Privacy Policy
Last updated: 12 June 2026
1. Who we are
Veylo ("Veylo", "we", "our", or "us") is a geo-fenced event media service operated by [Controller name and address to be confirmed]. We are the "data controller" for the personal data described in this policy for the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
Registration with the UK Information Commissioner's Office ("ICO") is in progress. This page will be updated with our registration number once issued.
2. Scope
This policy applies to personal data we collect when you use the Veylo iOS application (the "App") and the Veylo website at veylo.me (together, the "Service"). The Service is currently a closed beta available only in the United Kingdom and only via Apple TestFlight invitation.
3. The data we collect and why
We collect the categories of data listed below. For each, we set out the purpose and our lawful basis under Article 6 of the UK GDPR.
Account & identity
- Email address, display name, password, and avatar image — used to create and authenticate your account, identify you to other users you interact with, and contact you about the Service. Authentication is operated by Amazon Cognito on our behalf. Lawful basis: performance of our Terms of Service (Art. 6(1)(b)).
- Account type (Personal or Business) and, for Business accounts, business name — used to determine which features are available to you (Business accounts may host public events). Lawful basis: performance of contract.
- Apple Sign-In identifier — if you sign in with Apple, Apple provides us with a stable user identifier and (optionally) your email. Lawful basis: performance of contract.
Location data
- Precise device location — used to find events near you, verify that you are physically inside an event geo-fence before allowing you to upload, and trigger geo-fence-entry notifications if you have enabled them. Location is checked at the moment of each request and is not stored as a continuous trail. Lawful basis: performance of contract; the geo-fenced model is a core feature of the Service.
- Technical metadata embedded in photos and videos you upload — used to verify that media you upload was captured at the event you are sharing it to. Lawful basis: performance of contract; legitimate interests in preventing fraudulent or out-of-context uploads (Art. 6(1)(f)).
Content you create
- Events you create or join, photos and videos you upload, captions, comments, and likes — used to provide the core Service to you and to people you have invited or who are in the same event. Lawful basis: performance of contract.
- Live streams — when you start a live stream we generate a short-lived stream key (held only on your device for the duration of the stream) and a recording of the broadcast. Recordings are stored as event media. Lawful basis: performance of contract.
- Follow, block, and mute relationships — used to determine who can see your private events and to filter notifications. Lawful basis: performance of contract.
Business verification (Business accounts only)
- Date of birth, last four digits of National Insurance number, owner name, and bank details — collected directly by Stripe via Stripe's hosted form when you start business verification ("KYB"). Veylo does not store this data; we hold only the Stripe account identifier. Lawful basis: compliance with our legal obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (Art. 6(1)(c)) and performance of contract.
- Identity document image — collected directly by Stripe; Veylo never sees the document. Lawful basis: as above.
- Business verification fee (£9.99) payment details — collected by Stripe via PaymentSheet. We store the Stripe PaymentIntent ID and outcome only. Lawful basis: performance of contract.
Device & technical data
- Apple Push Notification (APNs) device token — used to deliver push notifications you have enabled. Lawful basis: consent (Art. 6(1)(a)) — you can disable push notifications in iOS Settings or in the App at any time.
- Crash reports and performance data — when you opt in to share data with App Developers in iOS Settings, Apple sends us aggregated crash and performance reports for the App. We use these only to fix bugs. Lawful basis: legitimate interests in maintaining a working app; Apple acts as data controller for the underlying collection and you control the opt-in via iOS.
- Server logs — our servers automatically log timestamps, request paths, and IP addresses for security and abuse prevention. Logs are retained for up to 30 days. Lawful basis: legitimate interests in security.
4. Who we share data with
We use the following processors and sub-processors:
- Amazon Web Services EMEA SARL (eu-west-1, Ireland) — hosting, authentication, encrypted media storage, live video delivery, content delivery network, and application compute.
- Stripe Payments UK, Ltd. — business verification (KYB) and payments. Stripe is an independent controller for the verification data it collects directly from you. See Stripe's privacy policy.
- Apple Inc. — push delivery (APNs), TestFlight distribution, Sign in with Apple, and aggregated crash reports. See Apple's privacy policy.
We do not sell personal data. We do not use your data for advertising, and we do not run third-party analytics or tracking on the Service.
5. International transfers
Your data is primarily processed in the European Economic Area (Ireland — AWS eu-west-1). Stripe and Apple may process data outside the UK and EEA. Where this happens, we rely on the UK's Data Protection Act 2018 adequacy decisions, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or other approved transfer mechanisms.
6. How long we keep data
- Account data — for as long as your account is active. If you delete your account, we delete or anonymise account data within 30 days, except where we are required to retain it for legal or accounting reasons.
- Photos, videos, and live recordings — until you delete them or your account is deleted, whichever is sooner.
- Server logs — up to 30 days.
- Stripe verification & payment records — retained by Stripe according to their policy and applicable financial-services regulation; we retain the Stripe identifier for the lifetime of your account and for up to 7 years after for accounting purposes.
7. Your rights
Under the UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate personal data corrected;
- have your personal data erased (the "right to be forgotten");
- restrict or object to our processing of your personal data;
- data portability — receive a copy of your data in a structured format;
- withdraw consent at any time where we process data on the basis of consent (e.g. push notifications);
- lodge a complaint with the Information Commissioner's Office (ico.org.uk/make-a-complaint).
To exercise any of these rights, email contact-us@veylo.me. We will respond within one month.
8. Children
Veylo is not intended for and is not knowingly offered to anyone under the age of 18. If you believe we have collected data from a child, contact contact-us@veylo.me and we will delete it.
9. Security
All traffic between your device and our servers is encrypted using TLS. Photos and videos are stored in encrypted object storage. Authentication is operated by Amazon Cognito, and we do not store passwords ourselves. Despite reasonable precautions, no system is perfectly secure; you use the Service at your own risk.
10. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be brought to your attention in-app or by email.
11. Contact
For privacy questions or to exercise your rights, contact contact-us@veylo.me.