| Health Data Encryption | Zero-knowledge (client-side encrypted, server cannot read) |
| Data Sales | Never — subscription-only revenue model |
| Health Data in Ads | Never — health data is never used for advertising or shared with advertisers |
| CCPA/CPRA | Compliant — health data classified as SPI |
| PIPEDA/BC PIPA | Compliant — explicit consent for health data |
| FTC HBNR | Compliant — encrypted health data, no unauthorized sharing |
| WA MHMDA | Compliant — consent-based health data collection |
| Breach Response | 60-day notification (FTC), ASAP (PIPEDA) |
| Data Deletion | Immediate permanent deletion upon request |
| Third-Party Sharing | None for health data — ever |
Vela ("we," "us," or "our") operates the Vela mobile application and the website at veladate.app. This Privacy Policy explains what information we collect, how we use it, and what rights you have over your data.
We built Vela for people who deserve privacy more than most. We take that seriously.
Inferential health data: We recognize that your use of Vela may itself suggest information about your health status. We treat your account existence and all associated data with the same level of protection as explicitly provided health information.
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and manage your account | Email, phone number, display name, age | Contract performance |
| Verify your phone number via SMS (anti-bot) | Phone number | Legitimate interest (preventing fraudulent accounts) |
| Show your profile to potential matches | Photos, bio, city, age, gender, relationship intent | Contract performance |
| Match you with compatible people | Location, preferences, intent (NOT health conditions) | Contract performance |
| Enable messaging between matches | Messages, photos | Contract performance |
| Verify you are a real person | Face verification selfie | Legitimate interest (safety) |
| Moderate content for safety | Messages, photos (AI-scanned for policy violations) | Legitimate interest (safety) |
| Improve the app | Anonymized usage data, crash reports | Legitimate interest |
| Send push notifications | Device push token (no message content or health data) | Consent |
| Communicate with you | Email (account notifications, support) | Contract performance |
Vela cannot read your health conditions. Your health data is encrypted on your device before it ever reaches our servers. We store only encrypted ciphertext that is unintelligible without your personal device key. Even if our servers were compromised, your health conditions would remain private.
Vela is not a healthcare provider. We do not diagnose, treat, or provide medical advice. Health condition data on Vela is entirely self-reported.
When you enter your health conditions during onboarding or profile editing:
You may choose to share your health conditions with a match by granting them access through the app. When you do:
Under the California Consumer Privacy Act (CCPA/CPRA), Washington My Health My Data Act (MHMDA), and other privacy laws, certain categories of data are considered "sensitive personal information" (SPI). Vela collects the following SPI:
| SPI category | How we handle it |
|---|---|
| Health information | Encrypted client-side; server stores only ciphertext; never used for advertising, analytics, or sharing with third parties |
| Sexual orientation | Used only for matching preferences within the app; never shared with third parties |
| Biometric data (face verification) | Used for liveness detection at sign-up to prevent bots. Required to create an account. See Section 5 — Biometric data for the full disclosure including processor (Anthropic), retention schedule, and rights. |
You have the right to limit the use and disclosure of your sensitive personal information. To exercise this right, contact us at [email protected].
Vela requires face verification during account creation to prevent bots and fake profiles. This system performs liveness detection: it confirms a real, live human is present at the device — not a photo, video, or deepfake. It does not identify you, match you against any database, or generate any facial profile, faceprint, biometric template, or representation capable of identifying an individual. Your face photos are analyzed and then permanently deleted — see the retention schedule below for the specific windows. No facial profile, faceprint, biometric template, or other identifier is ever created or retained. The only outputs of this system are pass/fail liveness signals that cannot identify you.
To perform this check, Vela collects 3 face photos through your device's camera and transmits them to Anthropic (Claude Haiku) for AI-assisted liveness processing on Vela's behalf.
Depending on your jurisdiction, face photos may be classified as biometric data under applicable privacy laws. Under California law, face imagery is biometric information regardless of use (Cal. Civ. Code § 1798.140(b)). Under the Illinois Biometric Information Privacy Act as interpreted by courts, biometric identifiers must be capable of identifying an individual. Under Québec Law 25, biometric characteristics used to verify identity trigger specific regulatory obligations. Vela complies with the requirements of all applicable jurisdictions. To the extent your face photos constitute biometric data under any applicable law, all protections in this section apply in full.
Face verification is conducted by Vela's internal system using AI technology provided by Anthropic (Claude Haiku). Anthropic confirms a live human is present and returns a pass/fail result — no identification occurs at the Anthropic processing stage. Anthropic does not share your photos with any other party. In the event of an unsuccessful verification, only authorized Vela staff conducting the manual review have access to your photos for that sole purpose. Your photos are never transmitted to any facial recognition database, biometric identification service, data broker, or advertising platform.
Vela does not sell, lease, trade, or otherwise profit from biometric data.
Biometric data is Sensitive Personal Information under the California Privacy Rights Act. This collection is necessary to provide the Vela service and is limited to that purpose. California residents have the right to limit use of their Sensitive Personal Information by contacting [email protected].
Biometric data is protected by security safeguards appropriate to its sensitivity under BC's Personal Information Protection Act. Collection is subject to the consent obtained during account creation. This Biometric Data Retention Schedule is publicly available and will be updated to reflect any material change in our biometric data practices.
We use AI for content moderation. Photos and messages may be scanned by AI to detect policy violations (harassment, illegal content, etc.). Moderation is automated and no human reviews your content unless a violation is flagged. Health condition data is never sent to AI moderation systems.
