Privacy Policy
Last updated: April 6, 2026
This Privacy Policy explains how Velox Link Ltd ("VeloxLink", "we", "us", or "our") collects, uses, stores, and protects your data when you use any of our products: VeloxLink WMS, VeloxLink Packaging Compliance, VeloxLink Textile Compliance, and VeloxLink Battery Compliance (collectively, "the Services").
Velox Link Ltd is a company registered in England and Wales. Our registered address is 10 Victoria Road South, Southsea, PO5 2DA, United Kingdom.
1. Data We Collect
The data we collect depends on which product you use. We collect the minimum data necessary to provide each Service.
1.1 All Products
- Account information — email address, name, and organisation name used for authentication and account management.
- Usage data — pages visited within the application, features used, and error logs. We do not use third-party analytics trackers.
- Billing data — subscription plan, billing cycle, and payment status. Payment processing is handled by Shopify Billing (for Shopify apps) or Stripe, Inc. (for VeloxLink WMS). We store your Stripe Customer ID and Subscription ID to manage your subscription. We do not store your full credit card number, CVV, expiry date, or bank account details — all payment information is held and processed by Stripe in accordance with PCI DSS Level 1 compliance. Your payment data is governed by Stripe's Privacy Policy.
1.2 VeloxLink WMS
- Product data — SKUs, product names, categories, prices, cost prices, stock levels, reorder points, barcodes, and supplier information.
- Order data — order IDs, dates, SKUs, quantities, and channel source. Synced from connected integrations (Amazon, Shopify, eBay, Etsy, Walmart, ShipStation, ShipBob, Shippo, Royal Mail).
- Warehouse data — warehouse names, locations, and per-warehouse stock quantities.
- Purchase order data — PO numbers, line items, supplier details, delivery dates, and receive history.
- Integration credentials — API keys, access tokens, and refresh tokens for connected platforms. These are encrypted at rest and never exposed in the UI after initial entry.
1.3 VeloxLink Packaging Compliance (Shopify App)
- Store information — your Shopify shop domain.
- Order data — order IDs, dates, SKUs, quantities, and destination country/region. We do not store customer names, emails, addresses, or payment information.
- Product data — product and variant IDs and titles, used for mapping products to packaging specifications.
- Packaging specifications — spec names, material types, weights, recycled content percentages, Canada resin codes, LUCID categories, CITEO recyclability classes, and EU PPWR compliance fields.
- Configuration data — compliance registration numbers (HMRC PPT, LUCID, ADEME, CalRecycle, etc.), dual system operator selections, and shipping uplift settings.
1.4 VeloxLink Textile Compliance (Shopify App)
- Store information — your Shopify shop domain.
- Order data — order IDs, dates, SKUs, quantities, and destination country/region. We do not store customer names, emails, addresses, or payment information.
- Product data — product and variant IDs, titles, and descriptions (descriptions are scanned by the Green Claims Scanner).
- Textile specifications — fiber compositions, per-unit weights, product categories, target demographics, country of manufacture, care instructions, Refashion category codes, and eco-modulation data.
- Certification records — certificate types (GOTS, OEKO-TEX, Bluesign, etc.), certificate numbers, expiry dates, and evidence document URLs.
- REACH/SVHC declarations — substance names, CAS numbers, and concentrations for products containing Substances of Very High Concern.
- Configuration data — Refashion ID, SYDEREP number, UPV registration number, and other EPR registration IDs.
1.5 VeloxLink Battery Compliance (Shopify App)
- Store information — your Shopify shop domain.
- Product data — product IDs, titles, battery specifications (chemistry type, capacity, weight, cell count), and AI-assisted battery detection results.
- Jurisdiction registrations — EPR registration IDs and compliance obligation statuses across EU member states, US states, Canadian provinces, UK, and other markets.
- Filing and export data — compliance reports, volume declarations, obligation tracking, and evidence pack exports.
- Audit trail — immutable records of all compliance-related actions for regulatory accountability.
2. How We Use Your Data
We use your data exclusively to provide the Services:
- Calculate compliance totals (packaging weights, textile fees, battery volumes) per jurisdiction.
- Generate regulatory export files (CSV, XML, JSON, ZIP) in the format each authority requires.
- Sync inventory, orders, and stock levels across connected sales channels (WMS).
- Calculate reorder suggestions, velocity metrics, and purchase order quantities (WMS).
- Display dashboards, compliance reports, and readiness scores within each application.
- Track order volumes for billing purposes.
- Send transactional notifications (deadline reminders, webhook health alerts, certification expiry warnings).
