Privacy Policy

Velentis Ambassador Portal

Notice: This policy is currently under legal review. Wording may be updated. The substance of how we process your data will not change retroactively without notice.

Last updated: 18 May 2026

1. Introduction

This Privacy Policy describes how Velentis Iberia, S.L. ("Velentis", "we", "us") collects, uses, stores, and protects your personal data when you use the Velentis Ambassador Portal (the "Portal") at https://ambassadors.velentis.ai.

This Policy complies with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights ("LOPDGDD").

2. Data Controller

The controller of your personal data is:

Velentis Iberia, S.L. C/ Hermosilla 48, piso 1º derecha 28001 Madrid, Spain Contact for privacy matters: privacy@velentis.ai

3. What Personal Data We Collect

3.1 Data You Provide Directly

When you register for and use the Portal, we collect:

Account and profile data: full name, email address, LinkedIn profile URL, university (or free-text university name if "Other"), country of residence, optional study program, optional free-text "why join" answer (max 500 characters), optional tax identification number (NIE / NIF / DNI / Steuernummer / passport number / equivalent home-country tax ID — required only before the first commission payout);
Account credentials: login email and password (passwords are stored only as irreversible hashes via Supabase Auth; we never see the plaintext);
Consent timestamps: the date and time you ticked each of the six required confirmations at signup (Terms & Privacy Policy acceptance; age 18+; residence/work authorization; sole tax and social-security responsibility; independent-contractor relationship; B2B/professional capacity);
Contract signature record: for each version of the Referral Partner Agreement you sign — the signed-at timestamp, the agreement version, your typed signature name, your IP address at signing, and your browser user-agent string;
KYC information (before first payout only): full legal name (required, must match your bank account) and IBAN (optional — required only if Velentis does not already have your bank details). We reserve the right to request additional documentation under Terms § 7.4 if circumstances require it, but the live KYC form only collects these two fields today;
Account activity records: timestamped audit-log entries we create when you take privacy-sensitive actions (signing the contract, requesting a GDPR data export, requesting account deletion, etc.); deletion-request and data-export-log records also capture the IP address and user-agent string of the request, for security and abuse-investigation purposes;
Tax-reminder markers (Spanish residents only): two integer year-flags indicating whether you have already been sent the €10k / €13k SMI reminder emails for the current calendar year, so we do not send them twice;
Lead and deal data: information about leads you introduce (see § 5 below — Velentis is the controller for Lead data from the moment of submission);
Communication data: messages and support requests you send to us.

3.2 Data Collected Automatically

When you use the Portal, our systems automatically collect:

Technical data: IP address, browser type and version, operating system, device identifiers;
Usage data: pages visited, actions taken, timestamps, session duration;
Security data: login attempts, authentication events, access logs.

3.3 Data We Do NOT Collect

The Portal does not use advertising trackers, social-media pixels, or third-party analytics tools that profile you for marketing purposes. We do not process special-category data (health, political opinion, etc.) unless you voluntarily provide it in a free-text field.

No marketing emails: During the Pilot phase of the Velentis Ambassador Programme, Velentis does not send marketing or promotional emails to Ambassadors. All emails sent to Ambassadors are transactional (e.g., account verification, contract signing, lead status updates, commission notifications) and necessary for the performance of the contract under Article 6(1)(b) GDPR.

3.4 Data Transmitted to AI Processing (chatbot)

When you use the Portal's AI chatbot (on the landing page or inside the portal), the content of your messages is streamed in real time to Anthropic PBC (USA) for processing by the Claude language model. Portal-context messages include your account identifier and may include your name, stage, and questions about your account. Velentis does not persistently store the chatbot conversation content; only an audit fingerprint is retained (timestamp, ambassador ID, rate-limit counter — no message text). Full subprocessor details are in § 6.2; transfer safeguards in § 7.

4. Purposes and Legal Bases

We process your personal data for the following purposes and on the following legal bases under Article 6 GDPR:

Purpose	Legal Basis	Retention
Account creation and management	Art. 6(1)(b) GDPR — performance of a contract (Terms of Service)	Until account deletion
Processing referrals and paying commissions	Art. 6(1)(b) GDPR — performance of Referral Partner Agreement	10 years (tax/commercial law retention)
Fulfilling tax, commercial, and accounting obligations	Art. 6(1)(c) GDPR — legal obligation (tax law, accounting rules)	10 years (Spain/Germany commercial law)
Service emails (welcome, lead status, commission updates)	Art. 6(1)(b) GDPR — performance of contract	Until account deletion
Portal security, fraud prevention, audit logging	Art. 6(1)(f) GDPR — legitimate interest (security)	24 months
Responding to your data-subject requests	Art. 6(1)(c) GDPR — legal obligation (GDPR rights)	3 years after resolution

5. Data of Third Parties (Leads) You Submit

When you submit personal data of a potential customer (a "Lead") via the Portal, Velentis acts as the controller for that Lead data from the moment of submission. The legal basis for processing is Article 6(1)(f) GDPR (legitimate interest), as documented in our internal Legitimate Interest Assessment.

