This policy explains what personal data Velune collects, why we collect it, how we use it, and the rights you have over your information under the Nigeria Data Protection Regulation (NDPR).
This Privacy Policy describes how Velune ("we", "us", "our") collects, uses, stores, and protects your personal data when you access or use the Velune digital library platform — including our website, mobile web application, and Progressive Web App (PWA).
This policy is written in compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and its implementing guidelines. By creating an account or using the Platform, you acknowledge that you have read and understood this policy.
Where this policy applies to children under 13, please refer specifically to Section 13 — Children's Privacy.
Velune is a digital library platform designed primarily for readers in Nigeria. For the purposes of data protection law, Velune is the Data Controller responsible for your personal data.
If you have any questions about how we handle your data, or wish to exercise any of your rights described in this policy, you can contact our Data Protection Officer at:
We collect personal data in the following categories, depending on how you interact with the Platform:
A. Account & Identity Data
B. Reading & Usage Data
C. Subscription & Payment Data
We do not store your full card number, CVV, bank account number, or any raw payment credentials. All payment details are processed and stored by Paystack or Stripe under their PCI-DSS compliant infrastructure.
D. Technical & Device Data
This technical data is collected automatically via Google Analytics (see Section 8 — Cookies & Storage).
E. Account Preferences
We use the data we collect for the following purposes:
| Purpose | Data Used |
|---|---|
| Creating and managing your account | Name, email, password hash, avatar URL, role |
| Authenticating you when you sign in (including via Google) | Email, encrypted credentials, OAuth tokens |
| Syncing reading progress, bookmarks, highlights, and favourites across sessions and devices | Book IDs, progress data, bookmark/highlight records |
| Processing and managing your Premium subscription | Subscription status, plan type, payment references |
| Enforcing content access rules (Free vs Premium, parental controls, adult content filtering) | Subscription status, parental control settings |
| Generating AI-powered book recommendations (Premium only) | Reading history, favourites, browse behaviour |
| Providing and improving platform search results | Search queries (anonymised after 90 days) |
| Monitoring platform performance and diagnosing technical issues | Technical & device data, error logs |
| Analysing aggregate usage trends to improve the Platform | Anonymised analytics data via Google Analytics |
| Sending transactional emails (account confirmation, password reset, subscription receipts, renewal reminders) | Email address, subscription data |
| Responding to your support enquiries | Email address, account data, query content |
| Complying with legal obligations and enforcing our Terms of Service | Any data reasonably necessary |
We do not use your personal data for targeted advertising, and we do not share your data with advertising networks.
Under the Nigeria Data Protection Regulation (NDPR) 2019, we must have a lawful basis for each type of processing we carry out. Our legal bases are:
You may choose to create a Velune account or sign in using your existing Google account via Google OAuth 2.0. If you choose to do so, please note the following:
full_name), email address, and profile photo URL (avatar_url). We do not receive your Google password or any Google payment information.Velune relies on a small number of carefully selected third-party services to operate. Each is a data processor acting under our instructions and under their own data protection commitments:
| Service | Role | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database, authentication, and file storage infrastructure | All account data, reading data, and stored content (books metadata, user records). Data is stored on Supabase's servers (AWS infrastructure). | supabase.com/privacy |
| Google (OAuth) | Third-party authentication (optional) | Name, email, avatar URL — only when you choose to sign in with Google | policies.google.com/privacy |
| Google Analytics | Aggregated usage analytics | IP address (anonymised), device/browser type, pages visited, session duration. Data is pseudonymised by Google before we receive reports. | policies.google.com/privacy |
| Paystack | Nigerian Naira payment processing | Email address, subscription amount, and payment reference. Paystack independently collects card details — we never receive them. | paystack.com/privacy |
| Stripe | International card payment processing | Email address, subscription amount, and payment reference. Stripe independently collects card details — we never receive them. | stripe.com/privacy |
We do not use any other advertising networks, data brokers, or analytics providers beyond those listed above.
