Privacy Policy

This policy explains what data Verlox collects, why we collect it, who we share it with, and the rights you have under GDPR. We try to keep it short, plain, and accurate.

1. Who we are (data controller)

The data controller of your personal information is Felix Cristobal, an independent developer based in Spain, operating the Verlox service. References to "Verlox", "we", "us" and "our" mean the controller.

2. What we collect

When you create an account

• your email address;
• a salted hash of your password (we never store or see your plain password);
• the date your account was created.

When you use Verlox

• the prompts you type, and any files or screenshots you attach, which we forward to the AI provider so it can answer;
• the commands the AI plans and runs (these stay on your own device and are not sent back to us);
• a simple monthly message counter, so the free-tier limit can be enforced.

When you subscribe to Pro

• a Stripe customer ID and subscription ID;
• the billing email you provide to Stripe.

We do not store your card details. Stripe holds those directly.

Automatically

• standard server access logs (IP address, timestamp, request) used for security and abuse prevention, kept for a short period (typically around 30 days) and then deleted.

3. Why we use it (lawful basis under GDPR)

• To provide the service (running the app, processing your requests through the AI, enforcing your plan): performance of a contract (GDPR Art. 6(1)(b)).
• To take payments through Stripe: performance of a contract.
• To prevent abuse, fraud and security incidents: legitimate interest (GDPR Art. 6(1)(f)).
• To communicate about service changes you need to know (security incidents, billing, material policy changes): performance of a contract / legitimate interest.

We do not currently send marketing emails. If we ever do, it will be opt-in.

4. Who we share it with (processors)

We share data only with the third parties we need to actually run the service. We do not sell your data and we do not share it with advertisers.

• Anthropic, PBC (United States): processes your prompts to generate AI responses. Subject to Anthropic's own privacy and data terms.
• Stripe, Inc. / Stripe Payments Europe Ltd (Ireland / United States): processes subscription billing.
• Railway Corp. (United States): hosts our backend and database.
• Vercel Inc. (United States): hosts the website at www.verlox.app and provides privacy-friendly visitor analytics (Vercel Web Analytics).
• GitHub, Inc. (United States, Microsoft subsidiary): hosts the app installer and our public support channel.

5. International transfers

Some of our processors are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards offered by those providers.

6. How long we keep it

• Account data: kept while your account is active, plus a short period after deletion to handle any final billing or legal obligations.
• Usage counters: kept for the current and previous calendar month so the rolling reset works, then deleted.
• Server logs: typically around 30 days.
• Stripe billing records: kept as long as Stripe's own retention and tax/accounting rules require (typically several years).

7. Your rights (GDPR)

If you are in the EEA, the UK, or Switzerland, you have the right to:

• access the personal data we hold about you;
• correct it if it's wrong;
• delete it ("right to be forgotten"), subject to legal retention obligations;
• restrict or object to certain processing;
• export it ("data portability");
• withdraw consent at any time where processing is based on consent.

To exercise any of these, contact us through github.com/TylerES777/Verlox/issues. We aim to respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Spain, that is the Agencia Española de Protección de Datos (AEPD): aepd.es.

8. Cookies and tracking

The Verlox desktop app does not use cookies or third-party analytics. Your session token is stored in your operating system's secure keychain on your own device.

The Verlox website (www.verlox.app) uses Vercel Web Analytics to count visitors and see which pages are looked at. It does not set cookies, does not collect personal data, does not track you across other sites, and does not require a consent banner under GDPR. We use it only to understand what's working on the site so we can improve it.

9. Children

Verlox is not directed at children under 16. We do not knowingly collect data from anyone under that age. If you believe a child has signed up, contact us so we can delete the account.

10. Security

Passwords are stored as salted hashes. All communication between the app and our backend is encrypted in transit (HTTPS). No system is perfectly secure, but we take reasonable measures to protect your data and follow industry-standard practices.

11. Changes to this policy

We may update this policy from time to time. We will update the "Last updated" date at the top, and for material changes that affect your rights we will give reasonable notice in the app.

12. Contact

For privacy questions, requests, or complaints, the current contact channel is github.com/TylerES777/Verlox/issues. A dedicated email address will be added once available.