Privacy Policy
Last updated: May 22, 2026 · Version 2.1
1. Who we are
Velsy (the "Service") is operated by PINEFORGE INC., a corporation incorporated under the laws of Canada with a registered office at 76 Amand Dr, Kitchener, ON N2R 0L1, Canada ("PINEFORGE," "we," "us").
Our Privacy Officer is accountable for our compliance with this policy and with Canadian privacy law. For privacy questions, data subject requests, or to exercise any right described below, contact:
Privacy Officer, PINEFORGE INC.
76 Amand Dr, Kitchener, ON N2R 0L1, Canada
Email: privacy@velsyapp.com (aliased to support@velsyapp.com)
Velsy has not appointed an EU or UK representative — our processing is occasional and does not involve systematic monitoring of EU/UK data subjects.
2. Scope
This policy covers data processed through the Velsy mobile app (iOS and Android) and the Velsy website at velsyapp.com. It does not cover websites or services operated by third parties even when linked from Velsy; those are governed by their own policies.
3. What we collect
Directly from you
- Account identity — email address and password (hashed by Supabase Auth), used only for authentication and password reset.
- Business profile — display name, business name, booth color, booth icon, booth logo image.
- Your content — inventory items, market sessions, transaction records (line items, totals, payment method, timestamps), notes, cost-audit events, and any photos you attach.
- Preferences — language, currency, sounds, haptics, appearance, low-stock threshold, marketing-email consent, analytics opt-in.
Automatically
- Push notification token — an Expo-issued device token, stored so we can deliver reminders you opted into. Not tied to your email.
- Pseudonymous analytics events — product usage events (e.g. `sale_recorded`, `market_started`) tagged with your Supabase user id as the distinct identifier. No name, no email, no location, no advertising identifier. Disabled for guests. Opt out any time in Account → Share anonymous usage data.
- Crash and error reports — stack traces, device model, OS version, scoped to your pseudonymous user id.
- Subscription state — RevenueCat customer id (equal to your Supabase user id) and entitlement status, used to unlock paid features.
We do not collect
Precise location, contacts, calendar, microphone, camera-roll scraping, advertising identifiers (IDFA/AAID), third-party login tokens, health or financial-account data. The optional app lock uses Face ID / Touch ID / PIN stored on-device only (iOS Keychain / Android Keystore) and never leaves your device.
4. Why we collect it (lawful bases)
Under the GDPR we rely on the following lawful bases. If you are in the UK, the equivalent UK GDPR bases apply.
| Purpose | Lawful basis |
| --- | --- |
| Create your account, authenticate, reset passwords | Art. 6(1)(b) Contract |
| Store, display, and sync your inventory / markets / transactions / notes / photos | Art. 6(1)(b) Contract |
| Send push notifications you opted into | Art. 6(1)(a) Consent |
| Send marketing or product-announcement emails | Art. 6(1)(a) Consent |
| Pseudonymous product analytics | Art. 6(1)(a) Consent |
| Crash and error reporting for app stability | Art. 6(1)(f) Legitimate Interest |
| Manage subscriptions and validate receipts | Art. 6(1)(b) Contract |
| Security, abuse prevention, fraud detection | Art. 6(1)(f) Legitimate Interest |
| Comply with tax, accounting, or record-keeping obligations | Art. 6(1)(c) Legal Obligation |
We do not process any special categories of data under GDPR Art. 9.
If you are in Canada, we collect, use, and disclose your personal information under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws (Quebec Law 25, BC PIPA, Alberta PIPA), in accordance with the ten Fair Information Principles set out in Schedule 1 of PIPEDA. Where Canadian law requires consent, we obtain it through the in-app surfaces described in §3.
5. Subprocessors
We use the subprocessors below to run the Service. Each operates under its own privacy policy and processes only the minimum data needed.
- Supabase Inc. — database, authentication, file storage, Edge Functions.
- PostHog Inc. — product analytics.
- Functional Software Inc. (Sentry) — crash and error telemetry.
- RevenueCat Inc. — subscription lifecycle and receipt validation.
- Resend Inc. — transactional email (verification, password reset, support replies).
- Expo (650 Industries Inc.) — push notification delivery.
- Apple Inc. — app distribution and in-app purchase.
- Google LLC — Play Store distribution and in-app purchase.
6. International transfers
All subprocessors are based in the United States. When personal information leaves Canada, the EEA, the UK, or Switzerland and is processed by these US-based subprocessors, it becomes subject to the laws of the United States, including lawful access requests by US authorities. We require each subprocessor by contract to maintain a level of protection comparable to the protections in this policy, and we transfer data from the EEA, UK, or Switzerland under the Standard Contractual Clauses adopted by the European Commission and the equivalent UK and Swiss addenda. You can request the name of the country where a specific item of your personal information is stored by emailing the Privacy Officer.
7. How long we keep it
- Active account data (auth, app data, photos) — retained for as long as your account exists.
- Deleted accounts — purged immediately from our primary systems via our `delete-account` function. Encrypted database backups are retained by Supabase for up to 30 days and then purged automatically.
