Plain English summary: Vella is an AI email management service. We access your email to do the job you've hired us for — nothing else. We do not sell your data. We do not use your emails for advertising. You can delete your account and all associated data at any time.
1. Who we are
Vella ("we", "us", "our") is an AI email intelligence service operated by Vella Ltd, a company registered in England and Wales. Our registered address is London, United Kingdom.
We are the data controller for the personal data we hold about you. If you have questions about this policy, please contact us at privacy@usevella.com.
2. What information we collect
We collect and process the following categories of information:
- Account information: Your name, email address, phone number, and billing information when you sign up.
- Email content: The content of emails in your connected inbox, as required to provide the service (reading, summarising, drafting replies).
- Communication preferences: Information you provide during onboarding about your communication style, VIP contacts, working hours, and preferences.
- Usage data: How you interact with our service, including which features you use and when.
- Payment data: Billing and payment information, processed by Stripe on our behalf. We do not store your full card details.
- Communications with us: Any correspondence you send us, including support requests and feedback.
3. How we use your information
| Purpose | Information used |
|---|
| Providing the email management service | Email content, preferences, account info |
| Processing payments and managing subscriptions | Billing info, account info |
| Sending your daily email digest | Email content, account info |
| Sending WhatsApp urgent alerts | Phone number, email content |
| Customer support and onboarding | Account info, communications |
| Improving our service | Usage data (aggregated and anonymised) |
| Complying with legal obligations | Any data required by law |
We will never use your email content to train AI models that serve other customers, and we will never use it for advertising or marketing purposes unrelated to your Vella subscription.
4. Legal basis for processing
Under UK GDPR and EU GDPR, we rely on the following legal bases:
- Contract performance: Processing necessary to deliver the service you've subscribed to.
- Legitimate interests: Security monitoring, service improvement (using anonymised data), and fraud prevention — where these don't override your rights.
- Legal obligation: Where we are required to process data by applicable law.
- Consent: Where we ask for your specific agreement, such as for optional communications.
5. Who we share data with
We share data only with service providers essential to operating Vella:
- Google: Your inbox is accessed via Google's official APIs. Your email data remains within Google's infrastructure and is subject to Google's own security standards.
- Stripe: Payment processing. Stripe is PCI-DSS compliant and handles all card data.
- Anthropic / AI providers: Email content is sent to large language model APIs solely to generate summaries and draft replies on your behalf. These providers are contractually prohibited from using your data for their own model training.
- Twilio / WhatsApp: Used to deliver urgent alerts to your phone number if you have enabled this feature.
- Netlify: Our hosting provider. Form submissions and website data may be processed by Netlify.
We do not sell your personal data to any third party, ever.
We may disclose data if required to do so by law or in response to a valid legal request from authorities, but we will inform you where legally permitted to do so.
6. Your email data
Because email access is central to what Vella does, we want to be especially clear about how it is handled:
- We access your inbox only via official OAuth-authenticated APIs (Google Gmail API). We never ask for or store your email password.
- Email content is processed in memory to generate summaries and drafts. We do not build a permanent, searchable database of your email history.
- Drafted replies are stored temporarily so you can review and send them. They are deleted within 30 days if not sent.
- You can revoke our access to your inbox at any time via your Google account settings, or by cancelling your Vella subscription.
- We apply the principle of minimum access: we request only the Gmail scopes necessary to provide the service.
Vella's use of Google user data is limited to providing the email management service described in this policy and our Terms of Service. We do not transfer Google user data to third parties except as described above, and strictly in support of providing the service.
7. How long we keep your data
- Account data: Retained for the duration of your subscription, plus up to 90 days after cancellation to allow for reactivation or dispute resolution.
- Email-derived data (summaries, drafts): Deleted within 30 days of creation, or immediately upon account deletion.
- Communication preferences / onboarding profile: Retained while your account is active and deleted upon request or cancellation.
- Billing records: Retained for 7 years as required by UK tax law.
- Support communications: Retained for 2 years.
You can request immediate deletion of all your data at any time by emailing privacy@usevella.com. We will action deletion requests within 30 days.
8. Your rights
Under UK and EU data protection law, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure: Ask us to delete your personal data ("right to be forgotten").
- Right to restrict processing: Ask us to pause processing in certain circumstances.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Rights related to automated decision-making: We do not make solely automated decisions with significant legal effects on you.
To exercise any of these rights, email privacy@usevella.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies
Our website uses a minimal set of cookies:
- Essential cookies: Required for the website to function (e.g., session management during checkout). These cannot be disabled.
- Stripe cookies: Set by Stripe's payment scripts to prevent fraud and process payments securely.
We do not use advertising, tracking, or analytics cookies. We do not use Google Analytics or similar third-party tracking tools.
10. International transfers
Some of our service providers (including AI API providers) operate in the United States. When we transfer your data outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the relevant authorities, or we rely on providers certified under equivalent data protection frameworks.
11. Security
We take the security of your data seriously. Measures we apply include:
- All data transmitted between your browser and our service is encrypted using TLS.
- OAuth 2.0 authentication for inbox access — we never store your email password.
- Access to production systems is restricted to authorised personnel only.
- We regularly review and update our security practices.
In the event of a data breach that poses a risk to your rights, we will notify the ICO within 72 hours and inform affected users as required by law.