Every vendor that touches your data.

Listed plainly. When we add or remove one, we update this page within 14 days. If you need this in a signed addendum form for your own compliance review, email legal@vellem.io.

Service providers

VendorWhat they doData they handleWhere
Cloudflare, Inc. Hosting, CDN, DDoS protection, edge compute, D1 database, R2 storage, KV cache. Every page view and API call. Email, IP, payment metadata, kit assets USA, EU
Stripe, Inc. Payment processing for kits and Pro subscriptions; Stripe Tax for VAT/GST/sales tax. PCI scope is Stripe's; Vellem never sees card numbers. Email, name, billing address, card token, purchase history USA (Stripe EU subsidiary for EU customers)
OpenAI Hosted image and text generation models used by the kit generator and brand voice writer. Prompt content (your brand brief) is sent; outputs returned. Brand briefs, voice prompts (no PII unless you include it) USA
Resend, Inc. Transactional and marketing email delivery for kit-ready notifications, founder notes, and cadence. Email, name, brand name, message content USA
Sentry (Functional Software, Inc.) Crash and performance monitoring for the mobile app. PII is scrubbed before send (email becomes [redacted], IP dropped). Crash stacks, device model, OS version, anonymized customer ID USA, EU (data residency option)
Apple Inc. App Store distribution, In-App Purchase processing, push notifications via APNs. Apple ID email, IAP receipts, push tokens USA, EU (regional storage)
Google LLC Play Store distribution, Play Billing, push notifications via FCM. Google account email, IAP receipts, FCM push tokens USA, EU (regional storage)
Meta Platforms, Inc. Conversion tracking via Meta Pixel. Only fires after explicit cookie consent. Hashed email, event metadata, IP USA, EU
TikTok Conversion tracking via TikTok Pixel. Only fires after explicit cookie consent. Hashed email, event metadata, IP USA, Singapore
Google Analytics 4 Aggregate web traffic measurement. Only fires after explicit cookie consent. IP anonymization enabled. Anonymized session metadata USA, EU

What you control

You can opt out of marketing analytics (Meta, TikTok, GA4) by declining cookies on first visit or via the cookie banner at any time. You can opt out of marketing email at any time via the unsubscribe link in any email or by emailing support@vellem.io. You can delete your account entirely in the app at Account, Delete account, or by emailing us, which removes your data from Vellem's systems within 30 days (vendor-side deletion follows their own retention schedules).

Vendor changes

If we add a new subprocessor, we update this page within 14 days. We do not notify customers individually unless the change materially affects how your data is handled, in which case you'll get an email at least 30 days before the change takes effect, giving you time to object or terminate.

Data Processing Agreement

For B2B customers who need a signed Data Processing Agreement (DPA) to satisfy their own GDPR or CCPA compliance, email legal@vellem.io with your company name and we'll send our standard DPA template. Standard turnaround is 2 business days.

LAST UPDATED, 2026-07-09