Privacy Policy

Last updated: February 2026

1. Introduction

Veldi ehf., a company registered in Reykjavik, Iceland, is the data controller for personal data processed through the Veldi platform ("Service"). We process personal data in accordance with the General Data Protection Regulation (EU 2016/679, "GDPR") and the Icelandic Act No. 90/2018 on Data Protection and the Processing of Personal Data.

This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have.

2. Data Controller

Veldi ehf.
Reykjavik, Iceland
Email: support@veldi.app

The relevant data protection authority is Persónuvernd (the Icelandic Data Protection Authority), Rauðarárstígur 10, 105 Reykjavík, Iceland.

3. What Data We Collect

Account data

Name, email address, and hashed password (or OAuth provider token).

Profile data

Preferred currency, locale, and display preferences.

Asset data

Asset names, types, values, descriptions, purchase dates, and photos you upload. This data is provided entirely by you.

Financial data

Expenses, income records, loan details, and insurance policy information you enter.

Maintenance data

Maintenance schedules, records, and service history you create.

Documents

Files you upload, such as receipts, contracts, warranties, and manuals.

Usage data

Aggregate, anonymised analytics about pages visited and features used. This data cannot be used to identify individual users.

Technical data

Browser type, device type, and IP address, collected for security and fraud prevention purposes.

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing that is necessary to provide the Service you signed up for, including storing your asset data, calculating dashboard summaries, and sending service-related notifications.
• Legitimate interest (Art. 6(1)(f)): Processing for security purposes, fraud prevention, and improving the Service based on aggregate usage patterns. We have assessed that these interests do not override your fundamental rights.
• Consent (Art. 6(1)(a)): Where applicable, for optional analytics and marketing communications. You may withdraw consent at any time.

5. How We Use Your Data

We use your data to:

• Provide and operate the Veldi service, including storing and displaying your assets, financial records, and documents.
• Calculate dashboard summaries, net asset values, and cost breakdowns.
• Generate and deliver maintenance reminders and notifications.
• Send service-related communications (e.g., password resets, account notifications).
• Improve the Service based on aggregate, anonymised usage patterns.
• Ensure the security and integrity of the platform.

We do not sell your data. We do not share your personal data with advertisers, data brokers, or any third party for marketing purposes.

6. Data Storage and Security

Where your data is stored

All your personal and financial data is stored in the European Union, specifically in Stockholm, Sweden (AWS eu-north-1). Your data never leaves the EU/EEA. We chose this location to ensure your information is protected by some of the strongest data protection laws in the world.

This includes your account information, asset records, financial data, maintenance history, and any documents or photos you upload. Everything stays in the Nordics.

How your data is protected

• All data is encrypted in transit using TLS 1.2 or higher.
• All data is encrypted at rest using AES-256 encryption.
• Row-Level Security (RLS) policies in the database ensure strict data isolation between users. You can only access your own data.
• Uploaded files are stored in encrypted cloud storage with per-user access controls.
• Access to production systems is restricted to essential personnel only and requires multi-factor authentication.

What we do not do

• We do not connect to your bank accounts or financial institutions.
• We do not share your financial data with any third party.
• We do not use your data to build financial profiles or creditworthiness assessments.
• We do not store payment card details — all payments are handled by our payment processor.

7. Data Retention

• Active accounts: Your data is retained for as long as your account is active.
• Deleted accounts: When you delete your account, all personal data is permanently deleted within 30 days.
• Backups: Backup copies containing your data are purged within 90 days of account deletion.

8. Your Rights

Under GDPR Chapter III, you have the following rights regarding your personal data:

• Right of access (Art. 15): You may request a copy of all personal data we hold about you.
• Right to rectification (Art. 16): You may correct inaccurate or incomplete data at any time through the app, or by contacting us.
• Right to erasure (Art. 17): You may delete your account and all associated data at any time.
• Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
• Right to restrict processing (Art. 18): You may request that we limit how we process your data in certain circumstances.
• Right to object (Art. 21): You may object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@veldi.app. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with Persónuvernd (the Icelandic Data Protection Authority) if you believe your data protection rights have been violated. Website: personuvernd.is

9. Third-Party Services

We use a limited number of third-party services to operate Veldi. These providers process data on our behalf as data processors, bound by data processing agreements:

• Supabase — Database, authentication, and file storage. Data processed in the EU (Stockholm).
• Vercel — Web application hosting. Serves the frontend application.
• Google — OAuth sign-in (if you choose to sign in with Google). Only authentication data is shared.

We do not use advertising networks, data brokers, or social media tracking pixels.

10. International Transfers

Your data is processed within the EU/EEA. Our primary data infrastructure is located in Stockholm, Sweden (EU). Iceland is part of the European Economic Area (EEA), ensuring GDPR-equivalent data protection.

If we need to transfer data outside the EEA in the future, we will ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or reliance on adequacy decisions.

11. Cookies

Veldi uses only essential cookies required for the Service to function, specifically for authentication session management. We do not use:

• Tracking cookies
• Advertising cookies
• Third-party analytics cookies

Essential cookies are exempt from consent requirements under the ePrivacy Directive, so no cookie consent banner is needed.

12. Children

Veldi is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email at least 14 days before the changes take effect. Previous versions of this policy are available upon request.

14. Contact

For any questions or requests regarding your personal data or this Privacy Policy:

Email: support@veldi.app

Data Protection Authority:
Persónuvernd
Rauðarárstígur 10
105 Reykjavík, Iceland
personuvernd.is