Privacy Policy

Last updated: 2026-05-10 · Version v2.0

1. Data controller

Virelya is the data controller for your personal data. For any question, email [email protected].

2. Data collected and purpose

Virelya only collects data necessary for the service.

Card identity (first name, last name, role, company, professional email, phone, website, location, avatar, logo, background): provided by you. Purpose: generate your digital business card. Legal basis: contract performance (Art. 6.1.b GDPR).
Authentication (email + hashed password, or Google OAuth): handled by Supabase. Purpose: secure your access.
Approximate location (only if you enable Explorer): to display nearby cards. Legal basis: explicit consent.
Photos (gallery or camera): only for backgrounds and avatars you select. No photo is read without your action.
Notifications: token stored to alert you when an AI portrait is ready.
Technical data (device model, OS, app version): aggregated and anonymized for diagnostics.

3. Sub-processors

Virelya relies on the following sub-processors. Each applies its own GDPR safeguards.

Supabase (Germany, eu-central-1) — database + image storage hosting.
Sentry (Germany, DE region) — anonymized crash collection. Auth headers and tokens automatically redacted before sending.
PostHog (United States) — product analytics (usage volume, journey). No session replay enabled. You can opt-out in Settings → Privacy.
Google (Gemini, Maps) — AI image generation and map display. Text prompts you write and photos used for AI generation transit through their servers.
OpenAI — logo image generation.
Apple / Google (push notifications) — only when enabled by you.

4. Retention

Account data: as long as your account is active. Deleted within 30 days after account closure.
Technical logs: 90 days maximum.
Backups: 30 days after account deletion.

5. Your rights

In accordance with GDPR Articles 15-22, you have:

Access: receive a copy of your data. Email [email protected].
Rectification: edit your data directly in the app, anytime.
Erasure: Settings → Danger zone → Delete my account. Immediate effect, full cascade.
Portability: receive your data in a structured format (JSON).
Opposition: refuse analytics in Settings → Privacy.
Complaint: you can file a complaint with the CNIL or your local DPA.

6. International transfers

Some sub-processors (PostHog, Google, OpenAI) host part of the data in the United States. Transfers rely on the European Commission Standard Contractual Clauses (or Data Privacy Framework for certified sub-processors).

7. Security

All communication is HTTPS-encrypted. Passwords are hashed (bcrypt via Supabase) — Virelya never sees your password in plain text. Data access is protected by Row Level Security at the database level.

8. Contact

For any question, write to [email protected]. Reply within 30 days maximum.