Privacy Policy

Last updated: March 23, 2026

Velum ("we", "our", "us") is a study-planning tool for medical students. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

1. Data We Collect

We collect the following categories of personal data:

Account data: Your name and email address provided through Google Sign-In.
Profile data: Medical school year, school name, study preferences, sleep and wellness goals you enter during onboarding.
Study data: Exam names, dates, difficulty ratings, and study schedules you create within Velum.
Calendar data: Event titles, dates, and times from your Google Calendar if you choose to connect it. We never access calendar event descriptions, attendees, or video call links.
Usage data: Study logs, task completion records, and notification preferences you set within the app.
Device data: Browser type and push notification subscription tokens if you enable notifications.

We do not collect: payment information, health records, academic transcripts, grades, or any data from your educational institution.

Velum is an independent study tool not affiliated with any educational institution, school, or district. We do not receive student records from schools or educational institutions. Calendar data you choose to connect is used solely to generate your personal study schedule and is never shared with your institution, school, or any third party.

2. How We Use Your Data

To create and personalize your study schedule.
To detect calendar conflicts and free windows.
To track study completion and adapt future schedules.
To send study reminders you have opted into.
To save your preferences so you don't have to re-enter them.

We do not sell, share, or transfer your data to third parties for advertising or marketing purposes.

3. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

Contract performance: Processing necessary to provide the Velum service you signed up for (scheduling, exam management, study logging).
Legitimate interests: Improving our service based on aggregate usage patterns. We ensure this does not override your privacy rights.
Consent: Push notifications and Google Calendar access, which you explicitly grant and can revoke at any time.

4. Third-Party Services (Subprocessors)

Velum uses the following third-party services to operate:

Supabase (supabase.com): Database and authentication infrastructure. Data stored in US-based servers. GDPR compliant.
Vercel (vercel.com): Application hosting and deployment. GDPR compliant. Data processed in US and EU edge locations.
Anthropic (anthropic.com): AI schedule generation. Your exam names and study preferences are sent to Anthropic's API to generate your schedule. Anthropic does not train on API data.
Google (google.com): Authentication (Google Sign-In) and optional Calendar integration. Governed by Google's Privacy Policy.
Web Push (browser built-in): Push notifications delivered through your browser's built-in push service.

We do not use advertising networks, analytics trackers, or any third-party that monetizes your data.

5. Google API Limited Use Disclosure

Velum's use of Google Calendar data adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only request read-only access to your calendar and use it solely to build your study plan. We do not store raw calendar event data beyond what is needed for scheduling.

6. Data Storage and Security

Your data is stored in a Supabase-hosted PostgreSQL database with row-level security enabled. Each user can only access their own data. All connections use HTTPS/TLS encryption. Authentication is handled by Supabase Auth with Google OAuth 2.0. We do not store passwords.

In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware of the breach, in accordance with GDPR requirements. Notification will be sent to your registered email address.

To report a security vulnerability: bykarishma21@gmail.com

7. Data Retention

We retain your data for as long as your account is active. Specifically:

Account and profile data: retained until you delete your account.
Study schedules and logs: retained until you delete your account or clear your schedule.
Push notification tokens: deleted immediately when you disable notifications or delete your account.
Google Calendar tokens: deleted immediately when you disconnect Google Calendar or delete your account.
Cookie consent records: retained for 3 years for compliance purposes.

Upon account deletion, all personal data is permanently deleted within 30 days. Anonymized, aggregated data that cannot identify you may be retained indefinitely.

8. Your Rights

Regardless of where you are located, you have the right to:

Access: Request a copy of all data we hold about you. Use the "Export Data" button in Settings.
Correction: Update your profile information at any time in Settings.
Deletion: Delete your account and all associated data permanently. We delete all data within 30 days.
Portability: Export your data in JSON format at any time.
Opt-out of notifications: Disable all notifications in the Notification Center or revoke permission in browser settings.
Withdraw Google Calendar access: Disconnect at any time in Settings.

California residents (CCPA): You have additional rights including the right to know what data we collect, the right to delete, and the right to opt-out of data sales. We do not sell your data.

EU/EEA residents (GDPR): You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your privacy rights.

To exercise any right, contact: bykarishma21@gmail.com

9. We Do Not Sell Your Data

Velum does not sell, rent, trade, or otherwise transfer your personal information to third parties for monetary or other valuable consideration. This applies to all users regardless of location.

10. Cookies

Velum uses only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or analytics cookies. You can dismiss our cookie notice at any time. Your dismissal is recorded locally on your device with a timestamp for compliance purposes.

11. Push Notifications

If you choose to enable push notifications, Velum stores a push subscription token on our servers solely for the purpose of delivering study reminders you have requested. This token does not identify you personally and is used only to route notifications to your device. You can revoke notification permissions at any time through your browser settings or through the Notification Center in Velum.

12. Anki Integration (Beta)

Velum's Anki integration is a beta feature that connects directly to the AnkiConnect add-on running locally on your device. Velum reads only your deck names and due card counts. Your flashcard content, card text, images, and study history never leave your device and are never transmitted to Velum's servers. Any API key you provide for AnkiConnect is stored exclusively in your browser's local storage.

13. FERPA Notice

Velum is not an educational institution and does not act on behalf of any educational institution. The Family Educational Rights and Privacy Act (FERPA) does not govern Velum's operations. Velum does not access, store, or transmit education records as defined by FERPA.

14. Children's Privacy

Velum is intended for medical students (18+). We do not knowingly collect data from anyone under 18.

15. Consent Records

When you create a Velum account, we record that you agreed to our Terms of Service and Privacy Policy, including the version number and timestamp of your agreement. This record is stored securely and used solely for compliance purposes. If we make material changes to our Terms or Privacy Policy, we will ask for your consent again.

16. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before taking effect.

17. Contact

For any privacy questions, data requests, or concerns:
Email: bykarishma21@gmail.com
Response time: within 30 days for all requests.

Velum is operated by an individual developer. A formal Data Protection Officer is not required at this scale, but all privacy requests are handled personally and promptly.