We do not sell, rent, or share your data with third parties. We do not use your data for advertising, profiling, behavioural targeting, or any purpose unrelated to providing the Services.
3. Legal Basis for Processing (GDPR)
We process your data under the following legal bases:
| Purpose | Legal basis |
| --- | --- |
| Providing the Services | Performance of contract (Art. 6(1)(b) GDPR) |
| Billing and subscription management | Performance of contract (Art. 6(1)(b) GDPR) |
| Service improvement and error monitoring | Legitimate interests (Art. 6(1)(f) GDPR) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
4. Data Storage and Security
- All data is stored in secured PostgreSQL databases hosted on cloud infrastructure with encryption at rest (AES-256).
- All communication between your browser, Shopify/third-party platforms, and our servers is encrypted via TLS 1.2+ (HTTPS).
- Webhook payloads from Shopify are verified using HMAC-SHA256 signatures before processing.
- Integration credentials (API keys, tokens) are encrypted at rest using application-level encryption.
- All database queries are scoped to your account (shop domain or organisation ID) — no user can access another user's data.
- Access to production systems is restricted to authorised personnel with multi-factor authentication.
5. Data Retention
| Event | Retention period |
| --- | --- |
| Active subscription | Data retained for the duration of your subscription |
| App uninstalled (Shopify apps) | 30 days, then permanently deleted |
| Account closed (WMS) | 30 days, then permanently deleted |
| Deletion request received | Deleted within 30 days of request |
| Billing records | Retained for 7 years as required by UK tax law |
You can request immediate deletion at any time by emailing privacy@veloxlink.com.
6. Your Rights (GDPR / UK GDPR)
Under the General Data Protection Regulation (EU and UK), you have the following rights:
- Right of access (Art. 15) — request a copy of all data we hold about your account.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
- Right to restrict processing (Art. 18) — request that we limit how we use your data.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (CSV/JSON).
- Right to object (Art. 21) — object to processing based on legitimate interests.
To exercise any of these rights, email privacy@veloxlink.com. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or with your local EU data protection authority.
7. Shopify GDPR Webhooks
Our Shopify applications respond to all mandatory Shopify GDPR webhooks:
- customers/data_request — we return the data we hold related to the specified customer (limited to order IDs, dates, SKUs, quantities, and country codes).
- customers/redact — we delete any data associated with the specified customer.
- shop/redact — we delete all data associated with the uninstalled shop (after the 30-day retention period).
8. Cookies and Tracking
Our Shopify applications (Packaging Compliance, Textile Compliance, Battery Compliance) do not use cookies, analytics trackers, or third-party scripts. They run within the Shopify admin iframe and rely on Shopify's session authentication.
The VeloxLink website (veloxlink.com) uses a single functional cookie to record your cookie consent preference. We do not use analytics or advertising cookies.
VeloxLink WMS (app.veloxlink.com) uses essential authentication cookies managed by Clerk (our authentication provider) and does not use third-party analytics or advertising cookies.
9. Third-Party Services
We use the following third-party services to operate the Services:
| Service | Purpose | Data shared |
| --- | --- | --- |
| Shopify | Authentication, billing, order/product data (compliance apps) | Shop domain, app charges |
| Clerk | Authentication (WMS) | Email, name |
| Stripe, Inc. | Payment processing, subscription management, invoicing (WMS) | Stripe Customer ID, Subscription ID, plan tier, payment method token, invoice data. Full card details are held by Stripe — never by us. See Stripe's Privacy Policy. |
| Railway / Cloud hosting | Application and database hosting | All application data (encrypted) |
| Amazon, eBay, Etsy, Walmart, etc. | Order sync and stock push (WMS, when connected by you) | Product IDs, stock quantities, order data |
We do not integrate with advertising networks, data brokers, or behavioural analytics platforms.
10. International Data Transfers
Velox Link Ltd is incorporated in England and Wales. Your data may be stored and processed on cloud infrastructure located outside the European Economic Area (EEA), including in the United States.
Where data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where available.
- Encryption of data in transit and at rest.
11. Children's Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@veloxlink.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the relevant application or by email. The "Last updated" date at the top of this page will be revised. Continued use of the Services after changes constitutes acceptance of the updated policy.
13. Contact
For privacy-related inquiries, data access requests, or concerns:
Data Controller: Velox Link Ltd
Email: privacy@veloxlink.com
Address: 10 Victoria Road South, Southsea, PO5 2DA, United Kingdom
Company number: Registered in England and Wales