Privacy Policy

1. Introduction & scope

Velovance Inc. ("Velovance," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile application, and related services (collectively, the "Service").

This policy applies to all customers, visitors, and users of our Service. By using Velovance, you consent to the data practices described in this policy. If you do not agree, please do not use our Service.

2. Information we collect

2.1 Personal identification information

We collect information that can identify you as an individual, including but not limited to:

• Full name, date of birth, and government-issued identification numbers (SSN, passport, driver's license)
• Contact information (email address, phone number, physical address)
• Account credentials (username, password, security questions)
• KYC/AML verification documents (ID photos, proof of address, selfies)
• Financial information (bank account numbers, routing numbers, tax identification)

2.2 Transaction and usage data

We automatically collect information about your interactions with our Service:

• Transaction history (deposits, withdrawals, transfers, payments)
• Account balances and activity logs
• IP address, device information, browser type, and operating system
• Geolocation data (with your consent)
• Cookies and similar tracking technologies
• Login history and session duration

2.3 Sensitive data

We may collect sensitive personal data as required by financial regulations, including biometric data (facial recognition for identity verification) and precise geolocation. We obtain explicit consent before collecting sensitive data and use it only for the purposes disclosed.

3. How we use your information

We use your information for the following purposes:

• Account management: Create and maintain your account, verify your identity, and provide customer support
• Transaction processing: Process deposits, withdrawals, transfers, and payments
• Regulatory compliance: Comply with KYC, AML, sanctions screening, and reporting obligations
• Security & fraud prevention: Detect, investigate, and prevent fraudulent or unauthorized activity
• Service improvement: Analyze usage patterns, fix bugs, and improve our products
• Communications: Send transaction alerts, security notifications, and policy updates
• Legal compliance: Respond to lawful requests from courts, law enforcement, and regulators

We do not sell your personal information to third parties. We do not use your data for purposes incompatible with those disclosed in this policy without your consent.

4. Legal basis for processing (GDPR)

For individuals in the European Economic Area (EEA), we process your personal data under the following legal bases:

• Contract performance: Processing necessary to provide our Service under our Terms & Conditions
• Legal obligations: Processing required to comply with financial regulations (KYC, AML, tax reporting)
• Legitimate interests: Processing for fraud prevention, security, and service improvement (where your rights do not override these interests)
• Consent: Processing for marketing communications, cookies, and optional data collection features

5. Information sharing & disclosure

We may share your information with the following categories of recipients:

5.1 Service providers

Third-party vendors who help us operate our Service, including:

• Banking and payment processors (ACH, wire transfer, card networks)
• Identity verification and KYC providers
• Cloud hosting and infrastructure providers (AWS, etc.)
• Customer support and communication platforms
• Fraud detection and security monitoring services

5.2 Regulatory and legal disclosures

We may disclose your information to:

• Financial regulators (FinCEN, FCA, etc.) as required by law
• Law enforcement or government agencies in response to valid legal process
• Credit bureaus (for loan reporting and fraud prevention)
• Tax authorities for reporting interest income and other taxable events

5.3 Business transfers

If Velovance is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change.

6. Data retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this policy, including:

• Active accounts: Data retained for the duration of your account plus 5 years after closure (as required by financial regulations)
• Transaction records: Minimum 5 years from the date of each transaction
• KYC documents: 5 years after account closure or as required by AML regulations
• Marketing data: Until you unsubscribe or request deletion
• Cookies and analytics: Up to 24 months depending on cookie type

After retention periods expire, we securely delete or anonymize your data. Certain data may be retained longer if required by law, litigation, or regulatory investigation.

7. Your privacy rights

7.1 GDPR rights (EEA residents)

If you are in the European Economic Area, you have the following rights:

• Right to access: Request a copy of your personal data
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your data (subject to legal retention requirements)
• Right to restrict processing: Limit how we use your data
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests or direct marketing
• Right to withdraw consent: Withdraw previously given consent at any time

To exercise these rights, contact us at privacy@velovance.com. We will respond within 30 days.

7.2 CCPA rights (California residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with:

• Right to know: Request disclosure of data collected, used, and shared about you
• Right to delete: Request deletion of your personal information (subject to exceptions)
• Right to opt-out: Opt out of the sale of your personal information (we do not sell your data)
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

California residents may also request information about disclosures of personal information to third parties for direct marketing purposes under California's Shine the Light law (Civil Code Section 1798.83).

7.3 Other US state rights

Residents of Virginia, Colorado, Connecticut, Utah, and other states with privacy laws have similar rights to access, correct, delete, and opt out of data processing. Contact us to exercise your rights.

8. Cookies & tracking technologies

We use cookies and similar tracking technologies to improve your experience. Types of cookies we use include:

You can manage cookie preferences through your browser settings. Blocking essential cookies may affect Service functionality. For more information, see our Cookie Policy.

9. Data security

We implement industry-standard security measures to protect your data:

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access controls: Role-based access, multi-factor authentication, and regular access reviews
• Monitoring: 24/7 security monitoring, intrusion detection, and real-time fraud alerts
• Audits: Annual SOC 2 Type II audits and third-party penetration testing
• Employee training: Mandatory privacy and security training for all employees

While we strive to protect your data, no transmission over the Internet is 100% secure. You use our Service at your own risk. We will notify you of any data breach as required by applicable law.

10. International data transfers

Velovance is headquartered in the United States and processes data in the US and other countries where we or our service providers operate. If you are located outside the US, your information may be transferred to countries with different data protection laws. We ensure appropriate safeguards (such as Standard Contractual Clauses) are in place for international transfers. For EEA residents, our data processing agreements comply with Chapter V of the GDPR.

11. Children's privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact us, and we will delete it.

12. Third-party links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes:

• By email to the address associated with your account (with 30 days' notice)
• Through a notice in the Service or on our website
• By updating the "Last updated" date at the top of this policy

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. If you do not agree, you may close your account before the changes take effect.

14. Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee our privacy practices. You may contact our DPO at:

• Email: dpo@velovance.com
• Address: Velovance Inc., Attn: Data Protection Officer, Velovance Italy S.r.l. Piazza Gae Aulenti, 12 20154 Milano (MI) Italy
• EU representative: Velovance Europe, 2 Grand Canal Square, Dublin 2, D02 A342, Ireland

15. Complaints & supervisory authority

If you believe we have violated your privacy rights, you have the right to lodge a complaint with a supervisory authority:

• US (CFPB): Consumer Financial Protection Bureau · (855) 411-2372 · consumerfinance.gov
• EU (GDPR): Your local Data Protection Authority (DPA) · edpb.europa.eu
• UK (ICO): Information Commissioner's Office · ico.org.uk

16. Contact us

For privacy-related questions, concerns, or to exercise your privacy rights, please contact us:

For security-sensitive privacy issues, please email us directly. We aim to respond to all privacy inquiries within 30 days.