Privacy
Last updated: 22 May 2026. Plain English version follows; legalese on request.
What we read
- Gmail (readonly + metadata): we list threads from the last 180 days. We extract the From/To/Cc, the subject, and the date. We do not store message bodies.
- Calendar (events.readonly): we list events for the same window. We extract the title, attendees, start/end. We do not store agendas, descriptions, or attachments.
- iMessage (Mac only, opt-in): our local helper queries ~/Library/Messages/chat.db for handle (phone/email), message count, and last-message timestamp per contact. The body of any message is never read by the helper, never sent over the network, and never written back to disk.
What we store
- Contacts (display name, emails, phones, your notes).
- Interactions (channel, direction, when, weight). No body. No preview.
- Reach-outs (the AI-drafted opener and your edits).
- Data-source refresh tokens, encrypted at rest with AES-256-GCM using a key held in the deploy environment, not the database.
What we do not store
- Email bodies, subjects of messages tagged sensitive, calendar agendas, iMessage content, attachments.
- Anything in incognito mode (toggle per contact).
How long we keep it
While your account is active. Delete your account from Settings → Delete account and we hard-delete immediately and revoke Google access; backups are rotated within 30 days.
Export your data
Download everything we hold — contacts, interactions, reach-outs, reminders — as JSON or CSV any time from Settings → Export your data.
Sub-processors
These are US-incorporated companies; we are migrating each one's data region into the Swiss + EU perimeter. Transfers to non-EU regions rely on the EU Standard Contractual Clauses (and the FDPIC's Swiss SCC addendum) under each provider's DPA until the migration completes. Live region status is tracked in our hosting & nLPD policy.
- Vercel — application hosting. Functions configured for EU regions (Frankfurt fra1 / Paris cdg1). US entity, EU SCC.
- Supabase — Postgres database. Target region EU-Central (Frankfurt); migration in progress. US entity, EU SCC.
- Clerk — authentication. Target region EU; migration in progress. US entity, EU SCC.
- Stripe — payments. Stripe entity (EU / Swiss / US) selected by merchant and customer country; card data stays inside Stripe's PCI-DSS perimeter, never on Vellaci servers.
- Resend — transactional email. Target region EU; migration in progress. US entity, EU SCC.
- Anthropic, via the Vercel AI Gateway — reach-out opener generation. Zero-Data-Retention mode; prompts are not retained or used for training. US entity, EU SCC.
- PostHog — product analytics. Target region EU; migration in progress. IP truncation enabled.
Contact
privacy@vellaci.ch · Editor identity and registered address: Impressum.
