Privacy Policy
Effective March 30, 2026
1. What We Collect
- Account data: email address, display name (from account signup)
- Integration tokens: Google OAuth tokens (access + refresh), Todoist API token — stored in our database to connect your accounts
- Task data: task names, priorities, due dates, estimates, projects — synced from your Todoist account
- Calendar data: event titles, times, locations — read from your Google Calendar for scheduling
- Email data: when Gmail integration is enabled — subject lines, sender, date, message snippet, and up to 2,000 characters of body text from your last 3 days of Gmail. Used only for triage task extraction; raw email content is not stored, but extracted task metadata is retained for 14 days
- Voice data: audio recordings captured when you use voice mode — transcribed in real-time, never stored
- Planning data: your conversations with Vela, daily objectives, scheduled tasks
- Behavioral data: task completion patterns, scheduling preferences, estimation accuracy — used to improve planning suggestions over time
2. How We Use Your Data
- Daily planning: your tasks, calendar, and context are assembled into prompts sent to Claude (Anthropic) to generate personalized planning suggestions
- Triage extraction: when Gmail is connected, messages are sent to Claude to identify actionable tasks — only extracted task metadata is stored, not raw email content
- Knowledge system: facts, observations, and inferences about your work patterns are generated to improve future planning — all scoped to your account
- Profile building: your work patterns are analyzed to personalize scheduling (peak hours, estimation tendencies, overcommitment patterns)
- Voice mode: audio is transcribed via Groq Whisper, and Vela's responses are converted to speech via OpenAI TTS — no audio is stored
3. Third-Party Processors
Your data is processed by these services:
| Service | What they receive | Purpose |
|---|---|---|
| Anthropic (Claude) | Task names, calendar events, email content, chat messages, planning context | AI planning and task extraction |
| OpenAI | Vela's response text (no user data) | Text-to-speech in voice mode |
| Groq | Audio recording (no user identity) | Speech-to-text transcription |
| Google | OAuth tokens, calendar/Gmail API calls | Calendar sync and email triage |
| Todoist | API token, task CRUD operations | Task management sync |
| Supabase | All stored data (database host) | Database and authentication |
| Loops | Email address | Waitlist signup and email communications |
| Sentry | Error stack traces, user ID | Error monitoring (production only) |
| Vercel Analytics | Page URL, referrer, user-agent (no personal identity) | Usage analytics |
Each service has its own privacy policy governing how it handles data.
4. Data Retention
| Data type | Retention |
|---|---|
| Daily activity logs | 14 days |
| Triage feed (extracted tasks) | 14 days |
| Daily summaries | 30 days |
| Daily reflections | 30 days |
| Chat sessions | 30 days |
| Weekly digests | 84 days (12 weeks) |
| Learnings & preferences | Until you delete your account |
| User profile | Until you delete your account |
| Weekly plans | Until you delete your account |
Retention cleanup runs daily via automated maintenance.
5. Data Storage & Security
- All data stored in Supabase (PostgreSQL) with row-level security — you can only access your own data
- All connections use HTTPS encryption in transit
- Integration tokens (Google, Todoist) are stored in the database — not encrypted at rest beyond Supabase's infrastructure encryption
- Your browser's localStorage stores UI preferences (panel width, filter settings, panel expand state) and your authentication session token managed by Supabase. No task content, calendar data, or email data is stored in localStorage
6. Your Rights
- Delete your account: deleting your account cascades to delete all your data across all tables
- Disconnect integrations: you can revoke Google access via your Google account settings; you can remove your Todoist token via Vela settings
- Opt out of voice: voice mode is optional — don't use it and no audio is captured
- Data export: not currently available — planned for a future release
7. International Users
If you are located in the EU, you may have additional rights under GDPR, including the right to access, correct, or erase your data. If you are a California resident, we do not sell your personal information. Contact phil@getvela.bot to exercise any data rights.
8. Changes
We may update this policy as the product evolves. Changes will be posted on this page with an updated effective date.
9. Contact
Questions about your data? Email phil@getvela.bot.