Privacy Policy

1. Introduction and Scope

This Privacy Policy ("Policy") describes how Vela Studios LLC, a limited liability company organized under the laws of the Commonwealth of Virginia, United States ("Company," "we," "us," or "our"), collects, uses, discloses, retains, and protects information in connection with the Promplify™ prompt optimization service accessible at https://promplify.app and any associated application programming interfaces (APIs), subdomains, and successor URLs (collectively, the "Service").

This Policy applies to all individuals who access or use the Service in any capacity, including without limitation casual visitors, anonymous users, registered API consumers, and any person or entity submitting content through the Service interface or API ("you" or "User"). By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree to this Policy, you must immediately discontinue all use of the Service.

This Policy does not apply to third-party websites, applications, or services linked to or referenced within the Service, including without limitation the privacy practices of Perplexity AI, Inc., Cloudflare, Inc., Supabase, Inc., or Google LLC. We encourage you to review the privacy policies of any third-party service you access.

In the event of any conflict between this Policy and any other agreement between you and the Company (including any Terms of Service), the terms most protective of the Company's interests shall govern with respect to liability, and the terms most protective of your privacy rights shall govern with respect to data processing.

2. Data Controller and Contact Information

For the purposes of the European Union General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and any other applicable data protection legislation, the data controller is:

Entity: Vela Studios LLC

Jurisdiction: Commonwealth of Virginia, United States

Privacy Inquiries: privacy@velastudios.com

General Inquiries: legal@velastudios.com

Mailing Address: [Registered Agent Address, Virginia, United States]

We do not currently appoint a formal Data Protection Officer ("DPO") as we do not engage in large-scale systematic monitoring of individuals or large-scale processing of special categories of data within the meaning of GDPR Article 37. Should our processing activities change such that a DPO is required, we will update this Policy and publish the DPO's contact information.

3. Categories of Information Collected

We are committed to the principle of data minimization and collect only the information strictly necessary to provide, secure, and improve the Service. The following describes each category of information, the specific data elements within it, and how that data is handled.

Prompt Content

Data Elements: The problem description, clarifying question responses, and any text you type into the Service input field.

Handling & Storage: Transmitted in real time to the Perplexity Sonar API for processing. Not persisted in any Company database, log file, or backup system after the API response is returned to your browser. Exists transiently in server memory for the duration of the API request only.

Usage Metadata

Data Elements: Character counts of submitted text, response lengths, timestamps (UTC), API endpoint accessed, HTTP status codes, response latency, and rate-limit counter values.

Handling & Storage: Stored in Cloudflare KV and Supabase with a retention period of ninety (90) days. Automatically purged thereafter. Does not contain prompt text or personally identifying content.

Network Identifiers

Data Elements: A cryptographic one-way hash (SHA-256) of your IP address concatenated with a daily-rotating salt value. Your raw (plaintext) IP address is never stored.

Handling & Storage: Used exclusively for rate limiting and abuse prevention. Stored in Cloudflare KV with a maximum retention of ninety (90) days. The daily salt rotation ensures hashes cannot be correlated across days.

Session Token

Data Elements: A cryptographically random API key generated per browser session, prefixed with "pa_live_" or "pa_anon_" for internal classification.

Handling & Storage: Stored in your browser's sessionStorage (not localStorage or cookies). Automatically cleared when you close the browser tab. Used solely to authenticate API requests and enforce per-session rate limits. The hashed form is stored server-side in Cloudflare KV with a 24-hour TTL.

Feedback Data

Data Elements: Optional thumbs-up or thumbs-down rating and the anonymized session identifier associated with the rating.

Handling & Storage: Stored in Supabase linked to the anonymized session hash. No prompt text, IP address, or personally identifiable information is associated with feedback records.

Security Audit Logs

Data Elements: Request correlation identifiers (UUID v4), detected prompt injection attempts (flagged as boolean, text not stored), anomalous rate-limit events, and error codes.

Handling & Storage: Stored in Cloudflare KV for ninety (90) days to support security incident response. Logs contain only metadata; no prompt content or personal data is recorded.

4. Information We Expressly Do Not Collect

The Service is designed to operate without collecting personally identifiable information. For the avoidance of doubt, we expressly do not collect:

Names, email addresses, phone numbers, or physical addresses (unless voluntarily provided via privacy@velastudios.com correspondence)
Account registration information (the Service does not require account creation)
HTTP cookies of any kind, including first-party, third-party, session, or persistent cookies
Tracking pixels, web beacons, fingerprinting scripts, or advertising identifiers
Third-party analytics SDKs (including but not limited to Google Analytics, Meta Pixel, Hotjar, Mixpanel, or Amplitude)
Device identifiers, hardware serial numbers, or mobile advertising IDs
Location data (GPS, Wi-Fi triangulation, or cell tower data)
Payment information, credit card numbers, or financial account data
Raw (plaintext) IP addresses
The content of your generated or optimized prompts (these are returned to your browser and not retained)

5. Purposes and Legal Bases for Processing

We process information for the following purposes. Where the GDPR or UK GDPR applies, we identify the legal basis for each processing activity.

