Version française

Privacy Policy

Last updated: 2026-05-10 · Version v2.0

1. Data controller

Virelya is the data controller for your personal data. For any question, email privacy@virelya.app.

2. Data collected and purpose

Virelya only collects data necessary for the service.

• Card identity (first name, last name, role, company, professional email, phone, website, location, avatar, logo, background): provided by you. Purpose: generate your digital business card. Legal basis: contract performance (Art. 6.1.b GDPR).
• Authentication (email + hashed password, or Google OAuth): handled by Supabase. Purpose: secure your access.
• Approximate location (only if you enable Explorer): to display nearby cards. Legal basis: explicit consent.
• Photos (gallery or camera): only for backgrounds and avatars you select. No photo is read without your action.
• Notifications: token stored to alert you when an AI portrait is ready.
• Technical data (device model, OS, app version): aggregated and anonymized for diagnostics.

3. Sub-processors

Virelya relies on the following sub-processors. Each applies its own GDPR safeguards.

• Supabase (Germany, eu-central-1) — database + image storage hosting.
• Sentry (Germany, DE region) — anonymized crash collection. Auth headers and tokens automatically redacted before sending.
• PostHog (United States) — product analytics (usage volume, journey). No session replay enabled. You can opt-out in Settings → Privacy.
• Google (Gemini, Maps) — AI image generation and map display. Text prompts you write and photos used for AI generation transit through their servers.
• OpenAI — logo image generation.
• Apple / Google (push notifications) — only when enabled by you.

4. Retention

• Account data: as long as your account is active. Deleted within 30 days after account closure.
• Technical logs: 90 days maximum.
• Backups: 30 days after account deletion.

5. Your rights

In accordance with GDPR Articles 15-22, you have:

• Access: receive a copy of your data. Email privacy@virelya.app.
• Rectification: edit your data directly in the app, anytime.
• Erasure: Settings → Danger zone → Delete my account. Immediate effect, full cascade.
• Portability: receive your data in a structured format (JSON).
• Opposition: refuse analytics in Settings → Privacy.
• Complaint: you can file a complaint with the CNIL or your local DPA.

6. International transfers

Some sub-processors (PostHog, Google, OpenAI) host part of the data in the United States. Transfers rely on the European Commission Standard Contractual Clauses (or Data Privacy Framework for certified sub-processors).

7. Security

All communication is HTTPS-encrypted. Passwords are hashed (bcrypt via Supabase) — Virelya never sees your password in plain text. Data access is protected by Row Level Security at the database level.

8. Contact

For any question, write to privacy@virelya.app. Reply within 30 days maximum.

Terms of Service · Back to Virelya