Privacy Policy
Last updated: April 2, 2026
1. Introduction
This Privacy Policy describes how Veblyn, a Delaware corporation ("Veblyn," "we," "us," or "our"), collects, uses, shares, and protects your personal information when you use our website, dashboard, API, and related services (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices described herein, you should not use the Service.
This policy applies to all users of the Service, including visitors who browse the website without creating an account, registered users with Free accounts, and subscribers on paid plans (Pro and Fund).
2. Information We Collect
2.1 Account Data
When you create a Veblyn account, we collect your email address and, if provided, a display name. We use email-based one-time password (OTP) authentication, meaning we do not collect or store persistent passwords.
2.2 API Usage Data
When you use the Veblyn API, we automatically collect: (a) the API endpoints you access; (b) the number of API calls made per day; (c) request and response timestamps; (d) your IP address; (e) your user agent string; (f) request parameters (excluding any sensitive data you may include in query strings); and (g) response status codes and latency metrics.
2.3 Payment Data
If you subscribe to a paid plan, payment processing is handled entirely by Stripe. Veblyn does not collect, store, or have access to your full credit card number, debit card number, or bank account details. We receive from Stripe: (a) a truncated card identifier (last four digits); (b) card brand and expiration date; (c) billing address; (d) transaction amounts and dates; and (e) payment status (success, failure, refund).
2.4 Device and Browser Data
When you access the Veblyn website or dashboard, we may automatically collect: (a) browser type and version; (b) operating system; (c) screen resolution; (d) referring URL; (e) pages visited and time spent on each page; and (f) general geographic location derived from IP address (city/country level, not precise coordinates).
2.5 Cookies and Similar Technologies
We use cookies and similar technologies (such as local storage) to maintain your authentication session, remember your preferences, and collect analytics data. See Section 11 for detailed information about our cookie practices.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and maintain the Service: To operate the platform, deliver API responses, and display dashboard content.
- Authenticate requests and enforce rate limits: To verify your identity via OTP, validate API keys, and enforce per-tier usage limits.
- Process payments: To manage subscriptions, process billing through Stripe, and handle plan upgrades or downgrades.
- Send transactional emails: To deliver OTP codes for authentication, billing receipts, payment failure notifications, and important service announcements. We use Resend for email delivery.
- Analyze usage patterns: To understand how the Service is used, identify popular endpoints and features, optimize performance, and plan capacity.
- Detect and prevent fraud and abuse: To identify unauthorized access attempts, API key abuse, rate limit circumvention, and other prohibited activities described in our Terms of Service.
- Respond to support requests: To address your questions, troubleshoot issues, and provide technical assistance.
- Comply with legal obligations: To meet applicable legal, regulatory, and tax requirements.
We do not use your personal information for advertising purposes. We do not build advertising profiles or serve targeted advertisements.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contract performance (Article 6(1)(b) GDPR): Processing necessary to provide the Service you have requested, including account creation, API access, authentication, billing, and subscription management.
- Legitimate interest (Article 6(1)(f) GDPR): Processing necessary for our legitimate business interests, including fraud detection, abuse prevention, usage analytics for platform improvement, and ensuring platform security and stability. We balance these interests against your rights and freedoms.
- Consent (Article 6(1)(a) GDPR): Where we rely on your consent, such as for non-essential analytics cookies, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Legal obligation (Article 6(1)(c) GDPR): Processing required to comply with applicable laws, such as maintaining payment records for tax purposes.
5. Data Sharing and Disclosure
We do not sell your personal data. We have never sold personal data and have no plans to do so.
We may share your information with the following categories of recipients:
5.1 Service Providers
We use trusted third-party service providers who process data on our behalf to deliver the Service:
- Stripe - Processes payments and manages subscription billing. Stripe receives your payment information directly and is a PCI DSS Level 1 certified provider.
- Resend - Delivers transactional emails including OTP codes and billing notifications. Resend receives your email address.
- MongoDB Atlas - Hosts our database infrastructure. Account data, API usage logs, and application data are stored on MongoDB Atlas servers.
- Vercel - Hosts the Veblyn website and application. Vercel may process request metadata (IP address, user agent) as part of serving web traffic.
5.2 Law Enforcement and Legal Requests
We may disclose your information if we believe in good faith that disclosure is required to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Veblyn, our users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you of any such change in ownership or control of your personal data via email or a prominent notice on the Service.
