Velahub Privacy Policy

Velahub is an LLM API gateway. We collect only what we need to deliver and meter your requests, reconcile billing, and respond to support and abuse signals. We do not sell your data, and we do not use your prompts to train models. Payment-method data is handled by our Merchant of Record, Lemon Squeezy, and never reaches our servers.

The data controller for this Service is Velahub, the operator of velahub.ai. For privacy questions, contact us at support@velahub.ai.

We collect three categories of data:

We use the categories above strictly for the following purposes:

• Operating the Service: routing your API calls to the upstream model you selected and returning the response.
• Metering and billing: computing wallet debits per request, generating ledger entries, and producing your usage history.
• Abuse prevention: rate-limiting, detecting credential-stuffing, blocking accounts that violate the Acceptable Use clause of the Terms.
• Troubleshooting and support: investigating reported issues and answering support questions about specific requests.
• Service communications: low-balance and account-status emails, security notices, and material Terms-update announcements.
• Legal compliance: responding to lawful requests and meeting record-keeping obligations applicable to the Operator's place of registration.

We do not use your data for advertising, profiling unrelated to the Service, or sale to third parties.

We share specific data with the following third parties, each with a documented and limited purpose:

• Upstream model providers (Anthropic, OpenAI, Google, DeepSeek, and any aggregators you select): we forward your request body to them so they can generate a response. Their handling of your inputs is governed by their own policies — see Terms § 2.
• Lemon Squeezy: receives the data necessary to process payments. Their privacy policy is at lemonsqueezy.com/privacy.
• Email transactional provider (currently Resend): receives your email address and the email body when we send you a one-time login code, low-balance notice, or similar service email.
• Hosting and infrastructure providers: receive your data only as a necessary consequence of storing and serving the Service. We do not transmit user data to these providers outside of the normal operation of the Service.

We do not sell or rent your data to anyone. Subprocessors are only added when necessary to operate the Service.

• Account data: retained while your account is active. After deletion request, removed within 30 days, except records required to be kept by applicable law (typically billing records for the operator's place of registration).
• Usage metadata (timestamp / token count / cost): retained for the lifetime of your account so you can see your usage history. Removed with the account on deletion.
• Full request and response bodies: 90 days by default, then automatically purged. Operators may configure a shorter retention.
• Payment metadata: retained as long as required by tax / accounting law in the operator's jurisdiction.

Depending on your jurisdiction, you may have one or more of the following rights:

• Access: you can request a copy of the personal data we hold about you.
• Correction: you can ask us to correct inaccurate or incomplete data.
• Deletion: you can request deletion of your account and associated data; see retention exceptions in Section 6.
• Portability: you can request an export of your account and usage history in a structured format.
• Objection or restriction: you can ask us to restrict certain processing where the law gives you that right.
• Withdraw consent: where processing relies on your consent, you can withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, email support@velahub.ai. We will respond within 30 days. There is no fee for reasonable requests. If you believe our handling is unlawful, you may also lodge a complaint with the data-protection authority of your jurisdiction.

Velahub operates an architecture that may route requests to model providers located outside your jurisdiction (commonly the United States and Europe). By using the Service, you understand that your prompts and responses will transit to and be processed in those jurisdictions. We rely on contractual protections offered by each provider; see Terms § 2 for the specific providers involved.

We use industry-standard measures to protect your data: TLS in transit, AES-256-GCM for sensitive at-rest fields (e.g. BYOK upstream keys), HMAC-hashed API key secrets, rate limiting, and access controls between processes. No system is perfectly secure; if you become aware of a vulnerability, please report it to support@velahub.ai.

The Service is not directed at individuals under 18 years of age (or the applicable age of majority in your jurisdiction). We do not knowingly collect data from such individuals. If you believe we have, contact us and we will delete the data.

Velahub uses minimal browser storage to operate the Dashboard: a locale preference cookie (NEXT_LOCALE), a session token kept in localStorage so you stay signed in, and similar functional values. We use Google Analytics (GA4) to understand site usage — analytics cookies are set ONLY if you accept the consent banner; until then, and if you decline, no analytics cookies are written (Google Consent Mode). You can change your choice by clearing site data. We do not use advertising cookies. The payment provider's checkout page (a separate domain) may set its own cookies for fraud prevention; see their privacy policy.

We may update this Privacy Policy when our practices change or applicable law evolves. Material changes will be announced via in-product notice or email. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

For privacy questions or to exercise your rights:

• Email: support@velahub.ai
• Response time: within 30 days