Legal

Privacy Policy

This policy explains what personal data Velune collects, why we collect it, how we use it, and the rights you have over your information under the Nigeria Data Protection Regulation (NDPR).

Effective: 6 May 2026
~12 min read
Compliant with: NDPR 2019
On this page
01 Introduction 02 Who We Are 03 Data We Collect 04 How We Use Your Data 05 Legal Basis (NDPR) 06 Google Sign-In 07 Third-Party Services 08 Cookies & Storage 09 Data Sharing 10 Data Security 11 Retention 12 Your Rights 13 Children's Privacy 14 International Transfers 15 Changes to Policy 16 Contact Us
Terms of Service
01 Introduction 02 Who We Are 03 Data We Collect 04 How We Use Your Data 05 Legal Basis (NDPR) 06 Google Sign-In 07 Third-Party Services 08 Cookies & Storage 09 Data Sharing 10 Data Security 11 Retention 12 Your Rights 13 Children's Privacy 14 International Transfers 15 Changes to Policy 16 Contact Us
01

Introduction

Your privacy matters to us. Velune collects only the data needed to deliver and improve the service. We do not sell your personal data, and we do not share it with advertisers.

This Privacy Policy describes how Velune ("we", "us", "our") collects, uses, stores, and protects your personal data when you access or use the Velune digital library platform — including our website, mobile web application, and Progressive Web App (PWA).

This policy is written in compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and its implementing guidelines. By creating an account or using the Platform, you acknowledge that you have read and understood this policy.

Where this policy applies to children under 13, please refer specifically to Section 13 — Children's Privacy.

02

Who We Are

Velune is a digital library platform designed primarily for readers in Nigeria. For the purposes of data protection law, Velune is the Data Controller responsible for your personal data.

If you have any questions about how we handle your data, or wish to exercise any of your rights described in this policy, you can contact our Data Protection Officer at:

  • Email: privacy@velune.com
  • General enquiries: adminveluneapp@gmailcom
03

Data We Collect

We collect personal data in the following categories, depending on how you interact with the Platform:

A. Account & Identity Data

  • Full name (provided during registration or pulled from your Google profile if you sign in with Google)
  • Email address
  • Encrypted password (email/password accounts only — we never see your plain-text password)
  • Profile avatar URL (from Google when signing in with Google; from your upload if manually set)
  • Account role (user or admin) and subscription status

B. Reading & Usage Data

  • Books you have opened, read, and completed — including your reading progress (current page/position per book)
  • Books you have added to Favourites
  • Bookmarks, highlights, and personal notes you create within books
  • Search queries entered in the Platform's search bar
  • Categories and genres you browse

C. Subscription & Payment Data

  • Your current subscription plan (Free, Premium Monthly, or Premium Annual)
  • Payment references and transaction identifiers returned by our payment processors (Paystack or Stripe)
  • Subscription start date, renewal date, and cancellation date

We do not store your full card number, CVV, bank account number, or any raw payment credentials. All payment details are processed and stored by Paystack or Stripe under their PCI-DSS compliant infrastructure.

D. Technical & Device Data

  • IP address and approximate geographic location (country/city level)
  • Browser type, version, and operating system
  • Device type (desktop, tablet, mobile)
  • Pages visited, time spent on each page, and navigation path through the Platform
  • Referral source (how you arrived at the Platform)

This technical data is collected automatically via Google Analytics (see Section 8 — Cookies & Storage).

E. Account Preferences

  • Parental control settings (Premium subscribers): whether adult content is blocked and any daily reading time limit set
  • UI preferences stored locally in your browser (e.g. theme, reader settings)
04

How We Use Your Data

We use the data we collect for the following purposes:

PurposeData Used
Creating and managing your account Name, email, password hash, avatar URL, role
Authenticating you when you sign in (including via Google) Email, encrypted credentials, OAuth tokens
Syncing reading progress, bookmarks, highlights, and favourites across sessions and devices Book IDs, progress data, bookmark/highlight records
Processing and managing your Premium subscription Subscription status, plan type, payment references
Enforcing content access rules (Free vs Premium, parental controls, adult content filtering) Subscription status, parental control settings
Generating AI-powered book recommendations (Premium only) Reading history, favourites, browse behaviour
Providing and improving platform search results Search queries (anonymised after 90 days)
Monitoring platform performance and diagnosing technical issues Technical & device data, error logs
Analysing aggregate usage trends to improve the Platform Anonymised analytics data via Google Analytics
Sending transactional emails (account confirmation, password reset, subscription receipts, renewal reminders) Email address, subscription data
Responding to your support enquiries Email address, account data, query content
Complying with legal obligations and enforcing our Terms of Service Any data reasonably necessary

We do not use your personal data for targeted advertising, and we do not share your data with advertising networks.

