Legal
Privacy Policy
Last updated: 7 June 2026
How we handle personal data across the Veltflow website, the guest-facing QR experience, and the staff and manager dashboards.
Who we are
Veltflow is a hospitality guest-service and operations platform operated by Vibros LTD, a Cyprus private limited company (“Veltflow”, “Vibros”, “we”, “us”). Because we are established in the EU, this policy is written to align with the EU General Data Protection Regulation (GDPR) and Cyprus data-protection law.
- Company number: HE489995
- Privacy contact: privacy@veltflow.app
A note for hotel & venue guests
If you are a guest using a QR code at a hotel, beach bar, restaurant, or other venue, the venue is normally the controller of your order and request data. Vibros provides the Veltflow software as a processor for that venue, unless this Privacy Policy clearly states otherwise. Questions about how a particular venue uses your data are best directed to that venue.
Controller vs processor — an important distinction
Veltflow plays two different roles depending on the data:
- We are an independent controller for our own business and platform data — website visitors, demo and sales enquiries, customer staff and manager accounts, authentication data, billing data, support communications, security logs, and business-relationship data.
- We are a processor for the operational data a venue collects from its own guests through Veltflow — guest service requests, orders, messages, QR scan/session metadata, operational status data, and related venue records. For that data the venue (our Customer) is the controller, and we process it only on the Customer’s instructions under our Data Processing Agreement.
Information we collect
Website visitors & demo requests
When you submit the demo form we collect the property name, your name, email, optional phone number, role, property size, and any message, plus technical metadata (IP address and browser user-agent) for security and abuse prevention.
Customer staff & managers
Account identity (name, email, and optionally surname, phone, and notes) and the role assigned within a workspace. Authentication is handled by our identity provider, Clerk; we store the role and profile fields needed to operate the dashboards. We act as controller for this data.
Venue guests
Guests use Veltflow with no login and no app install. When a guest scans a QR code we create a short-lived session and may record the request or order details, any optional name or message the guest provides, and limited scan metadata (approximate IP-derived country/city, user-agent, and timestamps) used to prevent fraudulent or off-property submissions. We do not ask guests for accounts or payment card details. We act as processor for this data on the venue’s behalf.
Legal bases for processing
Where we act as controller, we rely on the legal bases below. Where we act as processor, we process on the venue’s documented instructions and the venue is responsible for establishing the legal basis.
| Processing activity | Our role | Legal basis |
|---|---|---|
| Website visits and basic analytics | Controller | Legitimate interests / consent where required |
| Demo and sales enquiries | Controller | Legitimate interests / steps before a contract |
| Staff/manager account creation | Controller | Contract / legitimate interests |
| Authentication and account security | Controller | Contract / legitimate interests |
| Billing and invoicing | Controller | Legal obligation / contract |
| Support communications | Controller | Contract / legitimate interests |
| Platform security logs | Controller | Legitimate interests / legal obligation where applicable |
| Guest orders and requests | Processor | Processed on the venue’s instructions |
| Guest QR scan/session metadata | Processor | Processed on the venue’s instructions |
Cookies and similar technologies
We keep cookies to a minimum and do not run advertising trackers. The guest experience uses a single strictly-necessary, HttpOnly session cookie (velt_qrs) that ties a request to a recent scan and expires within about an hour. Operator sign-in uses session cookies set by Clerk. These are essential to operate the service.
Sharing and sub-processors
We do not sell personal data. We share it with vetted infrastructure providers who process it on our behalf — including Neon (database hosting, EU region), Vercel (application hosting), Clerk (authentication), and Cloudflare (image storage and network). The current list and their roles are maintained in our Data Processing Agreement.
International transfers
Our primary database is hosted in the EU (Frankfurt region). Some service providers may process data outside the EEA. Where this occurs, Vibros uses appropriate safeguards such as EU Standard Contractual Clauses and additional transfer protections where required.
How we protect personal data
We use appropriate technical and organisational measures designed to protect personal data, including access controls, tenant separation, secure hosting providers, encryption in transit, environment-based secret management, and operational security measures. No system is completely secure, and we continuously improve our safeguards as the platform develops. The contractual security measures for data we process on a Customer’s behalf are set out in Annex 2 of our Data Processing Agreement.
Retention
We keep personal data only as long as needed for the purposes above. Indicative periods:
| Data category | Retention |
|---|---|
| Guest QR session data | Short operational period, unless needed for debugging/security |
| Guest orders and requests | As instructed by the venue/customer |
| Staff/manager account data | For the account duration, plus a reasonable deletion/export period |
| Support communications | Up to 24 months, unless legally required longer |
| Demo/sales leads | Up to 24 months after the last meaningful interaction |
| Security logs | 6–12 months, unless needed for an investigation |
| Billing/accounting records | As required by Cyprus tax and accounting law |
Your rights
Subject to applicable law, you may request access to, correction of, or deletion of your personal data, as well as restriction, portability, or objection to certain processing. We respond to valid GDPR rights requests without undue delay and normally within one month, unless an extension is legally permitted. For data we process on a venue’s behalf, we will refer your request to that venue as controller. You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection (Cyprus) or your local supervisory authority.
Children
Veltflow is a business tool not directed at children, and we do not knowingly collect their personal data.
Changes
We may update this policy as the product evolves. We will revise the “last updated” date above and, for material changes, take reasonable steps to notify affected customers.
Contact
Questions or requests: privacy@veltflow.app — Vibros LTD, Nicosia, Cyprus.