Privacy Policy

Last updated: 17 March 2026

1. Who We Are

VelocityApps ("we", "our", "us") is the data controller for personal data processed through this Service. We are based in the United Kingdom and operate in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contact: hello@velocityapps.dev
Website: https://velocityapps.dev

We are in the process of registering with the Information Commissioner's Office (ICO) as required under UK data protection law.

2. What Data We Collect and Why

We collect and process personal data only where we have a lawful basis to do so under UK GDPR Article 6.

2.1 Account Information

Data: Email address, password (hashed, never stored in plain text).
Lawful basis: Contract — necessary to provide you with access to the Service.
Retention: For the lifetime of your account, plus 30 days after deletion.

2.2 Payment Information

Data: We do not store payment card details. Payments are processed by Stripe, who act as an independent data controller. We retain records of subscription status, billing history, and Stripe customer/subscription IDs.
Lawful basis: Contract and Legal Obligation (financial record-keeping).
Retention: 7 years, as required for VAT and tax purposes.

2.3 Shopify Store Data

Data: Your store URL, encrypted access token, and — only when an automation runs — product data, order data, customer names and email addresses, and inventory levels.
Lawful basis: Contract — this data is necessary to execute the automations you have installed.
How we handle your customers' data: We act as a data processor on your behalf when processing your Shopify customers' personal data. You remain the data controller for your customers' data. We process it only to the extent required to run your chosen automations and do not use it for our own purposes.
Retention: Access tokens are retained until you disconnect your store. Customer data accessed during automation runs is not stored beyond what is required to complete the run (typically seconds to minutes).

2.4 Usage and Technical Data

Data: IP address, browser type, pages visited, features used, error logs, automation execution logs.
Lawful basis: Legitimate Interests — to operate, maintain, and improve the Service, and to detect and prevent fraud or abuse.
Retention: Logs retained for 90 days; anonymised analytics retained indefinitely.

2.5 Support Communications

Data: Messages and attachments you send via our support system.
Lawful basis: Contract and Legitimate Interests.
Retention: 2 years from ticket closure.

3. Data Processors and Third Parties

We use the following third-party services to operate the platform. Each is bound by appropriate data processing agreements and/or standard contractual clauses (SCCs) where data is transferred outside the UK.

Provider  Purpose                                 Location
Supabase  Database and authentication             EU (West EU region)
Stripe    Payment processing                      UK / EU
Vercel    Hosting and infrastructure              US (SCCs in place)
Resend    Transactional email delivery            US (SCCs in place)
PostHog   Product analytics                       EU (EU Cloud)
Sentry    Error monitoring                        EU (SCCs in place)
Shopify   Store data access (your authorisation)  Canada / US

We do not sell your personal data to third parties.

4. Cookies

We use the following categories of cookies:

  • Strictly Necessary: Authentication session cookies required to log you in and keep you logged in. These cannot be disabled without breaking the Service.
  • Functional: Short-lived cookies used during the Shopify OAuth flow (expire within 5 minutes).
  • Analytics: PostHog cookies that help us understand how the Service is used. These are anonymised where possible. You may opt out by contacting us.

We do not use advertising or tracking cookies.

5. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights. To exercise any of them, contact us at hello@velocityapps.dev. We will respond within one month.

  • Right of Access: Request a copy of your personal data (Subject Access Request).
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations.
  • Right to Restrict Processing: Ask us to pause processing your data in certain circumstances.
  • Right to Data Portability: Receive your data in a commonly used machine-readable format.
  • Right to Object: Object to processing based on Legitimate Interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

6. Data Security

We apply appropriate technical and organisational measures to protect personal data, including:

  • AES-256-GCM encryption for Shopify access tokens at rest
  • HTTPS (TLS) for all data in transit
  • Row-level security on our database (users can only access their own data)
  • Access tokens stored server-side only, never exposed to the browser
  • Error monitoring via Sentry to detect and address vulnerabilities

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.

7. Children

The Service is intended for business use only and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email at least 14 days before they take effect. The current version is always available at this URL.

9. Contact

For any privacy-related queries, requests to exercise your rights, or data protection concerns:

Email: hello@velocityapps.dev
Website: https://velocityapps.dev