Privacy Policy
Last updated: March 5, 2026
1. Introduction
This Privacy Policy describes how Velo ("we," "us," or "our") collects, uses, stores, and protects information when you use the Velo reading application for iOS and our website at veloreader.com (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and password. Authentication is handled by AWS Cognito; we never store your password in plain text.
2.2 Your Documents
Velo lets you import EPUB and PDF files for reading. Here is how your documents are handled:
- On-device storage: All imported books are stored locally on your device using IndexedDB. Books remain on your device and are readable offline without any data leaving your phone or tablet.
- Cloud library (optional): If you choose to sync your library, books are uploaded to a private Amazon S3 bucket tied to your account. Each file is accessible only to your authenticated session via short-lived, signed URLs. We do not read, index, analyze, or share the content of your uploaded files.
- Deletion: You can delete any book from your cloud library at any time. Deletion removes both the file from S3 and its metadata from our database.
2.3 Reading Progress
When cloud sync is enabled, we store your reading position (book identifier, percentage, word position) and book metadata (title, author, file type) in a DynamoDB table so you can resume reading on another device. This data is associated with your account and is not shared with anyone.
2.4 Waitlist & Marketing
If you join our waitlist, we collect your email address and optional attribution data (UTM source, medium, campaign). We send a welcome email and periodic updates via Amazon SES. Every email contains an unsubscribe link; unsubscribing immediately stops all future messages and is recorded in our database.
2.5 Automatically Collected Information
- Usage analytics: Features used, reading session duration, reading mode switches, and words-per-minute statistics. These are used solely to improve the reading experience.
- Crash reports and error logs: Stack traces and device state at the time of a crash, used to diagnose and fix bugs.
- Device information: Device model, iOS version, app version, and screen size.
- IP address: Logged transiently by our API gateway and cloud infrastructure. We do not store IP addresses in our application database or use them for tracking.
2.6 Information We Do NOT Collect
- We do not use Apple's IDFA or participate in ad tracking.
- We do not collect contacts, photos, location, health data, or financial information.
- We do not use third-party analytics SDKs (e.g., Google Analytics, Facebook SDK, or similar) in the iOS app.
3. How We Use Your Information
- Provide the Service: Authenticate you, store and sync your books and reading progress across devices.
- Improve the Service: Analyze aggregate usage patterns (e.g., average session length, popular reading speeds) to prioritize features and fix issues.
- Communicate with you: Send transactional emails (account verification, password reset) and, if you opted in, marketing updates about Velo.
- Legal compliance: Respond to lawful requests from government authorities.
4. Data Storage & Security
All server-side data is hosted on Amazon Web Services (AWS) in the US-East-2 (Ohio) region. We implement the following security measures:
- Encryption in transit: All API traffic uses TLS 1.2+.
- Encryption at rest: S3 buckets use server-side encryption (SSE-S3). DynamoDB tables use AWS-managed encryption.
- Authentication: All user-specific API endpoints require a valid JWT access token issued by AWS Cognito. Tokens are short-lived and refreshed automatically.
- Access control: Cloud library files are stored in a private S3 bucket. Access is granted only through short-lived presigned URLs scoped to the authenticated user.
- Minimal retention: Server-side logs are retained for 30 days, then automatically deleted.
5. Data Sharing & Third Parties
We do not sell, rent, or trade your personal information.
We share data only with the following service providers, solely to operate the Service:
- Amazon Web Services (AWS): Cloud hosting, authentication (Cognito), database (DynamoDB), file storage (S3), and email delivery (SES).
- Apple: App distribution via the App Store. Apple may collect its own analytics per its privacy policy.
We may disclose information if required by law, subpoena, or court order, or to protect the rights, safety, or property of Velo, our users, or the public.
6. Data Retention
- Account data: Retained as long as your account is active.
- Cloud library files: Retained until you delete them or delete your account.
- Reading progress: Retained until you delete your account.
- Waitlist data: Retained until you unsubscribe or request deletion.
- Server logs: Automatically deleted after 30 days.
When you delete your account, we permanently remove your account record, all cloud library files, and all reading progress data within 30 days.
7. Your Rights
Regardless of where you live, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate information.
- Delete your account and all associated data.
- Export your data (your books are always downloadable from the app).
- Opt out of marketing emails at any time via the unsubscribe link in every email.
To exercise any of these rights, email hello@veloreader.com. We will respond within 30 days.
California Residents (CCPA)
You have the right to know what personal information we collect and how it is used, to request deletion of your personal information, and to not be discriminated against for exercising your rights. We do not sell personal information as defined by the CCPA.
European Residents (GDPR)
Our legal bases for processing your data are contract performance (providing the Service you signed up for) and legitimate interest (improving the Service). You may request data portability or lodge a complaint with your local data protection authority.
8. Children's Privacy
Velo is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at hello@veloreader.com.
9. Apple App Store Privacy Details
As required by Apple, here is a summary of our data practices for the App Privacy section:
- Data used to track you: None. We do not track you across other companies' apps or websites.
- Data linked to you: Email address, reading progress, and cloud library metadata.
- Data not linked to you: Crash logs and usage analytics (collected in aggregate without persistent user identifiers).
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) or by placing a prominent notice in the app. The "Last updated" date at the top of this page indicates when the policy was last revised.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Email: hello@veloreader.com