gating	KYB-VC digest	You / VC Issuer	(a) consent
L4 Never triggered	None	—	—

Key point (mandatory, may not be weakened): even when triggered, Velarum does not store raw ID data; it consumes only the Issuer-signed VC trust assertion and never acts as a KYC-collection intermediary.

3.3 On-chain data (public, not Velarum’s private data)

All transactions you initiate on-chain (sender, recipient, amount, contract call) are permanently public and immutable. Velarum indexes them to update your payment-intent status, provide webhook notifications, and generate observable audit logs. This passive observation does not constitute additional PII collection — on-chain data is already public.

3.4 Cookies & similar technologies

See §10.

3.5 Third-party data (data we obtain from elsewhere)

OFAC / FATF / sanctions-list providers — for address-level deny-list hooks; no PII.
On-chain analytics providers (if enabled) — for risk scoring, consuming only anonymous on-chain addresses; none of your PII.
Payment processors (Stripe / Coinbase Commerce) — subscription-payment confirmation; your payment details are held directly by the processor, and Velarum receives only success/fail status and the last 4 card digits.

3.6 Developer docs site (docs.velarumai.com)

The public docs site requires no login and processes only limited request metadata and search behavior. In-site search is processed by Algolia DocSearch (index region us-east / eu-west, not Singapore — HC-NC-2); without Algolia, Nextra’s built-in local search keeps queries in your browser. Hosting via Hetzner Online (Falkenstein, Germany — not Singapore, HC-NC-2) and reverse-proxy + WAF via Cloudflare (for SG geo-block) process access logs (IP/UA). All three are listed in the Sub-processor List and never touch your wallet / private keys / signing material (HC-NC-1).

§4 · Cross-Border Transfers · 跨境数据传输

4.1 Primary storage location

Velarum’s primary data is stored in [CLOUD_REGION_EU] (default AWS / GCP EU region).

4.2 Transfer safeguards

Safeguard	Applies to	Instrument
EU SCCs (Standard Contractual Clauses)	EU → third countries (no adequacy decision)	EU Commission SCC 2021
UK IDTA / Addendum to SCCs	UK → third countries	UK ICO IDTA
Adequacy decision	EU → Switzerland / UK / Japan (since 2019), etc.	EU Commission adequacy decision
Customer consent (GDPR Art.49(1)(a))	Fallback only, with explicit risk notice	Not relied on as a primary path

4.3 PIPL note (Mainland China)

Velarum does not proactively collect Mainland-China residents’ personal information (Mainland China is Tier C pending-exclusion in ToS §13). If a user bypasses the IP / nationality / KYC barriers in violation: Velarum stores no long-term record; short-term logs follow the PIPL breach procedure (72-hour disclosure); Velarum does not apply to the CAC for a cross-border data security assessment (no business connection in that jurisdiction).

4.4 OFAC note (Russia)

Velarum’s entity, operating entities, Anchor integrations, and banking counterparties are screened in real time against OFAC / EU CFSP / UK OFSI lists; Velarum does not contract with any entity registered or primarily operating in Russia.

§5 · Data Retention · 数据保留期

Summary (see the Data Retention & Deletion Spec §2):

Data	Retention	Deletion trigger
Email / username	30 days after a deletion request	Self-closure + 30-day cooling-off
API-key metadata	Same as the account	Account closure + 30 days
Public wallet address	Public on-chain; index retained in the Velarum DB	—
API call logs	7-year aggregate; identifiable fields anonymized after 30 days	Automatic
IP address	30-day rolling; aggregated data retained de-identified	Automatic
KYC trigger records (if L1)	Retained permanently for audit	—
Audit logs (financial, compliance)	5–7 years	Legal obligation
Breach investigation records	5 years	Legal obligation

§6 · Your Rights · 您的权利

6.1 GDPR / UK GDPR rights

Under GDPR Art.15–22 you have the following rights (we respond within 30 days unless noted):

Right to access — a copy of the personal data we hold about you.
Right to rectification — correct inaccurate or outdated data.
Right to erasure / to be forgotten — delete data no longer necessary (with exceptions for legal obligations and disputes).
Right to restriction of processing — in certain circumstances.
Right to data portability — receive your data in a structured, common, machine-readable format.
Right to object — to processing based on legitimate or public interest.
Right to withdraw consent — effective immediately, without affecting prior lawful processing.
Rights regarding automated decision-making — not to be subject to solely automated decisions (Art.22, see §8).
Right to complain — to a supervisory authority (EU users: your country’s DPA).

6.2 CCPA / CPRA (California — currently Tier C pending-exclusion)

Note: the USA (including California) is currently on the ToS §13 Tier C pending-exclusion list, and Velarum does not yet serve California residents. If service is opened after a Phase-1 trigger and an ADR-NC-010 re-review, this section takes effect and grants the rights to know, delete, correct, opt-out of sale/sharing, limit use of sensitive PI, and non-discrimination.