We use the following third-party services to operate Vela. None of these services receive your health condition data.
| Service | Purpose | Data shared | Health data shared? |
|---|---|---|---|
| Cloud infrastructure provider | Database, authentication, file storage | Account data, profile data, encrypted health conditions (ciphertext only), photos, messages | No (encrypted ciphertext only) |
| Anthropic (Claude Haiku) | Face verification (liveness detection) and content moderation | Face photos for liveness detection; photos and text submitted for moderation review. Anthropic retains inputs for up to 30 days for safety monitoring per their published terms, then permanently deletes them. Anthropic does not use inputs for AI training. | No |
| AI image generation service | AI avatar generation | Profile photos (for style transfer). Photos are sent to the processing service and generated results are downloaded to our servers immediately. Photos may be temporarily cached by the processing service for up to 60 seconds before automatic deletion. | No |
| Analytics provider | Product analytics | Anonymized usage events (no health data, no PII beyond hashed user ID) | No |
| Error monitoring service | Error tracking and crash reporting | Crash reports, device info, hashed user ID (no email or other PII) | No |
| SMS delivery provider | Phone number verification | Phone number (one-time verification code during signup) | No |
| Email delivery provider | Transactional email delivery | Email address (invitations, account notifications) | No |
| Geolocation service | City/location autocomplete | Search query text, IP address | No |
| Push notification services | Push notification delivery | Device push token | No |
| Payment processor | Subscription billing | Email address, payment method details (processed directly by the payment provider — we never see or store your card number) | No |
We do not sell your data. We do not share your data with advertisers. We do not use advertising SDKs, tracking pixels, or data brokers. Vela's revenue comes exclusively from subscription fees.
| Data type | Retention period |
|---|---|
| Profile data (name, bio, preferences) | Duration of account; permanently deleted immediately upon account deletion |
| Health conditions (encrypted) | Duration of account; encryption key cleared on logout/deletion |
| Profile photos | Duration of account; permanently deleted immediately upon account deletion |
| Face verification photos | Not retained long-term. Temporarily uploaded to secure storage for verification; permanently deleted from Vela immediately upon successful verification (or within 7 days if manual review is required). Our AI processor (Anthropic) retains a copy for up to 30 days for safety monitoring before permanent deletion (see "Biometric retention schedule" above) |
| Chat messages | Duration of account; permanently deleted immediately upon account deletion |
| Analytics data | Anonymized; retained per our analytics provider's retention policy |
| Crash reports | 90 days |
| Moderation logs | Retained during your account lifetime for safety and compliance; deleted when your account is deleted |
You can delete your account at any time from the Settings screen in the app. Here is what happens:
Reports filed against your account by other users may be retained for community safety purposes even after your account is deleted.
Account deletion is immediate and permanent. There is no recovery window. Once you confirm deletion, your data cannot be restored.
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
To exercise your CCPA/CPRA rights, email [email protected] or use the in-app Settings. We will respond within 45 days. You may designate an authorized agent to make requests on your behalf.
In the preceding 12 months, we have not sold any personal information and have not shared personal information for cross-context behavioral advertising.
Washington residents are covered by our standalone Consumer Health Data Privacy Policy, published in compliance with RCW 19.373.030(1)(b). The summary below is supplemental; the standalone document is the controlling disclosure for consumer health data.
If you are a Washington state resident, you have additional rights regarding your health data under the My Health My Data Act:
Your health conditions are encrypted on your device. We store only encrypted ciphertext. When you delete your account or withdraw consent, the encryption key is destroyed, rendering any stored ciphertext permanently unreadable.
If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act:
We collect, use, and disclose your personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and only with your consent. Your health condition data receives the highest level of protection through client-side encryption.
To exercise your rights under PIPEDA, contact us at [email protected]. We will respond within 30 days.
If you are a British Columbia resident, you have rights under the Personal Information Protection Act (PIPA), including the right to access, correct, and request deletion of your personal information. Contact us at [email protected] to exercise these rights.
If you are located in the EEA, you have additional rights under the General Data Protection Regulation:
Our legal bases for processing are: consent (you choose to create an account and share data), contract performance (operating the dating service you signed up for), and legitimate interest (safety, content moderation, and service improvement).
In the event of a data breach that affects your personal information, we will:
Important: Because your health conditions are encrypted with a key that exists only on your device and is never transmitted to our servers, a breach of our database would NOT expose your health condition data. The encrypted ciphertext is unintelligible without your personal device key.
The Vela mobile app does not use cookies. Our website (veladate.app) may use minimal cookies for analytics purposes. You can disable cookies in your browser settings.
Vela is strictly for users aged 18 and older. We do not knowingly collect information from anyone under 18. Age is self-reported during account creation. If we discover that a user is under 18, their account will be immediately terminated and their data deleted.
Vela's infrastructure is hosted in the United States. If you access Vela from outside the United States, your data will be transferred to and processed in the United States. By using Vela, you consent to this transfer. We ensure that your data is protected in accordance with this Privacy Policy regardless of where it is processed.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have never done so and have no plans to do so. Vela's revenue model is based exclusively on subscription fees, not advertising or data monetization.
If you are a California resident and wish to exercise your right to opt out, or if you have questions about our data practices, contact us at [email protected].
We are committed to protecting your privacy, including from government overreach. Our approach to law enforcement requests:
We may update this Privacy Policy from time to time. When we do, we will post the updated Privacy Policy on this page and update the "Last updated" date. For significant changes, we will make reasonable efforts to notify you through the app or by email.
Your continued use of Vela after any changes constitutes acceptance of the updated policy. If you do not agree to the updated policy, you should stop using the Service and delete your account.
If you have questions about this Privacy Policy, your data, or your rights, contact us: