Velocis Alpha is operated by Woocargo LTD(“we”, “us”, “our”), a private limited liability company incorporated in the Republic of Cyprus, with registered address at Andrea Assioti 4a, 2007 Nicosia, Cyprus. For the purposes of EU and UK data-protection law, Woocargo LTD is the controller of personal data processed in connection with the Velocis Alpha service (the “Service”), available at velocisalpha.com.

For any privacy-related question, request, or complaint, contact us at legal@velocialpha.com.

This Policy applies to personal data we process when you:

• visit velocisalpha.com or any related sub-domains;
• create an account, sign in, or use the Service;
• communicate with us by email or through support channels.

It does not apply to third-party websites, apps, or services that we do not control, even where they are linked from the Service. Their privacy practices are governed by their own policies.

3.1 Information you provide directly

• Account data: email address and, where you sign in via Google or another supported identity provider, the identifiers and basic profile fields shared by that provider (such as your email and display name).
• Authentication data: hashed password (where you choose email-and-password signup); session tokens.
• User Content: the prompts, messages, files, and instructions you submit to the conversational research assistant, together with the AI Outputs generated in response.
• Support and correspondence: any information you provide when you contact us by email.

3.2 Information collected automatically

• Usage data: pages and features accessed, actions performed, model/feature used per request, Credit consumption, timestamps.
• Technical data: IP address, approximate location derived from IP, device type, operating system, browser type and version, language preferences.
• Cookies and similar technologies: see Section 11 (Cookies).

3.3 Information from third parties

• Authentication providers: where you sign in via Google or a similar provider, we receive the identifiers and basic profile fields described above, in accordance with that provider's permissions.
• Payment provider: Paddle.com Market Limited and/or its affiliates (“Paddle”), acting as merchant of record, provides us with transaction confirmations, invoice metadata, country of purchase, and limited fraud-related signals. We do not receive or store full payment-card numbers.

3.4 Information we do not collect

We do not require KYC documents (such as passport scans). We do not connect to your brokerage or bank accounts. We do not deliberately collect sensitive categories of data (such as health data, biometric data, or data revealing racial or ethnic origin, political opinions, or religious beliefs) and ask that you do not submit such data through the Service.

We process your personal data for the purposes and on the legal bases summarized below.

Where we rely on legitimate interests, we have carried out a balancing test to ensure that our interests are not overridden by your rights and freedoms. You may request further information about this assessment by contacting legal@velocialpha.com.

Velocis Alpha relies on third-party large-language-model providers (currently Anthropic and OpenAI) to generate the conversational research Outputs. When you submit a prompt, the prompt and limited contextual data are transmitted to the relevant AI provider via its API.

We have selected providers that contractually commit, through their API terms, not to use customer inputs and outputs to train their general-purpose foundation models. We do not use your prompts or Outputs to train our own AI models. Where AI providers retain data for limited periods for abuse-monitoring or operational purposes, this is governed by their published policies.

If you choose not to send a particular type of information through the Service, simply do not include it in your prompts. You should never include real authentication credentials, account numbers, private keys, or other secrets in your prompts.

We do not sell your personal data. We share personal data only with the following categories of recipients, and only to the extent necessary:

• Cloud and infrastructure providers that host the Service and store data on our behalf;
• AI model providers (Anthropic, OpenAI, and any successor or additional providers we may engage) for the purpose of generating Outputs;
• Payment provider (Paddle) for payment processing, tax handling, and invoicing in its role as merchant of record;
• Identity providers (such as Google) where you choose to sign in via single sign-on;
• Email-delivery and customer-support providers used to send transactional and support communications;
• Professional advisers (such as lawyers, auditors, accountants) bound by duties of confidentiality;
• Public authorities, regulators, and law-enforcement agencies, where required by law or where necessary to establish, exercise, or defend legal claims;
• Acquirers, investors, and their advisers, in connection with a merger, acquisition, financing, due-diligence process, or sale of all or substantially all of our assets, subject to appropriate confidentiality obligations.

All processors we engage are bound by written data-processing agreements that include the safeguards required under Article 28 GDPR.

Some of our service providers (notably AI providers, cloud infrastructure, and analytics) are established outside the European Economic Area (“EEA”), including in the United States. When we transfer personal data outside the EEA, we rely on appropriate safeguards as required by Articles 44–49 GDPR, including:

• the European Commission's Standard Contractual Clauses (SCCs);
• where applicable, the EU-U.S. Data Privacy Framework and its UK extension, where the recipient is certified;
• supplementary technical and organizational measures (such as encryption in transit and at rest) where necessary.

You may request a copy of, or further information about, the safeguards in place for any particular transfer by emailing legal@velocialpha.com.

Backups and disaster-recovery copies may persist for a short additional period following deletion, after which they are overwritten in the ordinary course.

Subject to applicable conditions and exceptions, you have the following rights in relation to your personal data:

• Right of access (Art. 15): obtain confirmation of whether we process your data and a copy of it.
• Right to rectification (Art. 16): correct inaccurate or incomplete data.
• Right to erasure (Art. 17): request deletion of your data in certain circumstances (the “right to be forgotten”).
• Right to restriction (Art. 18): request restriction of processing in certain circumstances.
• Right to data portability (Art. 20): receive data you provided to us in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): object to processing based on our legitimate interests, and to direct marketing at any time.
• Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time.
• Right to lodge a complaint (Art. 77): lodge a complaint with the Cyprus Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy) or the supervisory authority in your country of residence or workplace.
• Rights related to automated decision-making (Art. 22): we do not subject you to decisions producing legal or similarly significant effects that are based solely on automated processing. AI Outputs are research analyses, not automated decisions about you.

To exercise any of these rights, email legal@velocialpha.com from the address associated with your account, or use the in-product controls where available. We will respond within the time periods required by law (typically one month, extendable by up to two further months for complex or numerous requests). We may need to verify your identity before fulfilling certain requests.

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include, among others:

• encryption in transit (TLS) and at rest for stored data;
• access controls and the principle of least privilege for employees, contractors, and processors;
• strong authentication for administrative accounts and infrastructure;
• logging, monitoring, and alerting on security-relevant events;
• regular review of vendors, configurations, and dependencies.

No system can guarantee absolute security. You are responsible for keeping your credentials secure and for using a strong, unique password (and a unique Google account) for your Velocis Alpha account.

We use a limited set of cookies and similar technologies to operate the Service. These include:

• Strictly necessary cookies — required for authentication, session management, security, load balancing, and basic functionality. These do not require consent under EU and Cyprus law.
• Preference cookies — to remember settings such as language or theme.

We do not currently use third-party analytics or advertising cookies. If we add cookies that require consent in the future, we will request your consent through an appropriate consent banner and update this Policy.

The Service is not intended for, and is not directed to, persons under eighteen (18) years of age, and we do not knowingly collect personal data from such persons. If we become aware that we have collected personal data from a person under 18, we will delete it promptly. If you believe a minor has provided us with personal data, contact legal@velocialpha.com.

We may update this Privacy Policy from time to time, for example to reflect changes in the Service, in our processing activities, in third-party providers, or in applicable law. Where changes are material, we will provide reasonable notice (such as by email or in-product notice) before they take effect. The “Effective Date” at the top of this Policy indicates the date of the most recent revision.

For any privacy-related question or request, contact:

If you are not satisfied with our response, you have the right to lodge a complaint with the Cyprus Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy) or with the data-protection supervisory authority in your EEA Member State of habitual residence, place of work, or place of the alleged infringement.