Privacy Policy

Velvet is built with privacy as a core design value, not an afterthought. We believe voice is among the most intimate forms of personal data and should stay under your control at all times. This policy explains exactly what data we collect, how we use it, and the rights you have.

This policy applies to the Velvet desktop applications for Windows and macOS, the velvetvoice.app marketing site, and any connected services (licensing, cloud transcription, user dashboard).

We collect only the minimum data required to provide the service.

Account data

When you create an account, we store your email address and a bcrypt-hashed password. We never store plaintext passwords.

Billing data

Payment information is handled entirely by PayPal — our payment processor. Velvet never sees card numbers or PayPal login details. We receive only: subscription status, plan tier, renewal date, and country (for VAT).

Usage counters

Word counts per week are reported to our servers when you dictate on the Free tier, so we can enforce weekly cloud and local word quotas. We store only the count — not your transcripts or audio.

• To provide and maintain the Velvet service.
• To manage your subscription and issue license keys.
• To send transactional emails (password reset, billing receipts, expiry warnings).
• To respond to support requests.
• To improve the product via aggregated, opt-in crash reports. You can disable this in Preferences → Privacy.

We do not:

• Sell or rent your data to any third party.
• Use your voice data or transcripts to train any model.
• Serve third-party advertising or tracking scripts.
• Share your data with ad networks, data brokers, or analytics platforms that resell data.

Local mode — Your audio is processed entirely on your device using the bundled Whisper models. No audio or transcription data is sent to Velvet or any third party.

Cloud mode — If you opt in to cloud transcription (off by default on Free), audio is sent over TLS 1.3 to our managed endpoint. We delete the audio immediately after the transcript is returned. We do not log the audio or transcript. Our open-source auditor lets you verify this.

Privacy Mode — When enabled, Velvet writes nothing to disk: no audio, no transcripts, no word counts, no dictionary sync. A clean session every time.

• Account data is stored in an encrypted SQLite database on a hardened Linux server.
• All transport uses TLS 1.3. HTTP is disabled site-wide.
• Passwords are hashed with bcrypt (cost factor 12) and never logged.
• Your local dictionary, snippets, and preferences are AES-256 encrypted at rest.
• Access to production systems is gated by hardware keys and logged.

• PayPal — payment processing, subscription management, VAT handling.
• Resend — transactional emails (receipts, password resets).
• Cloudflare — CDN, DNS, DDoS mitigation for the website.
• Groq — cloud transcription and AI text cleanup for Pro subscribers who enable cloud mode. Audio is not retained after transcription.

Each service has its own privacy policy. We share only the minimum data required for each service to function.

You have the right to:

• Access and export all personal data we hold (dashboard → Settings → Export).
• Correct any inaccurate data about you.
• Delete your account and all associated data at any time.
• Object to or restrict processing.
• Port your dictionary and snippets as JSON or CSV.
• Withdraw consent for crash reporting or cross-device sync.

Exercise any of these from your Dashboard. We respond within 30 days.

The velvetvoice.app website uses essential cookies for authentication and preferences. If you consent, we also use Google Analytics to collect anonymised traffic statistics. We do not use marketing cookies or ad trackers. See our Cookie Policy for details.

We retain personal data only for as long as necessary for the purposes described below:

After the retention period expires, data is securely deleted or anonymised. Backups may retain data for up to 90 days after deletion before being overwritten.

We use carefully selected subprocessors to operate our services. Each subprocessor is contractually bound to process data only on our behalf and in compliance with UK GDPR and EU GDPR.

• PayPal — payment processing, subscription management (United States)
• Resend — transactional email delivery (United States)
• Cloudflare — CDN, DNS, DDoS mitigation (United States / EU)
• Groq — cloud transcription & AI text cleanup for Pro users who enable cloud mode (United States)
• Hetzner — server hosting, encrypted volumes (Germany)

We rely on Standard Contractual Clauses (SCCs) for any transfers of personal data outside the UK and EEA. If you require a copy of our Data Processing Agreement (DPA), please contact us.

If you are in the United Kingdom or the European Economic Area (EEA), you have the following data protection rights under the UK GDPR / EU GDPR:

• Right to access (Art. 15) — request a copy of all personal data we hold about you.
• Right to rectification (Art. 16) — correct inaccurate or incomplete data.
• Right to erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
• Right to restrict processing (Art. 18) — limit how we use your data in certain circumstances.
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON/CSV).
• Right to object (Art. 21) — object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent — withdraw consent for crash reporting or cross-device sync at any time.
• Right to lodge a complaint — with the UK Information Commissioner's Office (ICO) or your local EU supervisory authority.

To exercise any right, use the Export or Delete functions in your Dashboard, or contact us. We respond within 30 days. There is no charge for making a request.

Legal basis for processing

• Contract (Art. 6(1)(b)) — account management, service provision, billing.
• Legitimate interests (Art. 6(1)(f)) — product improvement via anonymised metrics, fraud prevention, network security.
• Consent (Art. 6(1)(a)) — opt-in crash reporting and any optional data-sharing features.
• Legal obligation (Art. 6(1)(c)) — tax records, responding to lawful requests.

EU representative

As a UK company offering services to individuals in the EU, we have appointed an EU representative for GDPR purposes. If you are in the EU and wish to contact our representative directly, please contact us with “EU Representative” in the subject line and we will provide the contact details.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

• Right to know — request disclosure of the categories and specific pieces of personal information we collect.
• Right to delete — request deletion of your personal information, subject to certain exceptions.
• Right to opt-out of sale/sharing — we do not sell or share personal information for cross-context behavioural advertising. No action is required.
• Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
• Right to correct — request correction of inaccurate personal information.
• Right to limit use of sensitive personal information — we do not collect sensitive personal information beyond what is necessary to provide the service.

To exercise your California privacy rights, contact us or use the Dashboard tools. We will verify your identity before processing the request.

Categories of personal information collected (last 12 months)

• Identifiers (email address, account ID)
• Commercial information (subscription status, billing cycle, payment history)
• Internet or network information (IP address, browser type, device type)
• Usage data (word counts, feature usage — aggregated and anonymised where possible)

Disclosures for business purposes

We disclose personal information to our subprocessors (PayPal, Resend, Cloudflare, Groq, Hetzner) solely to operate the service. We do not sell personal information.

In the unlikely event of a personal data breach, we will:

• Assess the severity and scope of the breach within 24 hours of discovery.
• Notify the UK Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to your rights and freedoms.
• Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
• Document the breach, its effects, and the remedial action taken.

Velvet is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us from your Dashboard and we will delete it.

We may update this policy. Material changes are announced by email to all registered users at least 30 days before they take effect. The “last updated” date at the top of this page always reflects the current version. Continued use of the service after the effective date constitutes acceptance of the revised policy.

Questions about privacy, data, or this policy? Contact us from your Dashboard or use our contact form.

Data controller: GasDigital Ltd., registered in England & Wales (Company Number available on request). Our registered office is in the United Kingdom.

If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local EU data protection authority.