Privacy Policy
Last updated: 3 July 2026
1. Controller
Markus Eggenreiter (EGM Digital Solutions), Alexander-Girardi-Straße 5/13, 4820 Bad Ischl, Austria. Full provider details are available in the imprint.
Contact for data protection matters:
2. Website Visits and Server Logs
When you access this website (veltu.app), our hosting provider Cloudflare, Inc. processes technically necessary data such as IP address, date and time of access, the page accessed and browser information (server logs). The logs are not merged with other data. This website uses no cookies and no tracking.
3. Data Processed and Purposes
The legal basis for the processing described below is the performance of the user agreement (Art. 6(1)(b) GDPR) as well as our legitimate interest in secure and stable operation (Art. 6(1)(f) GDPR).
- Account data — email address and authentication data, in order to provide the user account and sign-in.
- Note content — text and images you create in the app, in order to store and synchronise your notes.
- AI processing data — note content transmitted to external services for the AI features (semantic search, summary) (premium only, see section 5).
- Subscription data — purchase and subscription status, processed via the payment provider in order to manage premium features.
- Technical data — device and usage data, insofar as required for operation, security and troubleshooting.
Contact form: If you use the contact form, we process your name, email address and message in order to handle your enquiry. Delivery takes place via Resend (see processors). The enquiry is deleted once it has been finally dealt with.
4. Legal Bases
Processing takes place in order to perform the user agreement (Art. 6(1)(b) GDPR — provision of the account, note storage, premium features) and on the basis of legitimate interests (Art. 6(1)(f) GDPR — security and operation of the app).
5. Processors and Service Providers
We use the following service providers to operate the app:
- Cloudflare, Inc. — hosting of the website and delivery of the contact form, processing of server logs (USA/global).
- Supabase — hosting, database and authentication (EU region).
- OpenAI — generation of text embeddings for semantic search (USA). Premium only.
- Anthropic — AI summarisation of note content (USA). Premium only.
- Resend — delivery of system and authentication emails as well as contact form messages; technical delivery via Amazon SES (eu-west-1 region, Ireland).
- RevenueCat — management of subscriptions and purchase status (processes subscription status and an app user identifier, no payment data).
- Google Play / Google LLC — app distribution, sign-in via Google and billing of in-app purchases.
6. Transfers to Third Countries
Some of the service providers used (including OpenAI, Anthropic, Cloudflare, Google) process data in the USA. For these transfers we rely on the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Insofar as the respective provider is certified under the EU-US Data Privacy Framework (DPF), the transfer additionally takes place on the basis of the European Commission's adequacy decision.
A residual risk remains that US authorities may access data under US law (e.g. FISA 702, CLOUD Act). We transmit only the data technically required for the respective feature. Note content is transmitted solely for the AI features (embeddings, summary) and only where premium is actively used. To assess these transfers we carry out a Transfer Impact Assessment (TIA) in line with the recommendations of the European Data Protection Board and review it regularly.
7. Security and Access
Your data is stored encrypted in transit and at rest. End-to-end encryption is not in place: note content must be processed technically for the AI features, which means the operator can technically access content. Content is not disclosed beyond the purposes set out in this policy.
8. Your Rights
You have the rights to access, rectification, erasure, restriction, data portability and objection. Within the app you can export your notes and delete your account together with all data.
You also have the right to lodge a complaint with the supervisory authority — in Austria the Austrian Data Protection Authority.
9. Retention Periods
Notes you move to the trash are permanently deleted after 30 days. Account and note data are removed in full when you delete your account.
We store personal data for as long as a lawful purpose exists. Data relevant to billing and accounting is retained for seven years due to tax retention obligations under § 132 BAO (Austrian Federal Fiscal Code). Deleted notes remain in the trash for 30 days and are then permanently removed. Once the purpose ceases to apply and statutory periods have expired, the data is deleted.
10. Contact
For questions about data protection: