Privacy Policy

V31L LTD | Company Number: 16890413 | Registered in England and Wales

Last Updated: December 2025

1. Introduction

This Privacy Policy explains how V31L LTD ("We," "Us," "Our"), a company registered in England and Wales (Company Number 16890413), collects, uses, and protects your information when you use Veil ("the Platform").

We are committed to protecting your privacy. Veil is built on the principle that private communication should remain private. This policy describes what data we collect, what we cannot access due to our end-to-end encryption, and your rights under UK data protection law.

2. Data Controller

V31L LTD is the data controller for your personal data:

3. What We Collect

Account Information (Required):

• Username: Account identification (stored as plaintext)
• Password: Authentication (stored as bcrypt hash - irreversible)
• Public encryption key: Enables E2EE messaging (stored as plaintext)
• Encrypted recovery data: Account recovery (stored as encrypted blob)
• Account creation timestamp: Service operation

Profile Information (Optional):

• About text and bio (profile display)
• Profile picture (encrypted at rest)

Email Address (Optional):

• Email address for password reset and payment receipts (stored encrypted)
• Email hash for enumeration protection (SHA-256)

Technical Data (Automatic):

• IP address for security and abuse prevention (not persistently stored)
• Device information for service compatibility (session only)

4. What We CANNOT Access (End-to-End Encrypted)

5. Metadata We Can Access

While message content is encrypted, we do process certain metadata necessary to operate the service:

Message Metadata:

• Sender and recipient user IDs
• Timestamps (sent, delivered, read)
• Message IDs and delivery status

Usage Metadata:

• Last active timestamp
• Online/offline status
• Read receipts (if enabled)

Hub Metadata:

• Hub membership lists
• Roles and permissions
• Join timestamps

This metadata is necessary to route encrypted messages and provide service functionality.

6. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

• Account creation and authentication: Contractual necessity (Article 6(1)(b))
• Message routing and delivery: Contractual necessity
• Security and abuse prevention: Legitimate interests (Article 6(1)(f))
• Email for password reset: Consent (Article 6(1)(a))
• Payment receipts by email: Consent
• Legal compliance: Legal obligation (Article 6(1)(c))

7. Data Retention

• Account data: Until account deletion
• Encrypted messages: Until deleted by user or chat deleted
• Password reset tokens: 24 hours
• Email verification tokens: 24 hours
• Deleted messages: Immediately purged from our servers

Self-Destruct Messages: When you send a self-destruct message, it is automatically deleted from our servers after the specified time period. Due to E2EE, we cannot access the content before or after deletion.

8. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the following rights:

• Right of Access: You may request a copy of the personal data we hold about you. Note that we cannot provide copies of encrypted message content as we cannot access it.
• Right to Rectification: You may update your account information through your settings.
• Right to Erasure: You may delete your account at any time. This permanently removes your account data from our servers.
• Right to Restrict Processing: You may request restriction of processing in certain circumstances.
• Right to Data Portability: You may request your account data in a structured, machine-readable format.
• Right to Object: You may object to processing based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent (e.g., optional email), you may withdraw consent at any time through your account settings.

To exercise these rights, contact admin@v31l.chat.

Right to Complain: You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

• Website: ico.org.uk
• Helpline: 0303 123 1113

9. Email Usage

If you choose to provide an email address:

Used For:

• Password reset requests
• Payment receipts (only if opted-in)
• Critical security alerts
• Subscription expiry notifications (7 days before)

Never Used For:

• Marketing communications
• Promotional emails
• Third-party advertising
• Selling or sharing with advertisers

10. Third-Party Services

Minimal Dependencies: Veil is designed with minimal third-party dependencies:

• Self-hosted email server: Password reset, receipts (email address if provided)
• Push notification services: Message alerts (device tokens only)

We do not use:

• Third-party analytics
• Advertising networks
• Social media trackers
• Data brokers

11. Data Location and Security

Data Storage: Your data is stored on servers located in the United Kingdom.

Security Measures:

• End-to-end encryption for all private communications
• Bcrypt password hashing
• TLS encryption in transit
• Regular security audits
• Access controls and logging

12. Children's Privacy

Veil is not intended for children under 13. We do not knowingly collect personal data from children under 13. If we learn we have collected data from a child under 13, we will delete it promptly.

13. International Transfers

We primarily store and process data in the United Kingdom. If data is transferred outside the UK, we ensure appropriate safeguards are in place in compliance with UK GDPR.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through Veil or by other reasonable means. The "Last Updated" date at the top indicates when the policy was last revised.

15. Contact

For privacy enquiries or to exercise your data protection rights: