Privacy Policy
Last updated: May 2026
1. Introduction
Vefa ("we", "us", "our") is committed to protecting your privacy. This policy explains what personal data we collect, how we use it, how long we retain it, and your rights under the UK GDPR and EU GDPR.
Data Controller: Vefa — hello@vefa.co
2. Data We Collect
- Account information: Name, email address, phone number, and preferred language.
- Call data: Voice call recordings, transcripts, call timestamps, duration, and outcome logs.
- Health and wellness data: Information shared during AI wellness check-in calls, including mood, physical condition, and any health-related details you voluntarily disclose.
- Emergency contact information: Names, phone numbers, and relationship details of your designated contacts.
- Payment information: Processed by Stripe. We do not store card details.
- Usage data: Login activity, feature usage, and device/browser information.
- Consent records: Timestamps and records of consents you have given.
3. Legal Basis for Processing
We process your data under the following legal bases (UK/EU GDPR Article 6 and Article 9):
| Data Type | Legal Basis |
|---|---|
| Account & payment data | Contract performance (Art. 6(1)(b)) |
| Voice recordings & transcripts | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) |
| Health & wellness data | Explicit consent (Art. 9(2)(a)) |
| Emergency contact notifications | Vital interests (Art. 6(1)(d)) + Explicit consent |
| Service improvement (anonymised) | Legitimate interests (Art. 6(1)(f)) |
You may withdraw consent at any time via your account settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
4. How We Use Your Data
- To provide the Vefa wellness check-in service
- To generate AI wellness summaries and monthly health reports
- To notify your emergency contacts when you cannot be reached
- To process payments and manage your subscription
- To improve our service using anonymised, aggregated data only
- To send service-related emails (account, alerts, reports)
We do not use your data to train third-party AI models. Anthropic's API processes data solely to generate your reports and does not use it for model training.
5. Data Sharing
We do not sell your data. We share data only with the following processors, all bound by Data Processing Agreements:
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA (EU-US DPF) |
| VAPI | AI voice call infrastructure | USA (SCC applied) |
| Anthropic | AI wellness report generation | USA (SCC applied) |
| Resend | Email notifications | USA (SCC applied) |
| Supabase | Database and storage | EU region |
| Vercel | Frontend hosting | USA (SCC applied) |
SCC: Standard Contractual Clauses — EU-approved data transfer mechanism.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Call transcripts — Basic plan | Not retained |
| Call transcripts — Standard plan | 1 month |
| Call transcripts — Premium plan | 3 months |
| Monthly health reports — Premium | Duration of subscription |
| Payment records | 7 years (legal obligation) |
| Consent records | Duration of account + 3 years |
| Audit logs | 12 months |
You may request early deletion of transcripts at any time via Settings.
7. Your Rights
Under UK/EU GDPR, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate data
- Erasure — Request deletion of your data ("right to be forgotten")
- Data portability — Receive your data in a machine-readable format
- Withdraw consent — At any time, without affecting prior processing
- Object — To processing based on legitimate interests
- Lodge a complaint — With your national supervisory authority
To exercise any right, contact us at hello@vefa.co. We will respond within 30 days.
UK users may also contact the ICO: ico.org.uk
EU users may contact their local data protection authority.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. In the event of a data breach, we will notify affected users and relevant authorities within 72 hours where required by law.
9. Cookies
We use essential cookies required for the service to function. For full details, see our Cookie Policy. You can manage cookie preferences at any time via the cookie settings link in the footer.
10. Children
Vefa is intended for users aged 18 and over. We do not knowingly collect data from individuals under 18.
11. Changes to This Policy
We may update this policy periodically. We will notify you by email of any material changes. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Questions or requests regarding your data: hello@vefa.co