Privacy policy

What we collect, why we collect it, and the choices you have.

Last updated 9 May 2026

In plain language

We collect the minimum we need to run Velora: enough to authenticate you, take payments, confirm bookings, and reach you when something changes about your trip. We don't sell your data, and we don't use it for cross-site advertising.

1. Data we collect

Account data — name, email, phone, nationality, date of birth (optional), profile photo. Provided by you.

Booking data — services you book, dates, party size, special requests, and payment receipts (Velora does not store full card numbers; payment is tokenised by Stripe).

Device data — app version, OS, push token for notifications, language and currency preference.

Usage data — pages viewed, searches performed, errors encountered. Used to improve the product, not to profile you.

2. How we use it

Operationally: to authenticate you, complete bookings, settle payouts to vendors, send transactional alerts (booking confirmed, payout received, etc.), and respond to support requests.

Improvements: aggregated analytics so we know which screens crash, which features are used, and where new travellers get stuck.

3. Who sees your data

Vendors — they see your name, contact details, and booking-specific info (party size, dates, special requests) for the bookings you make with them. Nothing else.

Service providers — Stripe (payments), Firebase (push notifications + crash reports), AWS S3 (file storage). Each is bound by its own data-processing agreement with Velora.

Authorities — only when required by valid legal process under Malaysian law.

4. How long we keep it

Active account data is retained while your account is open and for 7 years after closure (the period mandated by Malaysian tax law for financial records). Anonymous analytics is retained for 24 months.

5. Your rights

You can access, correct, or export your data at any time via the app's Profile screen. To delete your account permanently, tap Delete account in Settings — Velora soft-deletes the account immediately and erases personal data after a 30-day cooling period.

You can opt out of marketing emails at any time via the Notifications settings or the unsubscribe link in any marketing email.

6. Security

Data in transit is encrypted with TLS 1.2+. Data at rest in our databases is encrypted at the volume level. Access to production systems requires SSO + 2FA, and is audited.

7. Contact our DPO

Privacy questions or data-subject requests: privacy@velora.app.