The Velentis Ambassador Program is structurally designed for warm, personal-network referrals. You are required by the Referral Partner Agreement (§ 7.2) not to submit Lead data obtained through indiscriminate cold outreach, mass scraping, or purchased contact lists. To support this, the Portal limits each Ambassador to a maximum of 15 active claimed Leads at any time.

Velentis will provide each Lead with a Privacy Notice at the point of first commercial contact, informing them of the source of their data, the purposes of processing, and their rights under GDPR (including the right to object under Article 21 GDPR).

You retain no controllership over Lead data once submitted; queries from a Lead about their personal data should be directed to Velentis at privacy@velentis.eu.

6. With Whom We Share Your Data

We may share your personal data with the following categories of recipients:

6.1 Velentis Personnel Authorised Velentis personnel, on a need-to-know basis (currently: Velentis Iberia administrators).

6.2 Subprocessors We use the following subprocessors under GDPR-compliant Data Processing Agreements (DPAs). Each is bound by confidentiality and security obligations:

Subprocessor	Service	Data Processed	Hosting Location	Legal Entity
Supabase Inc.	Database, authentication	All Portal data	Frankfurt, Germany (EU)	970 Toa Payoh North #07-04, Singapore 318992
Hetzner Online GmbH	Application hosting	All Portal data, server logs	Nuremberg, Germany (EU)	Industriestr. 25, 91710 Gunzenhausen, Germany
Resend (Drift Inc.)	Transactional email delivery	Email addresses, email content	Ireland (EU region)	2261 Market Street #4667, San Francisco, CA 94114, USA
Anthropic PBC	AI chatbot (Claude language model) on the landing page and inside the portal	Chatbot message content; for portal sessions, account identity and conversation context (name, stage, questions about your account)	United States (API endpoint; no EU region currently available)	548 Market St PMB 90375, San Francisco, CA 94104, USA

Anthropic does not use API inputs to train its models, per its Commercial Terms of Service. Message content is retained by Anthropic for up to 30 days for trust-and-safety review, then deleted. Legal basis under Article 6(1)(b) GDPR: performance of the contract (the chatbot is a Portal feature).

6.3 Professional Service Providers Tax advisors, auditors, and banks, as required to process commission payments and fulfil tax obligations under Spanish commercial and tax law.

6.4 Competent Authorities Where required by law (e.g., Spanish tax authorities for IRPF/IRNR withholding under Modelos 111, 190, 216; law enforcement under valid legal process).

6.5 What We Do Not Do We do NOT sell or rent your personal data to third parties. We do NOT share your data with advertising networks or data brokers. We do NOT use your data for automated profiling beyond the deterministic commission calculations described in § 13.

7. International Data Transfers

Your personal data is primarily processed within the European Economic Area (EEA): our application hosting is in Germany (Hetzner, Nuremberg), our database is in Germany (Supabase, Frankfurt), and our email infrastructure is in Ireland (Resend, EU region).

However, three of our subprocessors have parent entities outside the EEA:

Supabase Inc. is incorporated in Singapore. Hosting and data storage are exclusively in Frankfurt (EU).
Resend (Drift Inc.) is incorporated in the United States. Email delivery infrastructure is in the Ireland region (EU).
Anthropic PBC is incorporated in the United States. Chatbot API requests are processed in the United States; Anthropic does not currently offer an EU-region API endpoint.

For transfers to or processing by these non-EEA entities, we rely on the following safeguards under Article 46 GDPR:

Standard Contractual Clauses (SCCs): signed with all non-EEA subprocessors, in the version published by the European Commission in Decision 2021/914. This currently covers Resend (Drift Inc., USA) and Anthropic PBC (USA).
Transfer Impact Assessment (TIA): a Transfer Impact Assessment for transfers to Anthropic PBC is in progress and is available on request once finalised.
Supplementary measures: end-to-end TLS encryption in transit, encryption at rest, access controls, and contractual confidentiality commitments.
Data minimisation: only data strictly necessary for each subprocessor's function is shared.