Velune uses cookies and browser local storage to operate the Platform and improve your experience. Here is a breakdown of what we use and why:
| Type | Technology | Purpose | Duration |
|---|---|---|---|
| Session & Auth | Supabase auth cookies / localStorage | Keeps you signed in between page loads and browser sessions. Stores your encrypted session token so you do not need to log in on every visit. | Until sign-out or token expiry (~1 hour, auto-refreshed) |
| Preferences | Browser localStorage (velune_* keys) |
Stores UI preferences such as reader settings, theme choice, and other local options. No personal data is included — these are convenience keys only. | Until you clear browser data or uninstall PWA |
| Analytics | Google Analytics (_ga, _gid cookies) |
Collects anonymised data about how users navigate the Platform to help us understand usage patterns and improve the service. IP addresses are anonymised. | Up to 2 years (_ga); 24 hours (_gid) |
| PWA Cache | Service Worker / Cache API | Caches Platform assets and — for Premium subscribers — selected book content for offline reading. Stored locally on your device. | Until you clear browser data, uninstall PWA, or subscription ends |
You can control cookie behaviour through your browser settings. Disabling cookies may prevent some features — such as staying signed in — from working correctly. Clearing local storage will remove your saved preferences.
Analytics opt-out: You can opt out of Google Analytics tracking across all websites by installing the Google Analytics Opt-out Browser Add-on.
We share your data only in the following limited circumstances:
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or disclosure. These measures include:
While we employ robust security measures, no internet-based service can guarantee absolute security. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant Nigerian authority within 72 hours of becoming aware, as required by the NDPR.
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law. The following retention periods apply:
| Data Category | Retention Period |
|---|---|
| Account & profile data | For the life of your account, then deleted within 30 days of account closure |
| Reading progress, bookmarks, highlights, favourites | For the life of your account, then deleted within 30 days of account closure |
| Payment references & subscription records | 7 years after the relevant transaction date (Nigerian tax and financial record-keeping requirements) |
| Search queries | Anonymised after 90 days; raw query logs deleted at 90 days |
| Technical & device data (server logs) | 90 days, then deleted |
| Google Analytics data | 26 months (Google Analytics default retention setting) |
| Support correspondence | 3 years from the date of the last interaction |
| Data required for legal proceedings or regulatory compliance | Until the proceedings or obligation are fully resolved |
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymised.
Under the Nigeria Data Protection Regulation (NDPR) 2019, you have the following rights regarding your personal data. You may exercise any of these rights by contacting us at privacy@velune.com:
We will respond to all valid requests within 30 days. In complex cases we may extend this by a further 60 days, with notice given within the initial 30-day period. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case a reasonable administrative fee may apply.
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
We do not knowingly collect personal data from children under 13 years of age. If you are under 13, you may not create a Velune account. If you are between 13 and 17, you may only use Velune with the knowledge and consent of a parent or legal guardian, who agrees to these terms on your behalf.
For users aged 13–17 on shared accounts, we strongly recommend that the account holder (parent or guardian) enable the parental controls available to Premium subscribers. These controls can restrict adult content and set daily reading time limits.
If we discover that we have inadvertently collected data from a child under 13, we will delete that data promptly. Parents or guardians who believe their child has registered a Velune account without consent should contact us at privacy@velune.com and we will take appropriate action within 48 hours.
Velune is designed primarily for use in Nigeria, but our infrastructure means that some of your data may be stored or processed outside Nigeria:
Where data is transferred outside Nigeria, we take steps to ensure that adequate protections apply, including contractual arrangements with our service providers that require them to protect your data to standards consistent with the NDPR.
By using Velune, you acknowledge and consent to these international transfers, where they are necessary to deliver the service.
We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we use, or applicable law. When we make material changes, we will:
Your continued use of the Platform after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree, you should close your account before the changes take effect.
Minor changes — such as corrections of typos or clarifications that do not materially affect how your data is processed — may be made without advance notice.
We encourage you to review this policy periodically to stay informed about how we protect your data.
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we have handled your personal data, please contact us:
If you are not satisfied with our response, you may escalate your complaint to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
Our team is here to help with any privacy questions or data requests. Reach out and we'll get back to you promptly.
adminveluneapp@gmailcom