Privacy Policy
Last updated: March 24, 2026
1. Controller
Alexander Sadomsky
c/o IP-Management #42121
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
Email: [email protected]
2. Overview
We take the protection of your personal data seriously. This privacy policy explains what data we collect when you visit our website, how we use it, and what rights you have under the EU General Data Protection Regulation (GDPR).
3. Hosting & Server Log Files
This website is hosted on a self-managed Linux server. When you visit our website, the web server automatically collects and stores information in server log files that your browser transmits. This includes:
- IP address (anonymized after 7 days)
- Date and time of the request
- Requested URL and referrer URL
- Browser type and version
- Operating system
This data is processed based on Art. 6(1)(f) GDPR (legitimate interest) to ensure the security and stability of our website. Log files are automatically deleted after 14 days.
4. Cookies
4.1 Strictly necessary cookies
The following cookies/storage entries are strictly necessary for the operation of the website and do not require your consent under Art. 6(1)(f) GDPR:
- velonlabs_cookie_consent (Local Storage) — Stores your cookie consent decision; persistent until manually cleared
- lang (Cookie) — Stores your language preference (en/de); expires after 30 days
- __cf_bm (Cloudflare) — Bot detection; expires after 30 minutes
- cf_clearance (Cloudflare) — Security challenge clearance; expires after 30 minutes
4.2 Analytics cookies
This website does not use Google Analytics or any other third-party analytics cookies.
4.3 Advertising cookies
This website does not use advertising cookies, retargeting, or social media tracking pixels.
5. External Resources
All fonts and assets are self-hosted on our own server. The website uses the following external services:
- Cloudflare — CDN, DNS and DDoS protection (see Section 9)
- Stripe — Payment processing (see Section 7)
- PayPal — Payment processing (see Section 7)
No data is transmitted to third-party services without a legal basis.
6. Contact Form
When you use our contact/audit request form, the following data is collected and processed for the purpose of handling your inquiry:
- Name (required)
- Server name (optional)
- Discord username (required)
- Description of your request (required)
This data is processed based on Art. 6(1)(b) GDPR (pre-contractual measures) where your inquiry relates to a potential service engagement, and Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).
When you submit the form, your data is transmitted via an encrypted (HTTPS) API connection to our server and forwarded to [email protected] via SMTP (IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany). IONOS processes this data exclusively within the EU. No data is stored on our server beyond the email delivery.
Your contact data will be stored only for the duration necessary to process your inquiry and any resulting business relationship, unless legal retention obligations apply (e.g., 6 years under German commercial law, 10 years under German tax law).
6.1 Cloudflare Turnstile (CAPTCHA)
Our contact form uses Cloudflare Turnstile, a CAPTCHA service provided by Cloudflare, Inc. (see Section 9 for Cloudflare details). When you interact with the contact form, Turnstile may process:
- IP address
- Browser type and version
- Interaction data (mouse movements, keystrokes, timing)
- A session token
This processing is based on Art. 6(1)(f) GDPR (legitimate interest in preventing spam and bot abuse). No additional cookies are set by Turnstile beyond the Cloudflare security cookies listed in Section 4. See Cloudflare’s Privacy Policy.
7. Payment Processing
When you make a payment on our website, your payment is processed by one of the following third-party payment service providers. We do not store your credit card details, bank account information, or PayPal credentials on our servers.
7.1 Stripe
For credit/debit card payments, we use Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA) and its EU entity Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Dublin 2, Ireland).
When you initiate a Stripe payment, you are redirected to a Stripe-hosted checkout page. Stripe may process the following data:
- Name and email address
- Payment card details (card number, expiry date, CVC)
- Billing address
- IP address and browser information
- Transaction amount and description
This data is processed based on Art. 6(1)(b) GDPR (performance of a contract). Stripe is PCI DSS Level 1 certified and processes EU customer data primarily within the EU. For transfers to the USA, Stripe is certified under the EU-US Data Privacy Framework. See Stripe’s Privacy Policy.
7.2 PayPal
For PayPal payments, we use PayPal (Europe) S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, L-2449 Luxembourg).
When you choose to pay via PayPal, you interact directly with PayPal’s embedded payment interface. PayPal may process the following data:
- PayPal account information (name, email address)
- IP address and device/browser information
- Transaction amount and description
- Shipping/billing address (if applicable)
This data is processed based on Art. 6(1)(b) GDPR (performance of a contract). PayPal is subject to European banking regulations and processes data within the EU. See PayPal’s Privacy Policy.
7.3 Data we receive from payment processors
After a successful payment, we receive only the following information from the payment processor:
- Transaction ID / reference number
- Payment status (completed, pending, failed)
- Transaction amount
- Payer name and email address
This data is stored for contractual fulfillment and legal retention obligations (see Section 11).
8. Discord
Our website contains a link to our Discord server. When you click this link, you leave velonlabs.io and are subject to Discord’s Privacy Policy. No data is transmitted to Discord until you actively click the link.
9. Cloudflare (CDN & Security)
This website uses Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) as a Content Delivery Network (CDN) and for DDoS protection.
When you visit this website, your connection is routed through Cloudflare’s network. Cloudflare may process the following data:
- IP address
- Browser type, language, and referring page
- Date and time of request
- Cloudflare security cookies (e.g., __cf_bm, cf_clearance) for bot detection
This data is processed based on Art. 6(1)(f) GDPR (legitimate interest in website security and performance). Cloudflare is certified under the EU-US Data Privacy Framework. See Cloudflare’s Privacy Policy.
10. Data Security
This website uses TLS/SSL encryption (HTTPS) for all data transmission. All form inputs are sanitized to prevent injection attacks. Server access is restricted to SSH key-based authentication with firewall protection. Payment data is processed exclusively by PCI DSS-certified providers (Stripe, PayPal) and is never stored on our servers.
11. Data Retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected, or as required by law:
- Server log files: 14 days (automatically deleted)
- Contact form inquiries: Until inquiry is resolved, then deleted unless a business relationship is established
- Payment transaction data: 10 years (German tax law, §147 AO)
- Invoice data: 10 years (German tax law, §147 AO) / 6 years (German commercial law, §257 HGB)
- Contractual data: 6 years (German commercial law, §257 HGB) / 10 years (German tax law, §147 AO)
- Cookie consent preference: Until manually cleared by the user
12. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) — obtain information about your stored data
- Right to rectification (Art. 16 GDPR) — correct inaccurate data
- Right to erasure (Art. 17 GDPR) — request deletion of your data
- Right to restriction (Art. 18 GDPR) — restrict processing of your data
- Right to data portability (Art. 20 GDPR) — receive your data in a structured format
- Right to object (Art. 21 GDPR) — object to data processing based on legitimate interest
- Right to withdraw consent (Art. 7(3) GDPR) — withdraw any consent previously given
To exercise any of these rights, please contact us at [email protected]. We will respond within one month of receiving your request.
13. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. The competent supervisory authority is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22
20459 Hamburg, Germany
datenschutz-hamburg.de
14. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The date at the top of this page indicates when this policy was last revised.