Privacy Policy - VELARI

Effective date: 12 December 2025

This Privacy Policy explains how VELARI ("VELARI", "we", "us", "our") collects, uses, shares, and protects personal data in connection with:

  • our website at velarihq.com and related communications, where we act as a data controller, and
  • our software and services that help Search Funds, Private Equity firms, and M&A brokers identify, validate, and enrich potential targets and contacts (the "Services"), where we generally act as a data processor on behalf of our customers.

If you are a customer using the Services, your organisation's agreement with VELARI (for example, the Master Service Agreement and Data Processing Addendum) also governs how we process personal data on your organisation's behalf.

If anything in this Policy conflicts with your organisation's agreement with us, that agreement will usually control for processor-context data.

1. Who we are & how to contact us

Company: VELARI
Website: velarihq.com
Contact email for privacy: privacy@velarihq.com

For data protection purposes:

For website visitors, webinar sign-ups, sales enquiries, recruitment, and our own marketing lists, VELARI is the data controller.

For customer content that you upload to or connect with the Services (e.g. company records, contact details, notes, deal pipeline data, and related enrichments), VELARI acts as a data processor to your organisation, which is the controller. We process that data only in accordance with your instructions and our contract.

Our Services and website may link to third-party sites or services that we do not control. This Policy does not apply to those third parties. You should review their privacy policies before providing personal information to them.

2. Roles & scope

2.1 When we are controller

We are controller for:

  • visitors to velarihq.com and related pages;
  • people who contact us (e.g. demo requests, support enquiries, general enquiries);
  • business contacts and prospects we reach out to in a B2B context;
  • individuals applying for roles at VELARI; and
  • our own internal business operations (billing, vendor management, etc.).

2.2 When we are processor

We are processor for:

  • Customer content you upload or sync to the Services (e.g. company records, contact details, deal notes, tags and scoring);
  • Data we source, ingest, enrich, and verify on your behalf, including business contact and shareholder/owner information, in order to help you identify and reach relevant business contacts and potential targets; and
  • Any other personal data we process strictly on your documented instructions under the Data Processing Addendum.

In those cases, your organisation is the controller and decides:

  • which data is processed;
  • for what purposes; and
  • what legal basis applies.

This Policy describes our processor role at a high level, but your organisation's own privacy notice is the primary document for individuals whose data is processed in that context.

3. Information we collect

3.1 Information you provide to us (controller context)

Account & billing

Name, business email, job title/role, organisation;
Billing contact details, tax details, and payment-related information (payment card data is handled by our payment partner and not stored in full by us).

Communications

Information you provide in demo requests, support tickets, surveys, webinars, and other communications;
Records of our communications with you (e.g. email threads, meeting notes).

Recruitment

CV/resumé, cover letter, employment and education history, skills, professional qualifications, interview notes, and any other data you choose to share during a recruitment process.

3.2 Information we collect automatically

Usage & device data

When you use our website or Services, we automatically collect:

IP address, device identifiers, operating system, browser type and settings;
pages visited, features used, clicks, timestamps, and referral/exit URLs;
crash logs and diagnostic data generated by your interaction with the Services.

Cookies and similar technologies

We use cookies and similar technologies for:

  • essential functionality (e.g. login, security, session management);
  • analytics and performance; and
  • where applicable, marketing.

For more information, please see our Cookie Policy, which forms part of this Privacy Policy.

3.3 Information from third parties (B2B context)

We may receive information about you from:

  • Public registries and lawful open sources, such as company registers, corporate websites, press releases, and public filings;
  • Commercial data providers and professional platforms (e.g. business databases, professional networking platforms) that supply B2B contact and firmographic data;
  • Attribution and analytics partners to understand campaign performance and traffic sources.

We use this information primarily in a B2B context to help our customers identify and reach relevant business contacts, and to run our own marketing and sales operations in line with applicable law.

3.4 Information we process as processor (customer content)

In the processor context, we process:

  • Customer datasets you upload or sync to the Services;
  • Configuration and metadata: tags, scoring rules, workflows, and other settings;
  • Enrichment and validation data we add on your behalf (e.g. business contact details, professional roles, ownership/shareholder information where public, links to public sources);
  • Optional review comments and internal notes your users may add.

