The short version. Your cycle data, symptoms, journal, and every other health entry live on your phone — encrypted. If you turn on sync or partner mode, they’re encrypted end-to-end before they ever leave your device. Our servers (in Helsinki, Finland) see only opaque blobs. We don’t sell data. We don’t track health behavior. We don’t run ads. If it’s not paid, it’s not our business model.
1. Our Privacy Principles
Four commitments are enforced in our code, not just our copy:
- Local-first. Every entry you make is saved to your device first. The app works fully offline.
- Zero-knowledge. Health data we hold for sync is encrypted with keys only you possess. We cannot decrypt it. We cannot read it. Even if legally compelled, we could only hand over ciphertext.
- Panic button. A single in-app action wipes local encryption keys and data, instantly — no confirmation chains, no remote delay.
- Identity separation. Your health data is never indexed by your email, name, or any PII — only by an internal identifier that is meaningless outside our system.
2. Information We Collect
2.1 Information stored on your device only
All of the following stays on your phone unless you explicitly enable sync:
- Cycle entries (period dates, flow, length, phase).
- Symptoms, mood, and tags you log.
- Notes and journal entries.
- Prediction settings and preferences.
- Garden state (plants, growth, streaks).
If you never enable sync or partner mode, none of this data ever reaches our servers.
2.2 Information we receive (only if you enable sync or sign in)
- Authentication data. If you create an account, you sign in using Sign in with Apple or Sign in with Google. We do not offer password-based sign-up and never create, transmit, or store passwords. Through our identity library (better-auth) we receive from Apple or Google only a stable provider user ID, plus — if and only if you grant it during the consent screen — your email address and/or display name. We use these claims to recognize you on future sessions and, where applicable, to send you service emails (account deletion confirmations, security notices). Apple’s “Hide My Email” relay is fully supported: if you choose it, we never see your real address.
- Encrypted data blobs. When sync is enabled, your device encrypts your data using keys derived on-device, then uploads the ciphertext. We store it, replicate it for reliability, and relay it back to your other devices. We never see plaintext.
- Partner mode keys. When you invite a partner, their public key is exchanged with yours via an X25519 handshake. We store the encrypted session key, not your data. Partners see only what you choose to share, encrypted with keys derived from your handshake.
2.3 Analytics events (only after you grant consent)
If you consent via our cookie banner, we send anonymous event data to OpenPanel, our privacy-first analytics provider. Analytics events help us understand what features people use; they do not include any health data. Our codebase enforces this with a hard-coded list of forbidden keys: an event payload containing any of them raises a runtime exception instead of being sent.
Below is the complete list of every event we record on the web. These events have no user identifier attached — they are fully anonymous.
| Event | What it records |
|---|---|
| page_view | Which page you visited (home, terms, privacy). |
| hero_cta_clicked | You clicked the main hero call-to-action. |
| app_store_link_clicked | You tapped the App Store download button, and where on the page (hero, final CTA, footer). |
| play_store_link_clicked | You tapped the Google Play button, and where on the page. |
| email_waitlist_submitted | You submitted the waitlist form (once that feature ships). |
| section_scrolled_into_view | Which marketing section became visible on your screen. |
| faq_expanded | Which FAQ item you opened (if/when the FAQ ships). |
| pricing_plan_viewed | Which pricing tier you looked at (if/when pricing is public). |
| locale_changed | You switched the site language (e.g., en → es). |
| consent_granted | You accepted analytics via the cookie banner. |
| consent_revoked | You declined or withdrew consent. |
Our analytics system has a built-in safeguard: a forbidden keys list. If any event payload ever contains one of the following field names, the code throws a runtime error and the event is not sent:
email
name
firstName
lastName
displayName
phone
address
city
gps
latitude
longitude
cycleDay
cyclePhase
ovulation
luteal
follicular
flow
flowLevel
mood
moods
symptoms
notes
note
journal
journalEntry
basalTemp
cervicalMucus
pillTaken
contraceptive
hormoneTherapy
intercourse
medication
partnerCode
partnerId
inviteCode
predictedPeriod
periodDate
periodLength
searchQuery
query
messageContent
appleSub
googleSub
Every payload is also length-limited (each string capped at 128 characters) to prevent anything free-text from accidentally smuggling data out. You can revoke consent at any time from the cookie banner; when you do, the OpenPanel script is unloaded and no further events are sent.
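The guard described above, as an added illustration rather than Vela’s own code: it rejects unknown event names, throws on any forbidden field name at any nesting depth, and truncates every string to 128 characters before the event reaches the tracker. The forbidden-key subset is drawn from the list above, the case-insensitive match and the nesting limit are assumptions, and the `sink` callback stands in for the real OpenPanel client.

```javascript
// Added illustration, not Vela's code: a client-side guard enforcing the
// §2.3 rules before an event reaches the analytics client. Case-insensitive
// key matching, the nesting limit and the `sink` callback are assumptions.

const MAX_STRING_LENGTH = 128;
const MAX_DEPTH = 4; // assumption: deeper payloads are rejected, not walked

// Representative subset of the policy's forbidden keys, matched
// case-insensitively so `Email` or `CYCLEDAY` cannot slip past.
const FORBIDDEN_KEYS = new Set(
  [
    'email', 'name', 'firstName', 'lastName', 'displayName', 'phone',
    'address', 'gps', 'latitude', 'longitude', 'cycleDay', 'cyclePhase',
    'flow', 'mood', 'symptoms', 'notes', 'journal', 'partnerId',
    'inviteCode', 'periodDate', 'searchQuery', 'appleSub', 'googleSub',
  ].map((k) => k.toLowerCase()),
);

// The web events the policy enumerates; anything else is refused outright.
const ALLOWED_EVENTS = new Set([
  'page_view', 'hero_cta_clicked', 'app_store_link_clicked',
  'play_store_link_clicked', 'email_waitlist_submitted',
  'section_scrolled_into_view', 'faq_expanded', 'pricing_plan_viewed',
  'locale_changed', 'consent_granted', 'consent_revoked',
]);

class ForbiddenAnalyticsKeyError extends Error {
  constructor(key) {
    super(`analytics payload contains forbidden key "${key}"`);
    this.name = 'ForbiddenAnalyticsKeyError';
    this.key = key;
  }
}

// Recursively copies a value, capping strings and refusing forbidden keys.
function sanitizeValue(value, depth) {
  if (typeof value === 'string') return value.slice(0, MAX_STRING_LENGTH);
  if (value === null || typeof value !== 'object') return value;
  if (depth >= MAX_DEPTH) throw new RangeError('analytics payload nested too deeply');
  if (Array.isArray(value)) return value.map((v) => sanitizeValue(v, depth + 1));
  const clean = {};
  for (const [key, inner] of Object.entries(value)) {
    if (FORBIDDEN_KEYS.has(key.toLowerCase())) throw new ForbiddenAnalyticsKeyError(key);
    clean[key] = sanitizeValue(inner, depth + 1);
  }
  return clean;
}

function sanitizePayload(payload = {}) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new TypeError('analytics payload must be a plain object');
  }
  return sanitizeValue(payload, 0);
}

// Validate first, send second: a thrown error means nothing reaches `sink`.
function track(eventName, payload, sink) {
  if (!ALLOWED_EVENTS.has(eventName)) throw new RangeError(`unknown analytics event "${eventName}"`);
  const safe = sanitizePayload(payload);
  sink(eventName, safe);
  return safe;
}

// Constructed demo: one allowed event, then one that smuggles a cycle day
// inside a nested object. Only the first is delivered.
function demo() {
  const sent = [];
  const sink = (name, data) => sent.push({ name, data });
  track('app_store_link_clicked', { location: 'hero' }, sink);
  let blocked = null;
  try {
    track('page_view', { page: 'home', context: { cycleDay: 14 } }, sink);
  } catch (err) {
    blocked = err instanceof ForbiddenAnalyticsKeyError ? err.key : null;
  }
  return { sentCount: sent.length, blocked };
}
```

The check runs on the fully expanded payload rather than on top-level keys only; a guard that inspected just the first level would let `{ context: { cycleDay: 14 } }` through.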
2.4 Subscription information
Premium subscriptions are processed by Apple or Google via RevenueCat. We receive an entitlement status (premium vs. free) tied to your internal user ID — we never see your payment card, billing address, or App Store account.
2.5 Device and diagnostic information
If the app crashes, basic diagnostic information (device model, OS version, and a crash stack trace — with health data scrubbed before transmission) may be sent to Sentry, our crash-reporting service. Stack traces include technical paths and error messages, never your cycle data, journal contents, or symptoms. You can opt out of crash reporting in app settings.
3. Special Category (Sensitive) Data
Health data is legally sensitive. Cycle tracking, symptom logs, mood entries, and related information constitute special category data under Article 9 of the EU General Data Protection Regulation and equivalent “sensitive personal information” categories under California and other U.S. state privacy laws. Processing special category data requires a stricter legal basis than ordinary personal data.
Our legal basis for processing your health data is your explicit consent, given when you:
- Install and open the app (stores data on your device).
- Enable sync or partner mode in app settings (enables encrypted transmission).
You may withdraw that consent at any time by disabling sync, deleting your account, or using the panic-wipe feature. Because we never hold your decryption keys, withdrawing consent renders any previously-uploaded ciphertext permanently unreadable once your keys are discarded.
4. Legal Bases for Processing (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, Article 6 of the General Data Protection Regulation requires us to identify a legal basis for each processing activity:
| Processing activity | Legal basis |
|---|---|
| On-device health data storage | Not applicable — no processing occurs on our infrastructure. |
| Encrypted blob sync | Explicit consent (Art. 9(2)(a)) and contract performance (Art. 6(1)(b)). |
| Account authentication | Contract performance (Art. 6(1)(b)). |
| Subscription billing | Contract performance (Art. 6(1)(b)). |
| Web and in-app analytics | Explicit consent via cookie banner (Art. 6(1)(a)). |
| Crash reporting (Sentry) | Legitimate interest in maintaining Service reliability (Art. 6(1)(f)), with opt-out. |
| Security, fraud, and abuse prevention | Legitimate interest (Art. 6(1)(f)). |
| Response to legal process | Legal obligation (Art. 6(1)(c)). |
5. On-Device AI and Automated Decisions
Vela uses several machine-learning and AI features. All of them run entirely on your device. No health data is ever sent to a cloud AI service.
- Cycle predictions. A combination of Ogino-Knaus calculation and weighted moving average, computed locally.
- Anomaly detection. Z-score statistical analysis of cycle variations, computed locally.
- Semantic search. On-device embeddings of your own journal entries for natural-language search.
- Partner tips. A small on-device language model generates phase-aware suggestions shown to your Partner (if Partner Mode is enabled). The model sees only the phase context you choose to share, and inference happens on the Partner’s device — not on our servers.
Automated decision-making. Predictions, anomaly alerts, and tips are informational only. They do not produce legal effects or similarly significant effects for you, so they do not qualify as “solely automated decisions” under GDPR Article 22. You always retain full manual control over your data and the app’s behavior.
6. How We Use Information
- To provide the core app experience on your device (all processing is local).
- To sync your encrypted data across your own devices, if you enable sync.
- To relay encrypted partner-mode data between you and a partner you’ve invited.
- To authenticate you and tie your entitlement (premium vs. free) to the right account.
- To measure aggregate, non-health usage patterns (only after consent) so we can improve the app.
- To respond to your support requests.
- To comply with legal obligations.
We do not use your information to serve ads, to train machine-learning models on your data, or to sell, rent, or lease it to anyone.
7. How We Protect Information
- At rest on your device: Vela uses your platform’s secure storage (iOS Keychain / Android Keystore) for encryption keys.
- In transit: All network traffic is encrypted with TLS 1.2 or higher.
- At rest on our servers: Sync and partner-mode payloads are encrypted on your device with AES-256-GCM before upload. We never hold your encryption keys.
- Partner mode key exchange: Uses X25519 Diffie-Hellman for forward-secret session keys.
- Access control: Only a small number of authorized engineers can access the infrastructure storing encrypted blobs, and access is logged.
8. Data Sharing
We do not sell or rent personal information. Ever. We share information only in the following narrow circumstances:
- Service providers. Limited, contractual sharing with providers that operate the Service — our authentication provider, our hosting provider (Hetzner), our analytics provider (OpenPanel), our crash-reporting service (Sentry), and RevenueCat for subscription management. Each is bound by a data processing agreement and receives only the minimum data necessary.
- Partner mode. Only the data you choose to share, encrypted end-to-end, visible only to the partner you invite. If you revoke the connection, their access ends.
- Legal compulsion. If compelled by valid legal process, we would comply — but because sync data is encrypted with your keys, the useful content we could hand over is limited to account-level metadata (email if you signed in, subscription status, the existence of encrypted blobs). We would not be able to produce plaintext health data.
- Business transfer. If Vela is ever acquired, your information may transfer to the acquirer, subject to a policy at least as protective as this one. We’ll notify you before your data moves.
9. Biometric Authentication
If you enable Face ID, Touch ID, or fingerprint unlock for the Vela app, the biometric template is stored exclusively in the Secure Enclave (iOS) or the Trusted Execution Environment (Android) on your device. We never receive, store, or process your biometric data. The operating system returns only a success/failure signal to the app.
10. Push Notifications
If you grant permission, Vela may send push notifications — for example, cycle reminders or phase updates. Notification content is generic by design and never contains your cycle day, phase name, symptoms, or journal content. You can disable notifications at any time from your device’s system settings.
11. Cookies and Local Storage
The Vela website uses browser localStorage only for functional purposes:
- Your theme preference (light / dark).
- Your language preference (English / Spanish).
- Your cookie-consent choice.
We do not use tracking cookies. If you grant analytics consent, the OpenPanel script may set a first-party identifier; if you revoke consent, it is cleared.
12. Do Not Track
Some browsers send a “Do Not Track” (DNT) signal. Because we do not load analytics or any tracking technologies without your explicit consent via the cookie banner, a DNT signal is effectively honored by default — we simply don’t track anyone who hasn’t opted in, regardless of DNT.
13. Your Rights
You have the following rights, available in-app or by contacting [email protected]:
- Access and export. Export your data from the app as a JSON file. Because the data lives on your device, this is always available.
- Correction. Edit any entry at any time within the app.
- Deletion. Delete individual entries, wipe all local data, or delete your account entirely from app settings.
- Panic wipe. Instantly destroy local keys and data with one tap, no remote dependency.
- Withdraw consent. Revoke analytics consent at any time; we’ll stop loading the analytics script.
- Object or restrict processing. Contact us if you want to limit how we process account metadata.
- Data portability. The exported JSON is portable and can be imported into any tool that supports the format.
- Lodge a complaint. If you’re in the EU or UK, you have the right to complain to your local data protection authority.
14. California Privacy Rights (CCPA/CPRA)
If you are a resident of California, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
Categories of personal information we collect
- Identifiers: email address, authentication provider ID, internal user ID.
- Commercial information: subscription entitlement status from RevenueCat.
- Internet or other electronic network activity information: analytics events (only after consent) and basic device diagnostic data.
- Sensitive personal information: cycle data, symptoms, journal — stored exclusively on your device or as end-to-end-encrypted blobs we cannot read.
Sources
Directly from you, from Apple and Google during authentication or subscription, and from your device (diagnostic data).
Business purposes
To provide and secure the Service, process subscriptions, respond to support, and (with consent) improve the product through analytics. We do not use personal information for targeted advertising.
Your California rights
- Right to know what personal information we collect, use, disclose, and the sources and purposes.
- Right to delete the personal information we hold about you, subject to limited exceptions.
- Right to correct inaccurate personal information.
- Right to limit use and disclosure of sensitive personal information — we use it only for providing the Service and do not disclose it beyond what this Policy describes.
- Right to opt out of sale or sharing. We do not sell your personal information and do not share it for cross-context behavioral advertising. There is nothing to opt out of, but your right is preserved.
- Right to non-discrimination. We will not deny, charge different prices for, or provide a different quality of Service because you exercise any of these rights.
- Authorized agent. You may designate an authorized agent to exercise your rights by providing signed written authorization.
To exercise any right, email [email protected]. We’ll verify your identity using information reasonably necessary to confirm your request and respond within the timeframes required by law (generally 45 days).
“Shine the Light” notice
California Civil Code §1798.83 permits California residents to request information about disclosures we make of personal information to third parties for their direct-marketing purposes. We do not make such disclosures.
15. International Data Transfers
Our backend runs on self-hosted infrastructure at Hetzner’s data center in Helsinki, Finland (European Union). If you access Vela from outside the EU, your encrypted data will travel across borders to and from Finland. For users in the EU and UK, data remains within adequate-protection jurisdictions. For users in the United States and other regions, transfers rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission where applicable.
Because the overwhelming majority of your data stays on your device and any synced data is encrypted with keys we never hold, cross-border transfer is limited to account metadata and ciphertext we cannot read.
16. Geographic Availability
danestves LLC is established in the State of Delaware, United States, and is not established in the European Union, the European Economic Area, the United Kingdom, or Switzerland. At this time, Vela is not offered in the EEA (the 27 EU member states plus Iceland, Liechtenstein, and Norway), the United Kingdom, or Switzerland: the App Store and Google Play listings for Vela restrict distribution to territories outside those regions, and the Service is not marketed or targeted to residents of those regions.
Because Vela is not offered in those regions, we have not appointed a representative under Article 27 of the EU GDPR, under Article 27 of the UK GDPR, or under the revised Swiss Federal Act on Data Protection (nFADP). Should we expand availability to any of those regions in the future, we will appoint the representative(s) required by applicable law before enabling distribution there, and we will update this Privacy Policy with the representative’s name, postal address, and contact email. If you believe we have inadvertently collected personal data from a resident of a restricted region, please contact [email protected] and we will delete it promptly.
17. Children’s Privacy
Vela is not directed to anyone under 16. We do not knowingly collect personal information from minors under 16. If we learn we have, we will delete it promptly. If you believe we hold information about a minor, contact [email protected].
18. Third-Party Services and Links
A short roster of who helps us run Vela, and why:
- Hetzner Online GmbH — EU-based (Helsinki, Finland) hosting provider. Stores encrypted blobs only; reads only ciphertext.
- OpenPanel — privacy-first analytics. Cookieless by default. No health data ever sent (see §2.3).
- Sentry — crash reporting. Receives stack traces with health data scrubbed.
- RevenueCat — subscription management. Receives subscription events from Apple / Google, not your health data.
- Apple & Google — app distribution, payments, and (if you sign in with Apple / Google) authentication.
Third-party links. Our Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies before providing any information.
19. Data Retention and Account Deletion
Data on your device is retained until you delete it. The account-deletion process runs as follows:
- In-app action. Open Settings → Account → Delete Account.
- Immediate. Your local data and encryption keys are wiped from your device. Our server marks your encrypted blobs and account metadata for deletion.
- Within 30 days. Encrypted blobs are permanently deleted from production databases.
- Within 90 days. Encrypted blobs cycle out of encrypted backups.
- Retained beyond 90 days. Only the minimum records required by law — such as tax-related billing records — are retained, and only for the minimum period required.
Analytics events are retained in aggregate for up to 13 months, with no way to tie them back to you.
20. Data Breach Notification
In the event of a personal data breach affecting you, we commit to notifying you within 72 hours of becoming aware of the breach, regardless of whether GDPR directly applies to you. (72 hours is the deadline GDPR Article 33 sets for notifying the supervisory authority; Article 34 requires notifying affected individuals without undue delay. We apply the stricter 72-hour deadline to both.) Notifications will describe what happened, what data was affected, what we are doing about it, and what you can do to protect yourself. Security-related contact: [email protected].
21. Medical Non-Device Statement
Vela is designed for general wellness purposes and is not a medical device under U.S. FDA regulations, the EU Medical Device Regulation (EU 2017/745), or the UK MHRA framework. We are not a HIPAA-covered entity or business associate, because we do not provide services on behalf of healthcare providers or plans. Nothing in Vela is intended to diagnose, treat, cure, or prevent any disease or condition. See the Terms of Service, Section 10, for the full medical disclaimer.
22. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we’ll update the “Last updated” date above and, for material changes, notify you via the app or email. When a change affects how your data is used, we will give you the chance to withdraw before it takes effect.
23. Contact
Questions, requests, or concerns about privacy? Email us at [email protected]. Security-related matters: [email protected]. We read every message and respond within a reasonable time.
danestves LLC · Delaware, United States.