Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of Velvr's Terms of Service and Privacy Policy. By creating a Velvr account and connecting a Fanvue account via OAuth, the Creator ("you") and Velvr (MAKOA LLC, "us") agree to the terms below, which govern the processing of fan personal data on your behalf.
1. Roles under GDPR Article 28
- You (the Creator) are the Data Controller for the personal data of your Fanvue fans (handles, message history, subscription status, lifetime spend).
- Velvr is the Data Processor, acting only on your documented instructions, which you provide through your use of the Service (e.g. enabling auto-reply, configuring personas, sending mass DMs).
- For your own Velvr account data (email, billing, subscription state), Velvr is the Data Controller — see our Privacy Policy.
2. Scope and Purpose
Velvr processes fan personal data only to:
- Generate auto-replies, captions, and PPV pitches via the Adaptive Engine.
- Run the six-layer validator pipeline that checks every output before send.
- Maintain your inbox, vault, fan-funnel state, and analytics on your behalf.
- Comply with legal obligations (audit logs, breach notification, EU AI Act Art. 50).
Velvr does not use fan message content to train AI models. Sub-processors (xAI Grok) operate under API-only no-training agreements.
3. Sub-Processors
Velvr engages the following sub-processors to deliver the Service. We notify you of material changes to this list with reasonable advance notice.
- Supabase, Inc. (US-East) — database, authentication, edge functions
- Cloudflare, Inc. (global CDN) — edge hosting, R2 media storage, Turnstile bot protection
- Inngest, Inc. (US) — durable workflow execution for background jobs
- Stripe, Inc. (US) — subscription billing and payments
- xAI Corp. (US) — Grok language model inference (API-only, no-training)
- Resend, Inc. (US) — transactional email delivery
- Sentry / PostHog — error monitoring and product analytics
- Vercel, Inc. (US) — application hosting
4. International Data Transfers
Velvr's primary infrastructure is hosted in the United States. Where personal data of EU/EEA residents is transferred to the US, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and equivalent UK IDTA addenda where applicable. A copy of the SCC text used is available on request.
5. Security Measures
Velvr maintains the following technical and organizational measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase)
- OAuth tokens encrypted with AES-GCM at the application layer
- Row-level security policies enforcing per-creator multi-tenant isolation
- Role-based access controls on all internal systems
- Audit logging of sensitive actions (auto-reply toggle, OAuth connect, PPV send)
- Regular security review and dependency-vulnerability scanning
6. Data Subject Rights
If a fan submits a request under GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection) regarding data processed by Velvr on your behalf, we will assist you in fulfilling the request within our technical capability upon written request to dpo@velvr.app. You remain the Controller responsible for the primary response.
7. Breach Notification
Velvr will notify you of any personal data breach affecting fan data without undue delay, and in any case within 72 hours of becoming aware, to enable you to fulfill your obligations under GDPR Article 33.
8. Audit Rights
You may request information about our processing activities upon reasonable notice. Velvr may satisfy audit requests by providing relevant third-party attestations, security questionnaires, or summary reports in lieu of on-site access.
9. Return and Deletion
Upon termination of your Velvr account, all fan personal data we process on your behalf will be deleted within 30 days, except as required by law (billing records, audit logs).
10. Your Obligations as Controller
By using Velvr, you warrant that:
- You have a valid legal basis under GDPR Article 6 for accessing and processing your fans' personal data via the Service.
- Your use of AI-generated content via Velvr complies with applicable consumer protection, advertising, and platform-specific rules — including Fanvue's own Terms.
- You comply with EU AI Act Article 50 disclosure obligations. Velvr's Layer-6 Disclosure-Validator mechanically appends the required marker on every Reply 1, but you remain the deployer responsible for transparency toward your fans.
11. Full Version on Request
This is the MVP summary intended to make Velvr's data-processing posture transparent before sign-up. The full DPA — including detailed clauses on confidentiality, sub-processor change-notification procedure, indemnification, and termination — is available on request. Email dpo@velvr.app with subject "DPA Request" and we will send the full document within 2 business days.
12. Contact
Data Protection Officer (DPO) and primary contact for any GDPR-related questions: dpo@velvr.app
For supervisory authority complaints in the European Union, you may contact your national data protection authority. Velvr's lead supervisory authority is not yet designated as we operate from the United States; SCCs govern EU/EEA data transfers.