We process this data solely as necessary to provide the Services under your organisation's instructions.

3.5 Children's data

Our Services are intended for business users and are not directed to children under 16. We do not knowingly collect information about children. If you believe we have collected personal data about a child, please contact us at privacy@velarihq.com and we will take appropriate steps to delete it.

4. How we use information (controller context)

We use personal data as controller to:

Provide and secure the website and Services

Authenticate users, operate core features, maintain performance, prevent fraud and abuse, and ensure availability and security.

Process data on your behalf (as part of running your account)

Ingest, enrich, verify, deduplicate, score, and export data to your systems;
Provide support, troubleshooting, and configuration assistance.

Improve and develop the Services

Conduct analytics, testing, research, quality assurance, and model and rules tuning;
Understand how customers use features to improve usability and performance.

Communicate with you

Respond to demo requests, support tickets, and other enquiries;
Send service notifications, transactional messages, and security alerts;
Send marketing communications and product updates where permitted by law (see "B2B Marketing" below).

Comply with legal obligations and enforce our terms

Respond to lawful requests from authorities;
Comply with applicable laws;
Protect our rights, safety, and the rights and safety of others.

4.1 Legal bases (EEA/UK)

Where the GDPR or UK GDPR applies, our main legal bases are:

Contract (Art. 6(1)(b))

To provide the Services to your organisation, manage your account, and respond to requests made in the context of entering into or performing a contract.

Legitimate interests (Art. 6(1)(f))

For example:

  • Running, securing, and improving our website and Services;
  • B2B marketing to business contacts;
  • Preventing fraud and misuse;
  • Protecting our legal rights and managing risk.

We balance these interests against your rights and expectations and take steps to minimise impact.

Consent (Art. 6(1)(a))

Where required by law for specific activities, such as certain cookies/trackers or particular marketing communications. You can withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

For processor activities, your organisation's legal basis applies. We process data only on their instructions.

5. Sharing & disclosures

We may share personal data (in both controller and processor contexts) with:

Vendors and service providers

Cloud hosting, infrastructure, storage, email delivery, analytics, support tools, payment processors, and similar providers. They may access personal data only to perform services for us and are bound by confidentiality and data protection obligations.

Your direction

For example, exporting data to your CRM, sequencing tool, data warehouse, or other systems you integrate with the Services.

Professional advisers

Legal, audit, accounting, and other advisers, under confidentiality obligations.

Corporate transactions

In connection with a merger, acquisition, financing, or sale of all or part of our business, subject to appropriate confidentiality and data protection protections.

Legal reasons

Where necessary to comply with law, regulation, legal process, or lawful requests from authorities; to enforce our agreements; or to protect the rights, property, or safety of VELARI, our customers, or others.

We do not sell personal information. For California's CPRA, we also do not "share" personal information for cross-context behavioural advertising without your consent.

6. International transfers

We may process and store information in countries other than the country where it was collected. When transferring personal data from the EEA/UK/Switzerland, we rely on appropriate safeguards such as:

  • European Commission Standard Contractual Clauses (and the UK Addendum, where applicable);
  • Other mechanisms approved by data protection authorities; and
  • Additional technical and organisational measures where required.

You can contact us at privacy@velarihq.com for more information on the safeguards we use.

7. Data retention

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law.

Examples:

  • Website and usage data: kept for a limited period (typically up to 12 months) for security, analytics, and troubleshooting, and may be aggregated or anonymised for longer-term analysis.
  • Account and billing records: kept for the duration of the customer relationship and for a reasonable period afterwards (typically up to 7 years) to comply with accounting and tax obligations and to handle potential disputes.
  • Marketing data: retained until you opt out of marketing or until we determine it is no longer accurate or useful for this purpose.
  • Recruitment data: retained for the duration of the recruitment process and, if you are not hired, for up to 24 months, unless you consent to a longer period or law permits/obliges a different period.

For customer content (processor data), we retain it according to:

  • your organisation's settings and instructions; and
  • the terms of your contract with us.