05

Legal Basis for Processing (NDPR)

Under the Nigeria Data Protection Regulation (NDPR) 2019, we must have a lawful basis for each type of processing we carry out. Our legal bases are:

  • Contract performance — processing necessary to deliver the service you have signed up for. This covers account creation, authentication, reading progress sync, subscription management, and content access control.
  • Legitimate interests — processing necessary for our legitimate business interests, where those interests are not overridden by your rights. This covers platform analytics (aggregated), search improvement, security monitoring, and AI recommendations.
  • Legal obligation — processing required to comply with Nigerian law, including tax and financial record-keeping obligations and responding to lawful requests from regulatory authorities.
  • Consent — where we rely on your consent (e.g. optional features or uses not covered above), we will ask for it explicitly and you may withdraw it at any time without affecting the lawfulness of prior processing.
You can opt out of AI recommendations — which rely on legitimate interests — at any time by emailing hello@velune.com. This will not affect your access to any other part of the Platform.
06

Google Sign-In

You may choose to create a Velune account or sign in using your existing Google account via Google OAuth 2.0. If you choose to do so, please note the following:

  • What Google shares with us: When you authorise the Google sign-in, Google provides us with your name (full_name), email address, and profile photo URL (avatar_url). We do not receive your Google password or any Google payment information.
  • How we store it: Your name and profile photo URL are stored in your Velune profile row in our database (hosted on Supabase). Your email is stored as part of your authentication record.
  • Google's own privacy practices: Your use of Google Sign-In is also governed by Google's Privacy Policy (policies.google.com/privacy). Velune is not responsible for Google's data practices.
  • Revoking access: You may revoke Velune's access to your Google account at any time via your Google Account settings at myaccount.google.com/permissions. Revoking access will prevent future sign-ins via Google but will not automatically delete your Velune account or your data.
If you sign in with Google, you will not have a Velune password. To delete your account or change your sign-in method, please contact us at hello@velune.com.
07

Third-Party Services

Velune relies on a small number of carefully selected third-party services to operate. Each is a data processor acting under our instructions and under their own data protection commitments:

ServiceRoleData SharedPrivacy Policy
Supabase Database, authentication, and file storage infrastructure All account data, reading data, and stored content (books metadata, user records). Data is stored on Supabase's servers (AWS infrastructure). supabase.com/privacy
Google (OAuth) Third-party authentication (optional) Name, email, avatar URL — only when you choose to sign in with Google policies.google.com/privacy
Google Analytics Aggregated usage analytics IP address (anonymised), device/browser type, pages visited, session duration. Data is pseudonymised by Google before we receive reports. policies.google.com/privacy
Paystack Nigerian Naira payment processing Email address, subscription amount, and payment reference. Paystack independently collects card details — we never receive them. paystack.com/privacy
Stripe International card payment processing Email address, subscription amount, and payment reference. Stripe independently collects card details — we never receive them. stripe.com/privacy

We do not use any other advertising networks, data brokers, or analytics providers beyond those listed above.

08

Cookies & Local Storage

Velune uses cookies and browser local storage to operate the Platform and improve your experience. Here is a breakdown of what we use and why:

TypeTechnologyPurposeDuration
Session & Auth Supabase auth cookies / localStorage Keeps you signed in between page loads and browser sessions. Stores your encrypted session token so you do not need to log in on every visit. Until sign-out or token expiry (~1 hour, auto-refreshed)
Preferences Browser localStorage (velune_* keys) Stores UI preferences such as reader settings, theme choice, and other local options. No personal data is included — these are convenience keys only. Until you clear browser data or uninstall PWA
Analytics Google Analytics (_ga, _gid cookies) Collects anonymised data about how users navigate the Platform to help us understand usage patterns and improve the service. IP addresses are anonymised. Up to 2 years (_ga); 24 hours (_gid)
PWA Cache Service Worker / Cache API Caches Platform assets and — for Premium subscribers — selected book content for offline reading. Stored locally on your device. Until you clear browser data, uninstall PWA, or subscription ends

You can control cookie behaviour through your browser settings. Disabling cookies may prevent some features — such as staying signed in — from working correctly. Clearing local storage will remove your saved preferences.

Analytics opt-out: You can opt out of Google Analytics tracking across all websites by installing the Google Analytics Opt-out Browser Add-on.

09

Data Sharing

We do not sell your personal data. We do not share your personal data with any third party for their own marketing, advertising, or commercial purposes.

We share your data only in the following limited circumstances:

  • With our service providers — as listed in Section 7, solely for the purpose of operating the Platform on our behalf. These providers are contractually bound to process your data only on our instructions.
  • Legal requirements — if we are required by Nigerian law, court order, or regulatory authority to disclose your data. Where permitted, we will notify you before any such disclosure.
  • Protection of rights — where necessary to enforce our Terms of Service, protect our legal rights, or prevent fraud, abuse, or harm to the Platform or its users.
  • Business transfers — in the event of a merger, acquisition, or sale of all or part of Velune's assets, your data may be transferred to the successor entity. We will notify you via email and in-app notice at least 30 days before any such transfer and give you the option to delete your account beforehand.
10

Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or disclosure. These measures include:

