Version française
Privacy Policy
Last updated: 2026-07-06 · Version v2.1
1. Data controller
Virelya is the data controller for your personal data. For any question, email privacy@virelya.app.
2. Data collected and purpose
Virelya only collects data necessary for the service.
- Card identity (first name, last name, role, company, professional email, phone, website, location, avatar, logo, background): provided by you. Purpose: generate your digital business card. Legal basis: contract performance (Art. 6.1.b GDPR).
- Authentication (email + hashed password, or Google OAuth): handled by Supabase. Purpose: secure your access.
- Approximate location (only if you enable Explorer): to display nearby cards. Legal basis: explicit consent.
- Photos (gallery or camera): only for backgrounds and avatars you select. No photo is read without your action.
- Messaging and calls (if you use these features): the content of messages you send (text and voice messages), plus metadata and any recaps of your calls. Purpose: deliver your conversations and calls with other users. Legal basis: contract performance (Art. 6.1.b). Important: these exchanges are not end-to-end encrypted — they are encrypted in transit and at rest, but remain technically accessible to Virelya for moderation and safety.
- Teams (if you create or join a team): your membership, role, posted announcements and the team's brand template. A team admin can see members and enforce a visual identity on your primary card. Legal basis: contract performance.
- Social features: recommendations you give or receive, referral code, view count of your cards. Purpose: networking and sharing features.
- Moderation: reports and blocks you submit. Purpose: community safety and terms enforcement. Legal basis: legitimate interest (Art. 6.1.f).
- Notifications: token stored to alert you (AI portrait ready, new message, team announcement, incoming call).
- Contact book (only if you grant permission via "Find your friends on Virelya" or at first launch): Virelya scans your contacts to identify people who already have a Virelya card and proposes them to add to your wallet. Server-side data processed: ONLY irreversible SHA-256 cryptographic fingerprints of normalized phones and emails — NEVER the plain values. Privacy strategy: pattern similar to Signal/WhatsApp. The content of your contact book (names, nicknames, photos, personal notes) stays on your phone and is never transmitted. When a contact matches a Virelya user, their Virelya identifier may be added to that contact's entry in your phone book (a custom URL field, without modifying name or notes). Legal basis: explicit consent (GDPR Art. 6.1.a) — you can revoke this permission at any time in your phone's system Settings.
- Technical data (device model, OS, app version): aggregated and anonymized for diagnostics.
3. Sub-processors
Virelya relies on the following sub-processors. Each applies its own GDPR safeguards.
- Supabase (Germany, eu-central-1) — database + image storage hosting.
- Sentry (Germany, DE region) — anonymized crash collection. Auth headers and tokens automatically redacted before sending.
- PostHog (United States) — product analytics (usage volume, journey). No session replay enabled. You can opt-out in Settings → Privacy.
- Google (Gemini, Maps) — AI image generation and map display. Text prompts you write and photos used for AI generation transit through their servers.
- OpenAI — logo image generation.
- LiveKit — real-time infrastructure for audio/video calls (only when you make or receive a call).
- Apple / Google (push notifications) — only when enabled by you.
4. Retention
- Account data: as long as your account is active. Deleted within 30 days after account closure.
- Technical logs: 90 days maximum.
- Backups: 30 days after account deletion.
5. Your rights
In accordance with GDPR Articles 15-22, you have:
- Access: receive a copy of your data. Email privacy@virelya.app.
- Rectification: edit your data directly in the app, anytime.
- Erasure: Settings → Danger zone → Delete my account. Immediate effect, full cascade.
- Portability: receive your data in a structured format (JSON).
- Opposition: refuse analytics in Settings → Privacy.
- Complaint: you can file a complaint with the CNIL or your local DPA.
6. International transfers
Some sub-processors (PostHog, Google, OpenAI) host part of the data in the United States. Transfers rely on the European Commission Standard Contractual Clauses (or Data Privacy Framework for certified sub-processors).
7. Security
All communication is HTTPS-encrypted. Passwords are hashed (bcrypt via Supabase) — Virelya never sees your password in plain text. Data access is protected by Row Level Security at the database level.
8. Contact
For any question, write to privacy@virelya.app. Reply within 30 days maximum.
Terms of Service · Back to Virelya