Privacy Policy Changelog
From: November 1, 2025 version
To: February 2026 version
Summary
The original policy covered approximately 30% of actual data practices. This update brings coverage to ~95% of documented platform capabilities.
Critical Fixes
1. Domain Reference Corrected
| Before | After |
|---|---|
| https://app.vell.ai | https://vell.ai |
All references updated to reflect the primary domain.
New Sections Added
Section 8: CCPA Compliance (NEW)
- Right to Know
- Right to Delete
- Right to Opt-Out
- Right to Non-Discrimination
- "Do Not Sell" disclosure
Section 14: Children's Privacy (NEW)
- Platform not intended for users under 16
- No knowing collection of children's data
Section 17: Consent Records (NEW)
- Documents consent version tracking
- Timestamp and IP recording at registration
Major Additions to Existing Sections
Section 2: Data Collection (Expanded from 5 to 7 categories)
Added:
| Category | Data Points |
|---|---|
| Social Login Data | Google, GitHub, Facebook tokens and profile data |
| Phone number | Optional registration field |
| Company details | Website, address, postal code |
| Enterprise SSO | Cognito tokens, org identifiers |
| Payment/Affiliate | Subscription status, affiliate codes |
| reCAPTCHA data | IP sent to Google for verification |
Section 4: AI Model Training Disclosure (NEW SUBSECTION)
Critical addition:
By default, anonymized usage patterns may be used to improve our AI models. You can opt out of training data usage at any time through your account settings.
Documents opt-out scopes: all, executions, knowledge base, brand voice.
Section 5: Data Retention (Corrected)
| Data Type | Before | After (Corrected) |
|---|---|---|
| Session data | 24 hours | 120 minutes |
| Data exports | Not mentioned | 7 days |
| Soft-deleted records | Not mentioned | 90 days |
Added: Self-service data export documentation with cooldown period.
Section 6: Third-Party Processors (Expanded from 4 to 15+)
Previously listed:
- AWS
- Cloudflare R2
- Redis/Aurora
- "Optional Analytics Providers"
Now includes:
| Provider | Category | Previously Disclosed |
|---|---|---|
| Amazon SES | | No |
| Stripe | Payments | No |
| PayPal | Payments | No |
| Google Analytics | Analytics | Vague ("optional") |
| Google reCAPTCHA | Security | No |
| HubSpot | CRM | No |
| Mailchimp | Marketing | No |
| Slack | Integration | No |
| OpenAI | AI (user keys) | No |
| Anthropic | AI (user keys) | No |
Section 7: GDPR Rights (Enhanced)
Added:
- Self-service export capability documentation
- Detailed account deletion process (30-day timeline)
- Multiple deletion methods (dashboard, email, mobile)
Section 9: Security Measures (Expanded)
Added:
- Two-factor authentication mention
- AWS security practices
- VPC isolation
- Session timeout specifics
Section 10: Cookies (Detailed)
Before: Generic description
After: Specific cookie table with names, purposes, durations
Section 12: Automated Decision-Making (Clarified)
Added: Explicit right to request human review of AI decisions.
Removed/Modified
Removed Technical Details
- Specific mentions of "Laravel CSRF" (implementation detail)
- "Redis cache IDs" (internal detail)
Corrected Inaccuracies
- Session duration: 24 hours → 120 minutes
- Vague "Optional Analytics" → Specific Google Analytics disclosure
Compliance Impact
| Regulation | Before | After |
|---|---|---|
| GDPR | Partial | Comprehensive |
| CCPA | Not addressed | Full section |
| Children's privacy (COPPA) | Not addressed | Addressed |
Recommended Next Steps
- Update admin settings with new privacy policy content
- Increment consent version to trigger re-acceptance for existing users
- Review Mailchimp integration - consider changing from auto-subscribe to opt-in
- Verify Google Analytics has proper consent gate
- Consider adding in-app privacy controls dashboard
Files Created
- /docs/PRIVACY_POLICY_UPDATED.md - Full updated policy
- /docs/PRIVACY_POLICY_CHANGELOG.md - This changelog
Generated: February 2026