  • Encryption in transit: All data transmitted between your browser and the Platform is encrypted using TLS (HTTPS). This includes authentication requests, reading data, and API calls.
  • Encryption at rest: Your data is stored in Supabase, which encrypts data at rest using AES-256 on AWS infrastructure.
  • Password security: Passwords are hashed using industry-standard algorithms (bcrypt) by Supabase's authentication layer. We never store or transmit plain-text passwords.
  • Row Level Security (RLS): Our database enforces Supabase Row Level Security policies so that each user can only access their own data. No user can read another user's bookmarks, reading progress, or profile information.
  • OAuth token handling: Google OAuth tokens are handled entirely by Supabase's authentication layer and are never stored in our application code or logs.
  • Payment security: Card and payment data is handled exclusively by Paystack and Stripe under their PCI-DSS compliant systems. We hold only a payment reference identifier, not card details.
  • Access controls: Administrative access to user data is restricted to authorised Velune team members who require it to operate the Platform.

While we employ robust security measures, no internet-based service can guarantee absolute security. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant Nigerian authority within 72 hours of becoming aware, as required by the NDPR.

11

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law. The following retention periods apply:

Data CategoryRetention Period
Account & profile data For the life of your account, then deleted within 30 days of account closure
Reading progress, bookmarks, highlights, favourites For the life of your account, then deleted within 30 days of account closure
Payment references & subscription records 7 years after the relevant transaction date (Nigerian tax and financial record-keeping requirements)
Search queries Anonymised after 90 days; raw query logs deleted at 90 days
Technical & device data (server logs) 90 days, then deleted
Google Analytics data 26 months (Google Analytics default retention setting)
Support correspondence 3 years from the date of the last interaction
Data required for legal proceedings or regulatory compliance Until the proceedings or obligation are fully resolved

When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymised.

12

Your Rights

Under the Nigeria Data Protection Regulation (NDPR) 2019, you have the following rights regarding your personal data. You may exercise any of these rights by contacting us at privacy@velune.com:

Right of Access
Request a copy of all personal data we hold about you.
Right to Rectification
Ask us to correct inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data, subject to legal retention obligations.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests, including AI recommendations.
Right to Restrict
Ask us to suspend processing while a dispute about accuracy or lawfulness is resolved.

We will respond to all valid requests within 30 days. In complex cases we may extend this by a further 60 days, with notice given within the initial 30-day period. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case a reasonable administrative fee may apply.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

13

Children's Privacy

Velune is not directed at children under 13. If you are aware that a child under 13 has provided us with personal data without parental consent, please contact us immediately at privacy@velune.com.

We do not knowingly collect personal data from children under 13 years of age. If you are under 13, you may not create a Velune account. If you are between 13 and 17, you may only use Velune with the knowledge and consent of a parent or legal guardian, who agrees to these terms on your behalf.

For users aged 13–17 on shared accounts, we strongly recommend that the account holder (parent or guardian) enable the parental controls available to Premium subscribers. These controls can restrict adult content and set daily reading time limits.

If we discover that we have inadvertently collected data from a child under 13, we will delete that data promptly. Parents or guardians who believe their child has registered a Velune account without consent should contact us at privacy@velune.com and we will take appropriate action within 48 hours.

14

International Data Transfers

Velune is designed primarily for use in Nigeria, but our infrastructure means that some of your data may be stored or processed outside Nigeria:

  • Supabase hosts your account and reading data on AWS infrastructure, which may include servers in the United States or other regions depending on Supabase's server configuration. Supabase operates under standard contractual clauses and their own data protection commitments.
  • Google Analytics processes anonymised analytics data on Google's global infrastructure, which may include servers outside Nigeria.
  • Stripe processes international payment data on infrastructure located in the United States and Ireland.

Where data is transferred outside Nigeria, we take steps to ensure that adequate protections apply, including contractual arrangements with our service providers that require them to protect your data to standards consistent with the NDPR.

By using Velune, you acknowledge and consent to these international transfers, where they are necessary to deliver the service.

15

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we use, or applicable law. When we make material changes, we will:

  • Update the "Effective" date at the top of this page
  • Send you an email notification to the address registered to your account at least 14 days before the changes take effect
  • Display an in-app notice when you next sign in to the Platform

Your continued use of the Platform after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree, you should close your account before the changes take effect.

Minor changes — such as corrections of typos or clarifications that do not materially affect how your data is processed — may be made without advance notice.

We encourage you to review this policy periodically to stay informed about how we protect your data.

16

Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we have handled your personal data, please contact us:

  • Data Protection enquiries: adminveluneapp@gmailcom
  • General support: adminveluneapp@gmailcom
  • Response time: We aim to acknowledge all privacy requests within 5 business days and resolve them within 30 days

If you are not satisfied with our response, you may escalate your complaint to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

Questions about your data?

Our team is here to help with any privacy questions or data requests. Reach out and we'll get back to you promptly.

adminveluneapp@gmailcom
Terms of Service · Pricing · Back to Home
Velune

A premium digital library for curious minds. Read, learn, and grow — without limits.

@_Velune
Product
Browse Books Pricing Tutorials
Company
About Contact Blog
Legal
Privacy Terms
© Velune. All rights reserved. Built for readers everywhere