- Guest-mode data — stored only on your device; wiped on sign-out or app uninstall.
- Push notification tokens — rotated per device; cleared on sign-out.
- PostHog analytics events — up to 12 months, per PostHog's cloud retention.
- Sentry crash logs — up to 90 days, per Sentry's default retention.
- Marketing consent records — for the duration of consent plus 3 years after withdrawal, as proof of consent.
8. Your rights
You have the rights below regardless of where you live; some are granted by GDPR, some by PIPEDA, some by the CCPA / CPRA, and we honor them for everyone as a matter of policy.
- Access and export — Account → Export all data produces a ZIP with CSV exports of every entity, all uploaded photos, and your preferences.
- Rectification / correction — edit any field in the app directly.
- Erasure / deletion — Account → Delete Account triggers our `delete-account` function, which removes your Supabase auth user, all app records (via cascade), every photo in your Supabase Storage folder, your PostHog profile, and anonymizes your RevenueCat customer.
- Restriction and objection — email privacy@velsyapp.com.
- Portability — the export CSVs are a portable format you can import into spreadsheets or other tools.
- Withdraw consent — toggle off analytics or marketing in Account any time.
- Complaint — you can lodge a complaint with your local supervisory authority. If you are in Canada, you can also file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca, 1-800-282-1376, 30 Victoria Street, Gatineau, Quebec, K1A 1H3); for Quebec, the Commission d'accès à l'information du Québec (cai.gouv.qc.ca); for BC, the Office of the Information and Privacy Commissioner for BC (oipc.bc.ca); for Alberta, the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca).
We respond within one month for GDPR requests (extendable to three for complex requests), within 30 days for PIPEDA requests (extendable with notice), and within 45 days for CCPA requests (extendable to 90).
9. Children (COPPA)
Velsy is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact privacy@velsyapp.com and we will delete the information within 30 days.
10. Canadian residents (PIPEDA, Quebec Law 25, BC PIPA, Alberta PIPA)
Accountable organization. PINEFORGE INC. is the organization accountable for personal information under your custody and control under PIPEDA. Our Privacy Officer is named in §1.
Consent. We rely on your express or implied consent (depending on the sensitivity of the data) to collect, use, and disclose your personal information for the purposes set out in §3 and §4. You may withdraw consent for non-essential processing (push notifications, marketing email, product analytics) at any time in Account.
Cross-border processing. As described in §6, your personal information is processed by US-based subprocessors. Canadian law does not prohibit this, but you should know that data processed outside Canada is subject to the laws of the receiving country.
No automated decisions. We do not use your personal information to render decisions based exclusively on automated processing that produce legal effects or similarly significantly affect you. If that changes, we will disclose it here, explain the categories of personal information used, and offer you the right to request human review (Quebec Law 25 §12.1, GDPR Art. 22).
Access and correction. You can exercise your PIPEDA right of access and right of correction through Account → Export all data and by editing fields directly in-app, or by emailing the Privacy Officer.
Complaints. See §8 for the complaint path to the Office of the Privacy Commissioner of Canada and the equivalent provincial authorities.
11. California residents (CCPA / CPRA)
Your additional California rights
- Right to know what personal information we collect, use, disclose, and retain (covered above).
- Right to delete personal information we hold about you (Account → Delete Account).
- Right to correct inaccurate personal information (edit in-app or email us).
- Right to opt out of sale or sharing — see below.
- Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what's necessary to provide the Service, so this right is not triggered.
- Right to non-discrimination — we do not offer financial incentives conditioned on sharing personal information and will not discriminate against you for exercising any right.
Do Not Sell or Share My Personal Information
We do not sell your personal information. We do not share it for cross-context behavioral advertising. Our product-analytics subprocessor (PostHog) is configured for first-party analytics only, with no ad-tech integrations.
Because we do not sell or share, we do not provide a separate "Do Not Sell or Share" link; submitting a deletion request via Account → Delete Account, or emailing privacy@velsyapp.com, is sufficient.
Authorized agents: designate an agent by providing signed written permission to privacy@velsyapp.com.
Shine the Light: we do not share your personal information with third parties for their own direct marketing purposes.
12. Security
- Data is encrypted at rest (AES-256) and in transit (TLS 1.2+) by Supabase.
- Every app table enforces Supabase Row-Level Security scoped to your user id — one user cannot read another's rows.
- Photos are stored in a user-scoped folder (`photos/<uid>/...`) in Supabase Storage.
- An optional app lock uses Face ID / Touch ID / PIN stored only on-device.
- No system is perfectly secure; we encourage you to use a strong, unique password and enable device-level security.
13. Changes to this policy
We may update this policy. The "Last updated" date above reflects the most recent revision. Material changes will be surfaced in-app via a banner or push notification. Non-material edits (typos, clarifications) may happen with only a "Last updated" bump.
14. Contact
- Privacy questions or data subject requests: privacy@velsyapp.com
- General support: support@velsyapp.com
- Postal address: Privacy Officer, PINEFORGE INC., 76 Amand Dr, Kitchener, ON N2R 0L1, Canada