Velora Marketing is an outbound engine for benefit brokers. This policy explains what we collect, how we use it, who has access, and the rights you retain.

1. Who we are

Velora Marketing is a product of Velora Health, Inc.("Velora", "we", "our"). We provide marketing-automation software for employee-benefits brokers. This policy covers the Velora Marketing application, this marketing website, and our embedded integrations.

2. What we collect

Data you provide

Account data — name, email, agency name, role.
Target-list data — prospect contact records, target lists you upload, campaign content you author.
Communications data — emails sent via Velora, call recordings and transcripts, SMS threads, LinkedIn outreach activity, meeting bookings.

Data we collect automatically

Usage — pages visited, features used, session duration.
Device — browser, operating system, IP address, approximate location.
Audit trail — log of user and API actions, retained to support troubleshooting and future compliance work.

3. How we use your data

Provide, maintain, and improve the Velora Marketing platform.
Run agency-scoped AI workflows trained on your own data — never aggregated across agencies.
Process communications (email, SMS, calls, LinkedIn) on your behalf.
Generate audit logs for operational and security purposes.
Send transactional emails you opted into.

4. Who we share data with

We share data only with these categories of recipients, and only under contract:

Infrastructure sub-processors — Vercel, Neon, Cloudflare R2, Upstash.
AI sub-processors — Anthropic, OpenAI, Deepgram, ElevenLabs.
Communications sub-processors — Resend, Twilio, Retell, Drop Cowboy, Slybroadcast, Smartlead.
Your CRM integrations — only the systems you explicitly connect (Atlas, HubSpot, Salesforce, Gmail, Outlook).
Legal requirements — when required by subpoena or court order; we notify you unless prohibited.

We never sell your data. We never use your data to train cross-customer models.

5. Data retention

We retain your data for as long as your account is active, plus a grace period of 30 days after cancellation, after which your data is permanently deleted on request. Operational audit logs are retained for 24 months.

6. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. The fastest way to exercise these rights is the form below — it routes the request to our privacy team and starts the response timer (we use the stricter of GDPR's 30 days and CCPA's 45 days). You can also email privacy@velora.app.

Data subject request

Submit a privacy request

Use this form to exercise your rights under GDPR, CCPA, or your state's privacy law. We respond within 30 days— the stricter of the two timelines we're subject to. We may need to verify your identity (email confirmation or, for sensitive operations, government ID) before fulfilling the request.

What kind of request?

Access — show me the data you have on meDeletion — delete the data you have on mePortability — give me the data in a machine-readable formatRectification — fix incorrect dataObjection — stop processing my data for marketing

We remove the personal data tied to your email and confirm in writing. Some records are retained where law requires (e.g. transactional logs). (GDPR Art. 17 / CCPA right-to-delete).

Email *The email associated with the data you're requesting.Name (optional)Helps us locate records faster if your email isn't a perfect match.

Jurisdiction (optional)Tells us which law you're asserting your rights under. Defaults to the strictest (30-day) timeline if blank.Details (optional)0/1000 characters. Leave blank if you just want a standard request of the chosen kind.

By submitting, you authorize Velora Health to use the email above to verify and respond to this request. We don't add this to any marketing list.

7. Security practices

Data encrypted at rest and in transit using industry-standard infrastructure defaults.
Session tokens stored as hashed values, not plaintext.
Role-based access control with scoped API keys.
Audit logs for user and API actions.

Formal certifications (HIPAA BAA posture, SOC 2 Type II) are not yet in place. We do not claim certifications we have not obtained. When we achieve them, they will be surfaced here with audit-report access available under NDA.

8. Communications compliance

Velora helps you respect TCPA, CAN-SPAM, and state-level outbound rules — STOP/UNSUBSCRIBE handling, timezone-aware send windows, and opt-out suppression across channels. You remain responsible for the lawful basis of your own outreach.

9. Changes to this policy

Material changes are announced 30 days in advance via email to your account administrator. Continued use constitutes acceptance.

10. Contact

Questions? Email privacy@velora.app.

Privacy Policy