Privacy Policy — Veltrace

Data controller

Who we are.

Veltrace is operated by BB/aH Labs Ltd, a company registered in England and Wales. When this policy says "Veltrace", "we", "us", or "our", it refers to BB/aH Labs Ltd.

We are the data controller for personal data collected through this website and the Veltrace platform. For any privacy-related questions, contact us at hello@veltrace.co.uk.

Data collection

What data we collect.

We collect the minimum data necessary to provide the service. This falls into two categories: data you give us directly, and data we collect automatically.

Data you provide

Account data: your email address and name when you create an account.
Payment data: billing details are handled directly by our payment processor (Stripe) and are never stored on Veltrace servers.
Communications: any messages you send us via email, including support requests.

Data we collect automatically

Usage data: pages visited, features used, and interactions within the dashboard — used to improve the product.
Session data: authentication tokens stored in your browser to keep you signed in.
Log data: standard server logs including IP address, browser type, and request timestamps. Retained for 30 days.

Creator data (not personal data)

Veltrace tracks publicly available metrics for content creators — subscriber counts, view counts, and post frequency — sourced from official platform APIs. This is not personal data about you as a user. See the section below on API usage for details.

Purpose & lawful basis

How we use your data.

We only use your data for the purposes listed below. For each purpose we identify the lawful basis under UK GDPR.

Providing the service — authenticating your account, loading your dashboard, and personalising your experience. Lawful basis: performance of a contract.
Billing and subscription management — processing payments and managing plan changes. Lawful basis: performance of a contract.
Product improvement — analysing aggregated usage patterns to improve features. Lawful basis: legitimate interests.
Service communications — sending transactional emails such as account confirmations, password resets, and data digests (paid plans). Lawful basis: performance of a contract.
Security and fraud prevention — detecting and preventing abuse or unauthorised access. Lawful basis: legitimate interests.

We do not sell your personal data. We do not use your data for advertising or share it with advertising networks.

Third-party APIs

YouTube and Twitch API usage.

Veltrace uses official APIs to retrieve publicly available creator metrics. No private or authenticated creator data is accessed. We do not collect data about Veltrace users' YouTube or Twitch accounts.

YouTube Data API v3

We use the YouTube Data API to retrieve public channel statistics (subscriber count, view count, video count) and recent upload metadata for tracked creators. All data retrieved is publicly visible on YouTube. Our use of YouTube API Services is subject to the YouTube Terms of Service. By using Veltrace you also acknowledge the Google Privacy Policy. You can manage your Google data at Google Security Settings.

Twitch Helix API

We use the Twitch API to retrieve public broadcaster data including follower counts and recent stream activity for tracked creators. All data retrieved is publicly visible on Twitch. Our use of the Twitch API is subject to the Twitch Terms of Service and Twitch Privacy Notice.

Data retrieved from both APIs is stored on our servers and retained for 30 days for the purpose of calculating score history. It is not shared with third parties and is not used for any purpose other than computing Veltrace Momentum Scores.

Cookies

How we use cookies.

We use only essential cookies necessary for the service to function. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

Cookie	Purpose	Duration
sb-auth-token	Stores your Supabase authentication session so you remain signed in between visits.	Until sign-out or 1 week
cookie_consent	Records that you have acknowledged our cookie notice, so we don't show it on every visit.	1 year

Because we only use strictly necessary cookies, we do not require your consent to set them under PECR (Privacy and Electronic Communications Regulations). You may disable cookies in your browser settings, but doing so will prevent you from staying signed in to Veltrace.

Third parties

Who we share data with.

We use a small number of trusted sub-processors to operate the service. Each is bound by data processing agreements and GDPR-compliant terms.

Supabase — database, authentication, and storage. Data is hosted in the EU (AWS eu-west-2). Supabase Privacy Policy.
Stripe — payment processing. Card data is processed and stored by Stripe; Veltrace never sees full card numbers. Stripe Privacy Policy.
Netlify — website hosting and CDN. Standard web server logs are processed. Netlify Privacy Policy.

We do not sell, rent, or share your personal data with any other third parties. We will not disclose your data to law enforcement unless legally compelled to do so, in which case we will notify you where permitted.

Retention

How long we keep your data.

Account data (email, name): retained for the lifetime of your account, plus 30 days after deletion to allow for recovery if requested.
Score history and creator data: retained for 30 days on a rolling basis.
Server logs: retained for 30 days then automatically deleted.
Billing records: retained for 7 years as required by UK tax law.

When you delete your account, all personal data is permanently removed within 30 days, except where retention is required by law.

Your rights

Your rights under UK GDPR.

The UK General Data Protection Regulation gives you the following rights in relation to your personal data. You can exercise any of these by emailing hello@veltrace.co.uk. We will respond within 30 days.

Right of access

Request a copy of the personal data we hold about you (a Subject Access Request).

Right to rectification

Request correction of inaccurate or incomplete personal data.

Right to erasure

Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.

Right to restrict processing

Ask us to pause processing of your data in certain circumstances, for example while a complaint is investigated.

Right to data portability

Receive your personal data in a structured, machine-readable format so you can transfer it to another provider.

Right to object

Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds that override your rights.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's supervisory authority for data protection. You can do this at ico.org.uk/make-a-complaint or by calling 0303 123 1113.

Policy changes

Changes to this policy.

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continued use of Veltrace after changes take effect constitutes acceptance of the updated policy.

Contact

Get in touch.

For any privacy questions, data requests, or concerns, contact us at:

Data Controller

BB/aH Labs Ltd
For data-related enquiries: hello@veltrace.co.uk
We aim to respond to all requests within 30 days as required by UK GDPR.

Email us