Service Delivery

Description: Transmitting your prompt text to the Perplexity Sonar API and returning the optimized result to your browser.

Legal Basis: Art. 6(1)(b) — Performance of a contract (provision of the requested service at your initiation).

Rate Limiting & Abuse Prevention

Description: Enforcing daily and per-minute request limits to prevent resource exhaustion and protect service availability for all users.

Legal Basis: Art. 6(1)(f) — Legitimate interests (maintaining service integrity and preventing abuse). Balanced against minimal privacy impact of hashed IP data.

Security & Fraud Prevention

Description: Detecting and blocking prompt injection attacks, monitoring for anomalous API usage, and maintaining security audit logs.

Legal Basis: Art. 6(1)(f) — Legitimate interests (protecting the Service, its users, and our intellectual property from security threats).

Service Improvement

Description: Analyzing aggregated, anonymized usage metadata (not prompt content) to improve reliability, performance, and user experience.

Legal Basis: Art. 6(1)(f) — Legitimate interests (improving service quality based on non-personal aggregate statistics).

Legal Compliance

Description: Responding to lawful requests from governmental authorities and complying with applicable legal obligations.

Legal Basis: Art. 6(1)(c) — Legal obligation.

We do not process your data for profiling, automated decision-making with legal or similarly significant effects, targeted advertising, or sale to third parties.

6. Third-Party Service Providers (Sub-Processors)

To deliver the Service, we engage the following third-party service providers. Each provider processes data solely on our behalf and in accordance with contractual obligations requiring appropriate technical and organizational security measures.

Perplexity AI, Inc.

Purpose: AI language model inference via the Sonar API to analyze and optimize user-submitted prompts.

Data Processed: Prompt text (transient, per-request only). No persistent storage by Perplexity per their data processing terms.

Location: United States. Subject to Perplexity AI's Privacy Policy and DPA.

Cloudflare, Inc.

Purpose: Content delivery (Pages), serverless compute (Workers), key-value storage (KV), DDoS protection, and TLS termination.

Data Processed: Hashed IP addresses, session token hashes, rate limit counters, usage metadata, and security audit logs.

Location: Global edge network. Cloudflare is certified under the EU-U.S. Data Privacy Framework. Subject to Cloudflare's DPA.

Supabase, Inc.

Purpose: Cloud database hosting for anonymized usage metadata and feedback ratings.

Data Processed: Anonymized usage metadata, feedback ratings linked to anonymized session hashes. No prompt text or personal data.

Location: United States (AWS us-east-1). Subject to Supabase's DPA.

Google LLC

Purpose: Font delivery via Google Fonts CDN (Inter typeface).

Data Processed: Standard HTTP request metadata (user agent, referrer URL) incidental to font file download. No personally identifying data transmitted by the Service.

Location: Global CDN. Subject to Google's Privacy Policy. We are evaluating self-hosting to eliminate this dependency.

We require all sub-processors to maintain security measures no less protective than those described in this Policy. We will update this section if we add or replace any sub-processor. We do not sell, rent, lease, or trade personal information to any third party for any purpose.

7. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, including from the European Economic Area ("EEA"), the United Kingdom, or Switzerland, your information may be transferred to, processed in, and stored within the United States, which may not provide an equivalent level of data protection as your jurisdiction of residence.

Where such transfer occurs, we rely on the following lawful transfer mechanisms as applicable:

The EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework, to the extent our sub-processors are certified participants.
Standard Contractual Clauses ("SCCs") adopted by the European Commission (Decision 2021/914) incorporated into our data processing agreements with sub-processors, supplemented by transfer impact assessments where required.
Binding corporate rules of sub-processors, where applicable and approved by a competent supervisory authority.

If you have concerns regarding the adequacy of international transfer safeguards, please contact privacy@velastudios.com.

8. Data Retention and Deletion

We retain information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, and enforce our rights. The following schedule applies:

Data Type	Retention Period	Deletion Mechanism
Prompt Content	Zero (0) seconds post-response	Not stored. Exists only in transient server memory during the API request lifecycle. Automatically garbage-collected upon response delivery.
Usage Metadata	90 days	Automated TTL-based expiration in Cloudflare KV. Scheduled deletion job in Supabase executing daily at 00:00 UTC.
Hashed Network Identifiers	90 days	Automated TTL-based expiration in Cloudflare KV. Daily salt rotation renders prior-day hashes non-correlatable.
Session Tokens (server-side)	24 hours	Automated TTL-based expiration in Cloudflare KV.
Feedback Ratings	12 months	Scheduled deletion job in Supabase. Ratings older than 12 months are permanently deleted.
Security Audit Logs	90 days (extended during active investigations)	Automated TTL-based expiration in Cloudflare KV. Extended to the duration of an active investigation if a security incident is detected.

