Velauth Privacy Policy
Last updated: June 2026
1. Overview
Velauth Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your data when you use Velauth (the "Software").
2. Data We Collect
2.1 Identity and Account Data
When you create a Velauth account, we collect:
- Email address
- Organization name (if applicable)
- Role and permission level
- Account creation and last login timestamps
- IP address at login time
Storage: Identity data is stored in our Cloud Service (Appwrite, hosted on our VPS).
2.2 Active Directory Credentials
We never store Active Directory credentials.
When you connect the Software to Active Directory:
- Credentials are used only for the current operation (e.g., to reset a password or query user attributes)
- Credentials are not persisted to disk after the operation completes
- The Software does not transmit credentials to the Cloud Service
- Credentials are held in memory only for the duration of the operation and then cleared
2.3 Enrollment Tokens
Agent enrollment tokens are:
- Generated once per agent in the Cloud Service as a random 32-byte value
- Transmitted plaintext only once to the administrator (displayed in the UI)
- Sealed on the Domain Controller using DPAPI (Windows Data Protection API) with LocalMachine scope
- Never stored in plaintext on the agent machine
- Never transmitted to the Cloud Service in any form (not plaintext, not hashed)
The Cloud Service stores only a SHA-256 hash of the token to verify agent identity. A stolen token can be used only from the same Domain Controller (machine-pinned via DPAPI).
2.4 Telemetry Data
Telemetry is off by default — the Software collects nothing until you opt in via Settings → Privacy. If you enable it, the anonymous telemetry collected includes:
- Installation ID: SHA-256(random-UUID + Windows-MachineGuid) — unique per machine but not linked to your email
- Usage events: Actions taken in the Software (e.g., "user modified group", "password reset initiated") without user/group names
- Software version and deployment region
- Error events: Stack traces and error messages (without personal data)
- Performance metrics: Operation durations and success/failure counts
Collection: Telemetry is sent to PostHog, a third-party analytics service.
Opt-in: Telemetry is disabled by default. You can enable or disable it at any time in Software Settings → Privacy.
2.5 Crash Reports
When the Software crashes, it automatically sends a crash report to Sentry, including:
- Stack trace
- Software version and system information
- Last few log entries (without personal data)
Crash reports are used only to diagnose and fix bugs.
3. Data We Do NOT Collect
We do not collect or store:
- Active Directory user passwords or credentials
- Active Directory objects (users, groups, computers, OUs) — only operation audit logs
- Network traffic or DNS queries from your environment
- Files or documents from your systems
- Employee names, email addresses, or phone numbers (except your own account email)
4. How We Use Your Data
We use collected data to:
- Provide and maintain the Software and Cloud Service
- Identify and fix bugs and security vulnerabilities
- Improve Software performance and features
- Authenticate you and authorize operations
- Send service notifications (e.g., security alerts, account changes)
- Comply with legal obligations
We do not:
- Sell your data to third parties
- Use your data for marketing or advertising targeting
- Combine your data with third-party datasets
- Share your data with government agencies except as required by law
5. Third-Party Services
The Software uses the following third-party services:
PostHog (Telemetry)
- Receives anonymous telemetry data
- Privacy Policy: https://posthog.com/privacy
- Data storage: EU region (GDPR-compliant)
Sentry (Crash Reporting)
- Receives crash reports and error logs
- Privacy Policy: https://sentry.io/privacy/
- Data storage: EU region (GDPR-compliant)
Appwrite (Cloud Service Backend)
- Stores identity data, enrollment tokens (hashed), and audit logs
- Privacy Policy: https://appwrite.io/privacy
- Data storage: VPS in EU region
6. Data Retention
- Identity data: Retained for the duration of your account; deleted 30 days after account deletion
- Audit logs: Retained for 90 days (configurable); deleted automatically after retention period
- Telemetry data: Aggregated and anonymized; raw data deleted after 30 days
- Crash reports: Deleted after 90 days or when the bug is fixed, whichever is sooner
- Local DPAPI token: Deleted when you uninstall the Software or manually remove the agent
7. Data Security
We implement industry-standard security measures:
- HTTPS/TLS for all data in transit
- AES-256 encryption for data at rest in the Cloud Service
- DPAPI encryption for credentials and tokens on Windows systems
- Regular security audits and penetration testing
- Multi-factor authentication support for accounts
- Least-privilege access controls for staff
However, no security measure is 100% secure. We cannot guarantee absolute protection against all threats.
8. Your Rights (GDPR)
If you are located in the EU or UK, you have the following rights under GDPR:
- Right to access: You can request a copy of your data
- Right to rectification: You can correct inaccurate data
- Right to erasure: You can request deletion of your account and associated data
- Right to restrict processing: You can limit how we use your data
- Right to data portability: You can request your data in a machine-readable format
- Right to object: You can object to certain processing activities
- Right to lodge a complaint: You can file a complaint with your local data protection authority
To exercise these rights, contact [email protected].
9. Children
The Software is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.
10. Updates to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or by posting the updated policy on our website.
Your continued use of the Software after changes constitutes acceptance of the updated Privacy Policy.
11. Contact
If you have questions about this Privacy Policy or our data practices, please contact:
- Email: [email protected]
- Address: Velauth Ltd, London, United Kingdom
- Website: https://velauth.com
Data Controller: Velauth Ltd, London, United Kingdom
Data Protection Officer: For inquiries, contact [email protected]
Last updated: June 2026