Privacy Policy

Effective Date: May 6, 2026 | Governing Law: Ontario, Canada | PIPEDA & GDPR Compliant

1. Introduction and Scope

Veklom ("we," "us," or "our") operates a governed AI marketplace and compute routing platform ("Services"). This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), the Personal Health Information Protection Act ("PHIPA") where applicable, and, for users in the European Economic Area or United Kingdom, the General Data Protection Regulation ("GDPR") and UK GDPR.

This Policy applies to all users of our website at https://veklom.com, our APIs, our Marketplace, and our Workspace application. By using the Services, you consent to the practices described in this Policy.

2. Information We Collect

Information you provide: account registration data, billing information processed by Stripe, vendor listing information, communications sent to Veklom, and voluntary survey or feedback responses.

Information collected automatically: log data, usage data, device data, cookies, and similar tracking technologies.

Information from third parties: authentication provider profile data, Stripe payment status and fraud signals, and BYOS infrastructure monitoring metrics that do not include workload data.

BYOK credential handling: when you use Bring Your Own Key features, credentials are processed in-memory during the Governed Execution session only. BYOK credentials are never logged, stored, written to disk, or transmitted to any party other than the intended provider endpoint.

Audit artifacts and governance logs: Veklom generates cryptographically signed records for Governed Executions. These contain execution metadata, not prompt or output content unless prompt logging is explicitly enabled in Workspace settings.

3. How We Use Your Information

We use collected information for service delivery, governance and compliance, security, transactional communications, product improvement using aggregate or anonymized data, and legal compliance. For EU/UK users, processing is based on contract performance, legal obligation, legitimate interests, or consent as applicable.

4. How We Share Your Information

We share information with vetted processors under data processing agreements, including Stripe, Resend, infrastructure providers, web hosting providers, database hosting providers, and GitHub for source code and CI/CD. Marketplace transactions may require sharing limited profile information with the applicable Vendor for order fulfillment. We may disclose information when required by law, during business transfers, or to protect Veklom, users, or the public. Veklom does not sell, rent, or trade personal information to third parties for their own marketing purposes.

5. Data Retention

Account data is retained for the duration of your account plus 3 years after termination, or as required by law. Billing records are retained for 7 years. Audit artifacts and governance logs are retained according to subscription tier. Usage logs are retained for 90 days rolling. Security incident logs are retained for at least 3 years. Email engagement data is retained for 24 months. Upon account deletion, personal data is purged within 30 days except where retention is required by law or legitimate business purposes.

6. Your Rights

Canadian users have rights to access, correction, withdrawal of consent, and complaint to the Office of the Privacy Commissioner of Canada. EU/UK users may also request erasure, restriction, portability, objection, and may lodge a complaint with a supervisory authority. To exercise rights, email legal@veklom.com with the subject line "Privacy Rights Request." We respond within 30 days.

7. International Data Transfers

Veklom is based in Ontario, Canada. Information may be transferred to, stored, and processed in Canada, the United States, and EU member states. For transfers requiring safeguards, we use Standard Contractual Clauses or other approved transfer mechanisms.

8. Cookies and Tracking

We use essential cookies for authentication, session management, and security; analytics cookies for anonymized usage patterns; and preference cookies for settings. We do not use third-party advertising cookies or behavioral tracking networks. Browser settings can control cookies, but disabling essential cookies prevents authenticated use.

9. Security

We use TLS in transit, AES-256 encryption at rest, role-based access controls, tamper-evident audit logging, and security assessments. BYOK credentials are in-memory only and are never persisted. If a breach affects personal information, we will notify affected users and applicable regulators within required timeframes. Report vulnerabilities to security@veklom.com.

10. Children's Privacy

The Services are not directed to individuals under 18. We do not knowingly collect personal information from minors. If we become aware of such data, we will delete it promptly.

11. Changes to This Policy

We may update this Policy from time to time. Material changes will be posted at https://veklom.com/legal/privacy and, for existing users, communicated by email at least 14 days before taking effect.

12. Contact and Data Controller

For privacy inquiries, data access requests, or complaints: legal@veklom.com. Address: Veklom, Ontario, Canada. For EU/UK users, Veklom acts as data controller for information collected through the Services.