Privacy Policy

1. Information We Collect

We collect information to provide and improve the Vella service. The data we collect depends on how you use our features:

• Account and Identity Data: Name, email address, email verification timestamps, avatar images, and social login identifiers (if you use Google, Apple, or Facebook to sign in). We also store limited payment metadata (such as the last four digits of your card) to manage billing.
• Authentication and Security Data: IP addresses, user agent details for session storage, hashed magic login codes, and API access tokens to secure your account.
• User Content and Communications: Card messages, titles, occasions, styles, salutations, delivery schedules, and customer support submissions. We also track card interactions (e.g., when a card is viewed or opened) and maintain records of relationships between senders and recipients.
• AI Image Generation Data: User prompts, full generated prompts, generation settings, metadata (model, image dimensions), and the generated image files.
• Billing and Credits Data: Subscription records, plan statuses, and transaction ledgers showing credit balances, usage, and purchases.

2. How We Use Your Information

Our lawful bases and purposes for processing your data include:

• Service Delivery: To provide account access, authenticate logins via magic codes or OAuth, create and send cards, and generate AI images from your prompts.
• Billing and Support: To process payments, manage subscriptions and credit balances, and respond to your customer support requests.
• Fraud and Security: To detect, prevent, and respond to fraud, abuse, or security incidents.
• Service Improvement: To analyze how our services are used and to improve our product features.

3. Third-Party Processors and Data Sharing

We use trusted third-party services to operate Vella. These providers may process your data outside of your jurisdiction. Categories include:

• Payment Processors: To process subscriptions, one-time purchases, and related billing events.
• Email Delivery Providers: To send transactional emails such as sign-in links, invitations, card delivery notifications, and account updates.
• AI Processing Providers: To process text prompts and generate card images.
• Cloud Storage Providers: To store user-uploaded assets, generated images, and related media securely.
• Identity Providers: To support optional social sign-in and account authentication.

Note on Card Invitations: When you send an invite-based card link, the URL may include tokenized parameters and the recipient's email address in the query string to grant access to the card.

4. Data Retention and Deletion

We retain your data for as long as necessary to provide our services and fulfill the purposes described in this policy.

• Expired or used magic login codes are periodically deleted.
• For users whose subscriptions have ended, we may routinely clean up disconnected card connections and delete orphaned cards or images after a designated period (e.g., 90 days).
• Cards and card connections generally utilize soft-delete mechanisms to prevent accidental permanent loss during key flows.

5. Your Privacy Rights

Depending on your location, you may have the right to access, correct, delete, port, or object to the processing of your personal data.

6. Contact Us

If you wish to exercise your privacy rights, or if you have questions about this policy, please sign in and contact us through the support flow.