Privacy Policy

Velin Tech Pty Ltd is the controller of personal data described in this policy. We are an Australia-founded company building booking, scheduling, and client management software for coaches and service-based organisations.

For privacy queries, contact privacy@velinfitness.com. For general support, contact support@velinfitness.com.

This policy covers:

• The Velin mobile app (iOS and Android)
• The Velin Studio web admin
• velinfitness.com marketing pages
• The Velin API

Velin operates a two-sided platform. Coaches and organisations who use Velin Studio are independent controllers of their own member lists and the data they upload. End-clients (people who book sessions through the Velin mobile app) are Velin's direct users, and this policy describes how Velin handles their personal information.

From you directly

• Account information via Clerk (email, first and last name, and optionally phone number)
• Profile information (date of birth, gender if provided, interests)
• Booking and session data
• Payment information, handled by Stripe — Velin does not store full card numbers
• Onboarding answers
• Marketing-consent status

Automatically

• Device information
• IP address
• App crash reports
• Basic usage analytics (page and screen views)
• Session timing

From third parties

• Authentication tokens from Clerk
• Payment metadata from Stripe (last 4 digits, card brand, country) — never the full card number

Special category data (GDPR Art. 9)

Velin does not knowingly collect “special category data” under GDPR Article 9 (e.g., health data, racial or ethnic origin, religious beliefs, sexual orientation, biometric data) through normal product use. Coaches may collect such data for their own purposes outside the Service; that processing is governed by the Coach's own privacy practices, not Velin's.

Categories of personal information collected (CCPA enumeration)

We do not collect precise geolocation, biometric data, racial or ethnic origin, religious beliefs, sexual orientation, or other categories of sensitive personal information beyond those listed above.

• Provide and improve the Velin booking and scheduling service
• Process payments and manage refunds
• Send transactional emails (booking confirmations, password resets, account changes)
• Send reminder emails (24 hours before sessions — opt-out available)
• Send product updates from the Velin team (opt-out available)
• Send marketing emails — only with your explicit consent (opt-in via signup or settings)
• Detect, prevent, and address fraud or security issues
• Comply with legal obligations (tax law, retention requirements)
• Improve our service through anonymised analytics

Additional GDPR Art. 13 disclosures. We do not currently use automated decision-making or profiling that produces legal or similarly significant effects on you. Providing the data marked as required during signup is necessary to create an account; without it, we cannot provide the Service. We have not appointed a Data Protection Officer because the scale of our processing does not require one under GDPR Art. 37(1). For privacy queries, contact privacy@velinfitness.com.

• Under amendments to Australia's Privacy Act effective 10 December 2026, organisations must disclose any automated decision-making that significantly affects an individual; we do not currently use such decision-making and will update this notice if that changes.

We work with the following service providers. Each receives only the information needed for its role:

• Clerk — authentication. Receives email, name, login activity. clerk.com/legal/privacy
• Stripe — payment processing. We share account holder identity, booking data, and transaction metadata with Stripe to enable payments and dispute handling. See callout above.
• Resend — transactional email delivery. Receives recipient email and message content. resend.com/legal/privacy-policy
• Railway — API hosting (database). Stores all the data we hold about you. railway.com/legal/privacy
• Vercel — web hosting. Receives request metadata for the studio web app. vercel.com/legal/privacy-policy
• Expo (EAS) — mobile build and distribution infrastructure. Receives only build-time metadata, no user data. expo.dev/privacy
• The coach or organisation you book with — receives your name, contact details, booking history, and payment confirmation status (so they can run their business).
• Legal or safety authorities — only if required by law or to protect our rights, our users, or others.
• Acquirers — in the unlikely event of a merger, acquisition, or asset sale, with notice to you.

If you grant the Velin mobile app permission to access your device calendar, we use this access to add your bookings to your calendar app. We do not transmit your calendar contents to our servers — calendar events are added locally on your device. You can revoke calendar access at any time in your device settings; doing so will not delete past calendar entries we've already added.

Your personal information may be transferred to and processed in countries other than where you live. Most of our infrastructure is in the United States (Railway, Vercel, Resend, Stripe). We rely on standard contractual clauses (SCCs) for transfers from the European Economic Area, and the UK International Data Transfer Addendum for transfers from the UK.

We use industry-standard encryption in transit (TLS) and at rest. Access to user data is restricted to authorised Velin personnel and is auditable. We rely on the security certifications of our infrastructure partners (Clerk SOC 2, Stripe PCI-DSS Level 1, Railway, Vercel).

The following rights apply to all users regardless of location:

• Access — request a copy of the personal data we hold about you.
• Correction — update inaccurate or incomplete data.
• Deletion — delete your account (instructions in the next section).
• Portability — receive your data in a machine-readable format.
• Withdrawal of consent — for any consent-based processing (such as marketing emails).
• Right to object — under GDPR Article 21, you can object to processing based on our legitimate interests; we will stop unless we demonstrate compelling grounds.

• In-app delete (mobile): Settings → Account → Delete account.
• Public web delete: velinfitness.com/delete — for users who can no longer sign in.
• Other rights: email privacy@velinfitness.com.

We commit to responding within 30 days.

When you request deletion, your account is immediately marked for deletion and you will be signed out. You have 30 days to undo. After 30 days, your personal information (name, profile, onboarding answers, calendar tokens) is permanently anonymised. Your booking and payment records are retained in anonymised form for tax and legal compliance — no personally identifiable information remains attached to them.

Velin is not directed to children under 18 years old. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact privacy@velinfitness.com and we will delete it promptly.

• The mobile app uses no cookies. Native session storage only.
• The studio web app uses session cookies for authentication (via Clerk) and basic functional cookies. No advertising or third-party tracking cookies.
• No cross-site tracking. No data sold to third parties for advertising purposes.

15.1 California (CCPA / CPRA)

• We do not sell your personal information.
• We do not share your personal information for cross-context behavioural advertising.
• California rights: right to know, right to delete, right to correct, right to limit sensitive personal information use, right to opt out of sale or sharing.
• Authorised agents are permitted.
• Non-discrimination guarantee — we will not discriminate against you for exercising your rights.
• Email privacy@velinfitness.com to exercise rights.

In the preceding 12 months we have collected the categories of personal information listed in Section 3 above. We have not sold or shared personal information for cross-context behavioural advertising in the preceding 12 months.

15.2 EEA / United Kingdom

• Velin is the data controller.
• Data subject rights are listed in Section 11 (Your rights).
• Right to lodge a complaint with your local supervisory authority (UK: ICO, ico.org.uk).
• Cross-border transfers via SCCs / UK IDTA.

15.3 Australia

• Velin complies with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
• Right to access and correct personal information.
• Right to make a complaint to Velin first; if unresolved, escalate to the Office of the Australian Information Commissioner (OAIC).

15.4 Canada (PIPEDA)

• Velin complies with the Personal Information Protection and Electronic Documents Act (PIPEDA).
• Right to access and correct personal information.
• Right to withdraw consent.
• Right to file a complaint with the Office of the Privacy Commissioner of Canada.

We may update this policy from time to time. Material changes will be communicated by email and through the Velin app at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

• Privacy queries: privacy@velinfitness.com
• General support: support@velinfitness.com
• EU representative: We currently do not require an EU representative under GDPR Art. 27 because of our processing volume.
• UK representative: We currently do not require a UK representative under UK GDPR Art. 27 because of our processing volume.