6.3 Other jurisdictions

Jurisdiction	Key rights	Timeline
Switzerland nFADP	GDPR-like; access / rectify / delete / object	30 days
Brazil LGPD	GDPR-like	15 days
Canada PIPEDA	Access / correct	30 days
Australia Privacy Act	Access / correct	30 days

6.4 How to exercise your rights

Submit a request to [VELARUM_PRIVACY_EMAIL] or via the DSAR SOP.
Velarum acknowledges receipt within 5 business days.
Identity verification is performed (to prevent impersonation).
Processing is completed within 30 days (extendable to 90 for complex cases, with prior notice).
Free of charge (manifestly unfounded or repetitive requests are handled per GDPR Art.12(5)). If dissatisfied, you may complain to [YOUR_DPA].

§7 · Per-Jurisdiction Notes (APAC focus) · 各辖区差异表

Velarum’s stance per Asia-Pacific jurisdiction:

Jurisdiction	Governing law	Velarum stance
Vietnam (PDPL 2023)	Decree 13/2023/ND-CP (eff. 2023-07-01)	Served — opened per ADR-NC-050 (2026-06-07), superseding the Tier C pending-exclusion of ADR-NC-019. PDPL Decree 13/2023 obligations apply; final pre-public-launch legal review pending.
Indonesia (UU PDP 2022)	UU PDP No.27/2022 (full impl. 2024)	Tier W legal-watch; full service; tracked via the Risk Register; may escalate to Tier C if legislation turns adverse.
Thailand (PDPA 2019)	PDPA B.E.2562 (full 2022-06-01)	Default zero-KYC does not trigger a mandatory DPO.
Malaysia (PDPA 2010/2024)	PDPA 2010 (2024 amendments)	Velarum’s place of registration is on the allowed list.
Philippines (DPA 2012)	RA 10173	Default zero-KYC does not trigger.
Japan (APPI)	APPI (2003/2017/2022)	Tier C pending-exclusion (ADR-NC-011); not actively served; APPI fully applies if reopened.
South Korea (PIPA)	PIPA (2011/2020)	Tier W legal-watch; full service; Virtual Asset User Protection Act (2024-07) non-custodial grey area tracked; transfers under PIPA Art.17 consent.
Taiwan (PDPA)	PDPA (2010/2015)	Served; explicitly separated from the Mainland-China exclusion (ADR-NC-012); cross-border via SCC-equivalent.
Hong Kong (PDPO)	PDPO (1995/2021)	Served; Velarum will not transfer HK user data directly to Mainland China.
UAE (PDPL 2022)	Federal Decree-Law No.45/2021	Default zero-KYC.

§8 · Automated Decision-Making (GDPR Art.22) · 自动化决策

8.1 Automated tools we use

Address-level deny-list hook — automatic screening of on-chain addresses against OFAC / FATF lists; shows a warning only, does not force-block (ADR-NC-008 §2.4).
API rate limiter — based on your subscription tier and historical call patterns.
Risk scoring (enterprise add-on) — risk scores from your agent’s behavior to assist your compliance decisions; Velarum makes no final block decision.
Geo-blocking — automatic region detection from IP / nationality declaration / KYC residence; if your region is on the ToS §13 exclusion list, access is automatically refused.

8.2 Your rights

Under GDPR Art.22 you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects, and to obtain human intervention, express your view, and contest the decision. If you believe an automated decision (especially geo-blocking) is unjust, request human review at [VELARUM_PRIVACY_EMAIL].

§9 · Data Security · 数据安全

Velarum implements the following technical and organizational measures to protect your data:

Encryption in transit — TLS 1.3 for all API, webhook, and web traffic.
Encryption at rest — field-level database encryption (AES-256) with hardware KMS / HSM key management. Note: the HSM here is used only for Velarum’s own operational data (e.g., server DB encryption keys, API-key signing keys) and never holds user private keys / mnemonics / MPC shares (HC-NC-1).
Access control — RBAC + MFA + least-privilege; staff and contractors under NDA.
Audit logs — immutable append-only, retained 5–7 years.
Threat modeling, disaster recovery / BCP, and incident response per the respective specs.
Breach notification — within 72 hours per GDPR Art.33.

§10 · Cookies & Similar Technologies · Cookies 与类似技术

10.1 Cookies we use

Type	Purpose	Consent
Essential (login session / CSRF / basic function)	Required to run the service	No consent needed (permitted by law)
Functional (language / theme)	Improve experience	Off by default; you may enable
Analytics (de-identified aggregates, e.g., Plausible)	Improve the service	Off by default; opt-in
Marketing / third-party tracking	Not used	—
Social embeds	Only on docs article pages (optional Twitter/GitHub embeds)	Opt-in

10.2 Your choices

EU users (GDPR + ePrivacy): all non-essential cookies are off by default; opt-in on first visit; change anytime via the cookie banner.
California users (CCPA; currently Tier C pending): a “Do Not Sell or Share My Personal Information” link will be provided once service is opened.
Other jurisdictions: non-essential cookies off by default (the most conservative approach).

10.3 Browser Do Not Track (DNT)

Velarum’s website respects the browser DNT signal: when DNT=1, non-essential cookies are disabled even if you previously opted in.

§11 · Changes to this Policy · 政策变更

Velarum may update this Policy from time to time. Material changes (affecting your substantive rights and obligations) are notified 30 days in advance via email + dashboard banner.
Non-material changes (typos, link updates, formatting) take effect immediately.
Prior versions are available at [VELARUM_PRIVACY_HISTORY_URL] (legal obligation).