5.4 Aggregated and Anonymized Data
We may share aggregated, de-identified data that cannot reasonably be used to identify you. For example, we may share statistics about overall API usage patterns or platform growth metrics.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law. Specific retention periods are as follows:
- Account data (email, display name): Retained while your account is active and for 30 days following account deletion to allow for account recovery.
- API usage logs (endpoints, call counts, IP addresses): Retained for 90 days, after which they are automatically purged or aggregated into anonymized statistics.
- Payment records (transaction history, billing data): Retained for 7 years as required for tax compliance and financial record-keeping obligations.
- OTP codes: Automatically deleted 10 minutes after generation, regardless of whether they were used.
- Analytics data (page views, session data): Retained for 12 months in identifiable form, then aggregated into anonymized statistics.
- Support correspondence: Retained for 2 years after the last communication in the thread.
When data reaches the end of its retention period, it is either securely deleted or irreversibly anonymized.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security). API requests and responses are transmitted over HTTPS.
- API key hashing: API keys are hashed using SHA-256 before storage. We do not store plaintext API keys. Your API key is shown to you only once at the time of creation.
- Encryption at rest: Data stored in MongoDB Atlas is encrypted at rest using AES-256 encryption.
- Access controls: Access to production systems and databases is restricted to authorized personnel using role-based access controls and multi-factor authentication.
- Audit logs: We maintain logs of administrative access to production systems.
- Regular reviews: We periodically review our security practices and update them as appropriate.
While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.
8. International Data Transfers
Veblyn is based in the United States. Your personal data is primarily stored on MongoDB Atlas servers located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
Our third-party service providers may process data in various locations: Stripe processes payment data globally in accordance with applicable regulations; Vercel serves content from edge locations worldwide; Resend processes email delivery through infrastructure that may span multiple regions.
For users in the EEA, UK, or Switzerland, we rely on the following mechanisms for international data transfers: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; and (b) service providers who participate in the EU-US Data Privacy Framework where applicable.
9. Your Rights
9.1 GDPR Rights (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention requirements.
- Right to restriction of processing: Request that we limit the processing of your personal data in certain circumstances.
- Right to data portability: Request a machine-readable copy of your personal data to transfer to another service.
- Right to object: Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: Where processing is based on consent, withdraw your consent at any time.
You also have the right to lodge a complaint with your local data protection supervisory authority.
9.2 CCPA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes, and the categories of third parties with whom we share it.
- Right to delete: Request deletion of personal information we have collected from you, subject to legal exceptions.
- Right to opt-out of sale: We do not sell personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link.
- Right to non-discrimination: We will not discriminate against you for exercising any CCPA rights.
- Right to correct: Request correction of inaccurate personal information.
9.3 How to Exercise Your Rights
To exercise any of the rights described above, please contact us at contact@veblyn.com. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at contact@veblyn.com, and we will take steps to delete such information promptly.
If we become aware that we have collected personal data from a child under 18 without parental consent, we will delete that data as soon as reasonably practicable.
11. Cookies
We use cookies and similar storage technologies on the Service. The types of cookies we use include:
11.1 Essential Cookies
These cookies are strictly necessary for the Service to function. They include: (a) authentication tokens that maintain your logged-in session; (b) security cookies that help detect and prevent unauthorized access; and (c) session identifiers. These cookies cannot be disabled without breaking core functionality.
11.2 Analytics Cookies
We may use analytics cookies to collect anonymous usage data, including pages visited, time on page, navigation patterns, and feature usage. This data helps us understand how the Service is used and identify areas for improvement. All analytics data is aggregated and does not identify individual users.
11.3 Advertising Cookies
We do not use advertising cookies. We do not serve third-party advertisements on the Service and do not participate in advertising networks.
11.4 Managing Cookies
You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies will prevent you from logging in and using authenticated features of the Service. For instructions on managing cookies in your specific browser, consult your browser's help documentation.
12. Do Not Track
Some web browsers transmit "Do Not Track" (DNT) signals to websites. Veblyn respects DNT signals. When we detect a DNT signal from your browser, we disable non-essential analytics tracking for your session. Essential cookies required for authentication and core functionality remain active regardless of DNT settings.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will provide at least 30 days' notice by: (a) sending an email to the address associated with your account; or (b) posting a prominent notice on the Service.
Non-material changes (such as clarifications or formatting updates) may be made without prior notice. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised.
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Veblyn
A Delaware corporation
Email: contact@veblyn.com
For GDPR-related inquiries, you may also contact your local data protection supervisory authority.
We aim to respond to all privacy-related inquiries within five (5) business days.