You may request a copy of the SCCs and a summary of supplementary measures by contacting privacy@velentis.ai.

8. How Long We Keep Your Data

We keep your data only as long as necessary for the purposes set out above. Specific retention periods are listed in the table in § 4. After the applicable retention period expires, we delete or anonymise the data, unless we are legally required to keep it longer.

Note: Commercial and tax law in Spain and Germany generally requires retention of invoicing and commission records for up to 10 years. This supersedes a deletion request for those specific records.

9. Your Rights Under the GDPR

As a data subject, you have the following rights:

Right of access (Art. 15): confirm whether we process your data and obtain a copy;
Right to rectification (Art. 16): have inaccurate data corrected;
Right to erasure / "right to be forgotten" (Art. 17): request deletion, subject to legal-retention obligations;
Right to restriction of processing (Art. 18): limit how we process your data in certain cases;
Right to data portability (Art. 20): receive your data in a structured, machine-readable format;
Right to object (Art. 21): object to processing based on legitimate interest;
Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time without affecting prior lawfulness;
Right to lodge a complaint (Art. 77): with a supervisory authority — in Spain: AEPD, www.aepd.es; in Germany: your Bundesland's DPA.

To exercise any of these rights, contact us at privacy@velentis.ai. We will respond within 30 days (may be extended by 60 days for complex requests, with notice).

10. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

HTTPS/TLS encryption for all data in transit;
Encryption at rest for the entire database (provided by Supabase / PostgreSQL native encryption);
Access controls and the principle of least privilege. Multi-factor authentication (TOTP) is required for all admin accounts and is enforced at login: an admin without a verified TOTP factor is redirected to set one up before accessing any administrative function. For ambassador accounts, MFA is available and recommended but not mandatory at the pilot stage; ambassadors can enable TOTP from their account settings at any time;
Regular security updates and monitoring;
Role-based access (RBAC) and audit logging;
Backup and disaster-recovery procedures.

In the event of a personal-data breach affecting your data, we will notify you and the competent supervisory authority without undue delay, and in any event within 72 hours, in accordance with Articles 33 and 34 GDPR.

11. Cookies and Similar Technologies

The Portal categorises cookies and similar technologies into three tiers. On your first visit, a cookie banner allows you to accept all, reject non-essential, or manage your preferences. You can change your choices at any time via the Cookie Preferences link in the footer.

11.1 Strictly Necessary (no consent required)

Required for the Portal to function. These are exempt from consent under Article 5(3) of the ePrivacy Directive.

Supabase Auth (JWT session cookie): authenticates your session and protects against CSRF.

11.2 Analytics (opt-in)

Off by default. Activated only after you grant consent.

Sentry (EU region): captures application errors and performance issues to help us diagnose and fix bugs. Hosted in the EU for GDPR compliance. Configured with no session replay and no performance trace sampling.

11.3 Marketing (opt-in)

Off by default. We do not currently use any marketing or advertising trackers, social-media pixels, or third-party advertising cookies. This category is reserved for future opt-in features and will only be activated with your explicit consent.

Your consent decision is stored in your browser (in localStorage and a companion cookie) for one year, after which we will ask again. We will also re-prompt you if we add new cookie categories.

12. Children

The Portal is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have collected such data, please contact us at privacy@velentis.ai so we can delete it.

13. Automated Decision-Making

We do not make decisions with legal or significant effects on you based solely on automated processing. Commission calculations are mechanical (deterministic) and follow the formulas agreed in the Referral Partner Agreement; these are not "automated decisions" in the meaning of Art. 22 GDPR.

13a. Data Protection Officer

Velentis Iberia is not legally required to appoint a Data Protection Officer (DPO) under Article 37 GDPR (no large-scale processing of special-category data; no systematic monitoring of data subjects on a large scale). For all privacy-related inquiries, please contact privacy@velentis.ai. Velentis maintains an internal Record of Processing Activities (Article 30 GDPR) available for inspection by the AEPD upon request.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be notified to you by email or via a notice on the Portal. The "Last updated" date at the top of this document indicates the current version.

15. Contact

For any questions about this Privacy Policy or our processing of your data, please contact:

Velentis Iberia, S.L. C/ Hermosilla 48, piso 1º derecha 28001 Madrid, Spain Email: privacy@velentis.ai

You are also entitled to lodge a complaint with the Spanish Data Protection Agency (AEPD): C/ Jorge Juan 6, 28001 Madrid — www.aepd.es — or with the supervisory authority in your country of residence.