Privacy Policy

How we collect, use and protect personal data, and your rights under the GDPR.

Last updated: 1 June 2026

1. Overview

This Privacy Policy explains how TODO: Veyro GmbH (“we”, “us”) processes personal data when you visit Veyro, create an account, or use our service. We process personal data only in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable law.

Two roles: For your own account data we are the “controller”. For the personal data inside the mailboxes, stores and chatbot conversations you connect — which belongs to your end customers — we act only as a “processor” on your behalf, governed by our Data Processing Agreement. This policy concerns the data for which we are the controller.

2. Controller

The controller responsible for data processing on this website is:

TODO: Veyro GmbH
TODO: Musterstraße 1
TODO: 10115 TODO: Berlin
Germany
Email: TODO: hello@veyro.app

3. Data protection contact

We have not appointed a Data Protection Officer, as we are not required to do so. For any privacy matter you can contact us at TODO: privacy@veyro.app.

4. What data we process, why, and on what legal basis

a) Account and contract data

When you register and use the service we process your email address, name, password (stored only as a salted hash), company/organisation details, role, team membership and your settings and content within the product.

Purpose: to create and operate your account, provide the service, and fulfil our contract with you. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

b) Billing and payment data

For paid plans we process your subscription, plan, invoices and billing status. Card and payment details are collected and processed directly by our payment provider, Stripe; we do not store full card numbers.

Purpose: to bill the subscription, prevent fraud, and meet statutory retention duties. Legal basis: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(c) GDPR (legal obligation, e.g. tax and commercial-law retention).

c) Connected mailboxes, store and chatbot data

When you connect a Gmail or Outlook mailbox, a Shopify store, or run the chatbot widget, we process the resulting messages, orders, customer records and conversation transcripts in order to provide the inbox, AI-reply, automation and store-context features.

For this data we act as your processor: we process it only on your documented instructions under our data processing agreement with you (Art. 28 GDPR). The processing agreement governs how we handle the data; it is not itself a legal basis. As controller, you are responsible for having a lawful basis under Art. 6 GDPR to process your end customers’ data.

d) AI features

To generate suggested replies, run the chatbot and search your knowledge base, the relevant message content is sent to our AI sub-processor (OpenAI) for inference. This content is processed under data-processing terms and is not used to train the provider’s models. Legal basis: Art. 6(1)(b) GDPR (contract) for your own account data; end-customer data is processed on your instructions as your processor under the data processing agreement (Art. 28 GDPR).

e) Server log files

Our hosting infrastructure automatically records technical access data (IP address, date and time, requested resource, referrer, browser/OS identifiers) for security, stability and abuse prevention.

Purpose: to operate the service securely and detect and defend against attacks. Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in a secure, functioning service).

f) Support communications

If you contact our support, we process the contents of your request and your contact details to handle it. Legal basis: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).

5. Cookies and local storage

We use only strictly necessary cookies and local storage — for example to keep you signed in, maintain your session, remember your theme preference and protect forms against cross-site request forgery. These are required for the service to function and do not require consent (§ 25(2) no. 2 TDDDG, formerly TTDSG). We do not use advertising, tracking or analytics cookies. See our Cookie Policy for the full list.

6. Recipients and sub-processors

We share personal data only with service providers who process it on our behalf under Art. 28 GDPR, and only as needed to operate the service. Each is bound by a data processing agreement. Our current sub-processors are:

Provider: Supabase, Inc.
  Purpose: Authentication, primary application database, file storage and realtime messaging.
  Location: European Union (project region) / United States (company)
  Transfer safeguard: EU Standard Contractual Clauses (DPA)

Provider: Stripe, Inc. / Stripe Payments Europe, Ltd.
  Purpose: Subscription billing, payment processing and invoicing.
  Location: Ireland / United States
  Transfer safeguard: EU Standard Contractual Clauses + EU–US Data Privacy Framework

Provider: OpenAI, L.L.C. / OpenAI Ireland Ltd.
  Purpose: AI model inference for chatbot replies, suggested answers and embeddings. Submitted content is not used to train OpenAI models (API data).
  Location: United States / Ireland
  Transfer safeguard: EU Standard Contractual Clauses (DPA)

Provider: Google Ireland Ltd. (Gmail / Google Workspace APIs)
  Purpose: Connecting a customer’s Google/Gmail mailbox to sync and send support email, only when the customer authorises it via OAuth.
  Location: Ireland / United States
  Transfer safeguard: EU Standard Contractual Clauses + EU–US Data Privacy Framework

Provider: Microsoft Ireland Operations Ltd. (Outlook / Microsoft Graph)
  Purpose: Connecting a customer’s Outlook/Microsoft 365 mailbox to sync and send support email, only when the customer authorises it via OAuth.
  Location: Ireland / United States
  Transfer safeguard: EU Standard Contractual Clauses + EU–US Data Privacy Framework

Provider: Shopify International Ltd.
  Purpose: Reading order, customer and product context from a connected Shopify store, only when the merchant authorises it.
  Location: Ireland / Canada
  Transfer safeguard: EU Standard Contractual Clauses (Canada also has an EU adequacy decision for commercial organisations)

We may also disclose data where legally required (e.g. to authorities under a valid order) or to enforce our terms and protect our rights.

7. International data transfers

Some sub-processors are located in or transfer data to countries outside the European Economic Area, including the United States. Where this happens, the transfer is safeguarded by the European Commission’s Standard Contractual Clauses, an adequacy decision and/or certification under the EU–US Data Privacy Framework, as indicated in the table above. You may request a copy of the relevant safeguards from us.

Our primary production data is hosted in TODO: the European Union (Supabase, eu-central region).

8. How long we keep data

  • Account and product data: for the duration of your account, and deleted within 90 days after account closure unless longer retention is legally required.
  • Billing records and invoices: retained for up to 10 years to meet German commercial and tax-law obligations (§ 257 HGB, § 147 AO).
  • Connected mailbox / store / chatbot data: kept only while the connection is active and deleted on disconnection or account closure, subject to the DPA.
  • Server log files: retained for a short period (typically up to 30 days) and then deleted or anonymised, unless needed longer to investigate a specific incident.

9. Your rights

Under the GDPR you have the right to:

  • access your personal data (Art. 15) and receive a copy;
  • rectification of inaccurate data (Art. 16);
  • erasure of your data (Art. 17);
  • restriction of processing (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interests (Art. 21); and
  • withdraw consent at any time, with effect for the future, where processing is based on consent (Art. 7(3)).

To exercise any of these rights, contact us at TODO: privacy@veyro.app.

10. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. The authority competent for us is: TODO: Berliner Beauftragte für Datenschutz und Informationsfreiheit (TODO: https://www.datenschutz-berlin.de). You may also contact the authority of your habitual residence or place of work.

11. Is provision of data required?

Providing the account and billing data needed to enter into and perform the contract is required to use the service; without it we cannot provide the service. All other processing is either necessary to deliver requested features or based on our legitimate interests.

12. Automated decision-making

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. AI features generate suggestions that a human reviews and decides to use.

13. Data security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), access controls, isolation of customer data, salted and hashed passwords (see section 4a) and least-privilege access for staff. No method of transmission or storage is completely secure, but we continuously work to protect your data.

14. Changes to this policy

We may update this Privacy Policy to reflect changes to the service or the law. The current version is always available on this page with its effective date. We will notify you of material changes.

This document is provided for transparency. It is not legal advice. Please consult a qualified lawyer for your specific situation.