Privacy Policy

Last updated: May 22, 2026

This Privacy Policy describes how HJB CodeForge (the “Company”) collects, uses, and shares personal information when you use Vrellix (the “Service”). The Company is based in Ottawa, Ontario, Canada.

1. What we collect

Account data. Name, email address, profile image (if you sign in via Google OAuth), and password (hashed by our auth provider, Clerk — we never see your password in plaintext).

Workspace data. Information you create inside the Service: contacts, companies, deals, tickets, emails, custom fields, files, automations, etc. You own this data.

Billing data. Payment processing is handled by Stripe. We see your billing email, country, last four digits of card, and invoice history. We do not see full card numbers, CVCs, or bank-account numbers.

Usage data. Standard server logs (IP address, user agent, timestamps, request paths) used for debugging, security, and aggregate analytics.

2. How we use it

• To operate the Service, including authentication, processing your workspace data, sending transactional email, and providing customer support.
• To process payments and manage subscriptions.
• To detect and prevent fraud, abuse, and security threats.
• To improve the Service through aggregated, de-identified analytics.
• To communicate with you about service updates, security notices, and (with your consent) marketing.

3. Third-party processors

We use the following sub-processors to operate the Service. Each is contractually bound to handle data only as needed to provide their service to us:

• Clerk — authentication, user identity
• Supabase — primary database (Postgres), encrypted at rest
• Upstash Redis — background job queue + cache
• Fly.io — API hosting
• Vercel — web app + marketing site hosting
• Resend — transactional email + outbound campaign delivery
• Stripe — payment processing, subscription management
• OpenRouter + DeepSeek — AI features (drafts, summaries, classifications). AI prompts include only the content you explicitly invoke AI on.
• Twilio — SMS sending (Scale plan)
• Google — Calendar OAuth + Gmail OAuth integrations (if you enable them)
• Microsoft — Outlook OAuth (if you enable it)

4. AI processing

When you use AI features (reply intent classification, draft generation, segment builder, recaps, etc.), the relevant text content is sent to OpenRouter, which routes it to a model (typically DeepSeek). We do not train models on your data. AI providers may temporarily retain prompts for abuse-prevention purposes per their own policies.

5. Cookies and tracking

Vrellix uses essential cookies for authentication and session management only. We do not use third-party advertising or behavioral tracking cookies in the app. The marketing site at vrellix.com does not require cookies for browsing.

6. Your rights

Depending on where you live, you may have the following rights under GDPR, CCPA/CPRA, PIPEDA, or other privacy laws:

• Access — view a copy of your personal data.
• Correction — request that we correct inaccurate data.
• Deletion — request deletion of your account and associated data.
• Portability — export your data (CSV on every plan, full bundle on Scale).
• Object — opt out of marketing email (a link is in every marketing message).

To exercise these rights, email privacy@vrellix.com. We respond within 30 days.

7. Data retention

We retain workspace data for as long as your account is active. After cancellation, we delete workspace data 30 days from the cancellation effective date (you may export beforehand). Server logs are retained for 90 days. Billing records are retained for 7 years for tax-compliance reasons.

8. Data security

All data is transmitted over TLS 1.2 or higher. Database storage is encrypted at rest. Workspace data is isolated by row-level security so customers cannot read each other's data even if they share infrastructure. We follow standard security practices including code review, dependency scanning, secret management, and audit logging.

No system is 100% secure. If we ever become aware of a breach involving your personal data, we will notify you without undue delay and in accordance with applicable law.

9. Data location

Primary data storage is in Supabase's North Virginia (US-East) region. Backups are stored in the same region. AI processing may transit through US-based vendors. By using the Service from outside the US, you consent to your data being processed in the US under the safeguards described in this policy.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has signed up, email us and we will delete the account.

11. Changes to this policy

Material changes will be announced at least 30 days in advance via email and in-app notice. We'll keep prior versions on file and link them here.

12. Contact

Privacy questions or requests: privacy@vrellix.com

Company: HJB CodeForge (Henning Botha, sole proprietor), Ottawa, Ontario, Canada.

If you're an EU resident, the data controller is HJB CodeForge. We have no EU representative; for GDPR-related requests please email privacy@vrellix.com.