Veloxyveloxy
Legal

Privacy Policy

Last updated · 2026-05-29

This Privacy Policy explains what data Veloxy collects, why we collect it, and what we do with it. We deliberately keep data minimal because that’s the only honest way to run a privacy-adjacent service.

1. What we collect

Account data

  • Email address — used as your login and to send service notifications. We do not require, store, or verify any other identity information.
  • Password — stored only as a bcrypt hash; never readable by us.
  • API keys — stored as a SHA-256 hash; the raw key is shown once at creation and discarded server-side.
  • Account language and display name — optional, you can change them any time.

Order & billing data

  • Order history (product, duration, amount in USD, timestamps, status).
  • Payment processor identifier (Heleket invoice UUID and status). Crypto wallet addresses, transaction hashes, and KYC information are not shared with us.
  • Account balance and total spent.

Proxy usage data

We log proxy provisioning events (which proxy you have, which city it’s connected to, when it was rotated or its fingerprint changed). We do not log the URLs, domains, requests, response bodies, or any other content of traffic that passes through the proxy. Outbound carrier-level metadata is retained by the underlying mobile operator and is outside our control.

Technical data

  • Server-side request logs (IP, user-agent, timestamp, status code) for our dashboard and API endpoints — retained 30 days for security and abuse-detection purposes.
  • A single first-party cookie (veloxy_token) holding your authentication token. We do not use third-party analytics, advertising, or tracking pixels.

2. Why we collect it

  • To operate the service (account login, billing, provisioning).
  • To prevent fraud, abuse, and brute-force attacks on accounts.
  • To comply with applicable law and respond to valid legal process.

3. Sharing

We share data with two categories of subprocessors only:

  • Payment processor (Heleket / Cryptomus) — receives invoice amount, order id, and webhook callback URL. They do not receive your account email.
  • Infrastructure providers (the hosting datacenter, DDoS mitigation in front of our domain) — handle the network bytes required to operate the dashboard and API.

We do not sell or rent your data, ever.

4. Cookies

We set exactly one strictly-necessary cookie: veloxy_token, which stores your JWT session. It is HTTPS-only, SameSite=Strict, expires after 7 days, and is removed when you log out. No analytics or advertising cookies are set.

5. Data retention

  • Account data — until you delete the account or 24 months of inactivity.
  • Order/billing records — kept for 5 years for tax/audit purposes after which they are deleted.
  • Server request logs — 30 days.

6. Your rights

Under GDPR (if you’re in the EEA) and similar laws elsewhere, you have the right to access, correct, export, and delete your data. To exercise any of these rights, contact privacy@veloxy.top. We respond within 30 days.

7. Security

All traffic is encrypted in transit (TLS 1.3 on the public edge). Passwords use bcrypt; API keys are stored as SHA-256 hashes. Database backups are encrypted at rest. We practice the principle of least privilege internally and audit access via our admin audit log.

8. Contact

Questions or requests: privacy@veloxy.top.