At contract end or upon your instruction, we delete or return customer content, subject to any legal retention requirements and technical limitations (e.g. backups with limited access and time-bound retention).

8. Security

We use technical and organisational measures appropriate to the risk, including:

  • encryption in transit;
  • access controls and least-privilege principles;
  • secure development and deployment practices;
  • logging, monitoring, and incident response processes;
  • employee training and confidentiality commitments; and
  • vendor due diligence and contractual safeguards.

No system is 100% secure, but we work continuously to protect information against unauthorised access, use, alteration, and destruction.

9. Your rights (GDPR/UK GDPR and similar laws)

Where applicable law grants you rights (e.g. under the GDPR or UK GDPR), you may have the right to:

  • Access your personal data and receive information about how we process it;
  • Rectify inaccurate or incomplete personal data;
  • Erase your personal data in certain circumstances ("right to be forgotten");
  • Restrict our processing in certain cases;
  • Data portability, to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller;
  • Object to processing based on our legitimate interests, on grounds relating to your particular situation;
  • Object at any time to processing for direct marketing; and
  • Withdraw consent where we rely on consent.

To exercise your rights in relation to data for which VELARI is controller (e.g. website leads, sales contacts, recruitment), contact us at privacy@velarihq.com.

You also have the right to lodge a complaint with your local data protection authority, in particular in the EEA/UK country where you live or work, or where you believe your rights have been infringed.

9.1 When we act as processor

For personal data we process on behalf of a customer (customer content, enriched contact data, etc.), your organisation is the controller. If you contact us directly about such data, we may:

  • refer you to the relevant customer/controller; or
  • pass your request on to them, where we are able to identify them.

We support our customers in responding to rights requests, as required by our contracts and applicable law.

10. B2B marketing

We may send product updates, invitations, and other marketing communications to business emails of customers and prospective customers:

  • based on our legitimate interests in promoting our Services; or
  • under applicable soft opt-in rules; or
  • where you have provided consent, if required by law.

You can opt out of marketing at any time:

Opting out of marketing will not affect service or transactional emails (e.g. security alerts, billing notices).

11. Automated processing & scoring

Our Services perform algorithmic processing, including:

  • scoring and ranking of company and contact records;
  • enrichment and validation (e.g. adding business contact details or firmographic attributes);
  • prioritisation of potential targets and contacts for you to review.

These activities are intended to help your organisation prioritise and evaluate opportunities more efficiently. They do not produce legal or similarly significant effects on individuals solely by automated means within the meaning of Article 22 GDPR.

Customers control how they use scores, enrichments, and suggested contacts in their own workflows.

12. Third-party links

Our website and Services may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any personal data to them.

13. California privacy notice (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), may provide you with specific rights regarding your personal information.

13.1 Categories of personal information

In the last 12 months, we have collected the following categories of personal information (as defined by CCPA/CPRA) for business purposes:

  • Identifiers (e.g. name, business email, IP address);
  • Internet or network activity (e.g. usage data related to our website and Services);
  • Professional or employment-related information (e.g. job title, employer, professional biography);
  • Inferences drawn from the above to support B2B interests (e.g. likelihood to be interested in certain offerings).

We do not use sensitive personal information for purposes that would require a "right to limit" under CPRA and do not use it to infer characteristics.

13.2 Your CCPA/CPRA rights

Subject to certain exceptions, California residents have the right to:

  • Know/access the categories and specific pieces of personal information we collect, use, disclose, sell, or share;
  • Correct inaccurate personal information;
  • Delete personal information;
  • Opt out of sale or sharing of personal information;
  • Not be discriminated against for exercising their rights.

We do not sell personal information, and we do not share personal information for cross-context behavioural advertising without your consent.

To submit a request, contact us at privacy@velarihq.com. If we act as a service provider for your organisation, we may refer your request to them.

14. Changes to this Policy

We may update this Privacy Policy from time to time. When we do:

  • we will change the "Effective date" at the top; and
  • if changes materially affect your rights or how we use your data, we will provide additional notice where required by law (for example, by email or a notice on our website).

15. Contact us

If you have questions or requests regarding this Privacy Policy or our data practices, please contact:

Email: privacy@velarihq.com