9. Security Measures

We implement technical and organizational security measures designed to protect the information processed through the Service against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

Encryption in Transit: All data transmitted between your browser and the Service, and between the Service and its sub-processors, is encrypted using TLS 1.2 or higher. The Service enforces HTTPS exclusively and issues HTTP Strict Transport Security (HSTS) headers.
Encryption at Rest: Server-side data stored in Cloudflare KV and Supabase is encrypted at rest using AES-256 or equivalent encryption provided by the hosting infrastructure.
Input Sanitization: All user-submitted content is validated, sanitized, and structurally isolated before processing to mitigate injection attacks, including prompt injection specific to AI/LLM systems.
Access Control: API access is gated by cryptographically generated Bearer tokens with automatic session expiration. Administrative access to infrastructure is restricted by multi-factor authentication and least-privilege role assignment.
Security Headers: The Service deploys Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers in conformance with OWASP security header recommendations.
Rate Limiting: Multi-factor rate limiting (token-bound and IP-bound) with sliding-window enforcement and exponential backoff to prevent resource exhaustion and denial-of-service attacks.
Monitoring: Structured security audit logging with real-time anomaly detection for prompt injection attempts, API key compromise indicators, and usage spikes exceeding baseline thresholds.

No method of electronic transmission or storage is completely secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security. We do not warrant, represent, or guarantee that your information will be immune from loss, misuse, attack, or disclosure by third parties, and we disclaim any liability relating thereto to the maximum extent permitted by applicable law.

10. Artificial Intelligence and Automated Processing Disclosure

The core function of the Service involves transmitting User-submitted prompt text to a third-party large language model ("LLM") operated by Perplexity AI, Inc. (the "Sonar" model) for automated analysis and optimization. You should be aware of the following:

No Human Review: Your prompt text is processed entirely by automated systems. No Company employee or contractor reads, reviews, or has access to the content of your prompts.
No Training on Your Data: We do not use your prompt text to train, fine-tune, or improve any AI model. Your prompt text is not retained after the API response is delivered to your browser. Perplexity AI's use of input data is governed by their own privacy policy and data processing terms, which we encourage you to review.
AI Output Limitations: The Service generates optimized prompt suggestions based on probabilistic language model inference. Outputs may be inaccurate, incomplete, or unsuitable for any particular purpose. The Company makes no representations or warranties regarding the accuracy, completeness, fitness, or suitability of AI-generated outputs.
Prompt Injection Defenses: The Service employs multi-layered defenses against adversarial prompt injection attacks, including input sanitization, structural isolation of user content from system instructions, canary token detection, and output filtering. These defenses are designed to protect the integrity of the Service and the confidentiality of our proprietary processing logic.
No Profiling or Automated Decisions: The Service does not profile Users, make automated decisions with legal or similarly significant effects, or use automated decision-making technology ("ADMT") as defined under the California Consumer Privacy Act and its amendments.

11. Your Rights Under Applicable Data Protection Laws

11.1 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

If you are located in the EEA, United Kingdom, or Switzerland, you may exercise the following rights under GDPR and UK GDPR, subject to applicable exceptions and limitations:

Right of Access (Art. 15): You may request confirmation of whether we process personal data about you and, if so, obtain a copy.
Right to Rectification (Art. 16): You may request correction of inaccurate personal data.
Right to Erasure (Art. 17): You may request deletion of personal data where the data is no longer necessary for the purposes for which it was collected, or where processing is based on consent and consent is withdrawn.
Right to Restriction (Art. 18): You may request restriction of processing under certain circumstances.
Right to Data Portability (Art. 20): You may request your personal data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21): You may object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority.

Because the Service does not collect personally identifying information under normal operation, we may be unable to verify your identity or locate data attributable to you. In such cases, we will inform you of this limitation and the reasons therefor. To exercise any right, contact privacy@velastudios.com. We will respond within thirty (30) days, or within the extended timeframe permitted by law if the request is complex or voluminous.

11.2 California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), may afford you the following rights:

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of personal information we have collected from you, subject to statutory exceptions.
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: We do not sell or "share" (as defined under CCPA) personal information to third parties for cross-context behavioral advertising. Accordingly, no opt-out mechanism is required. If our practices change, we will provide a conspicuous "Do Not Sell or Share My Personal Information" link.
Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under CCPA §1798.140(ae).
Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA right.

To submit a verifiable consumer request, contact privacy@velastudios.com. You may also designate an authorized agent to make requests on your behalf, provided the agent presents written authorization and proof of identity. We will respond within forty-five (45) days, with a possible extension of an additional forty-five (45) days where reasonably necessary, with notice.

In the preceding twelve (12) months, we have not sold personal information, have not shared personal information for cross-context behavioral advertising, and have not used or disclosed sensitive personal information for purposes other than those permitted by CCPA §1798.121(a).

11.3 Virginia Residents (VCDPA)

If you are a Virginia resident, the Virginia Consumer Data Protection Act ("VCDPA") may afford you rights to access, correct, delete, obtain a copy of your personal data, and opt out of the processing of personal data for targeted advertising, sale, or profiling. We do not engage in any of these activities. To exercise any right, contact privacy@velastudios.com.

11.4 Other U.S. State Privacy Laws

If you are a resident of Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or any other U.S. state with an applicable consumer privacy statute, you may have similar rights to access, correct, delete, and opt out. Contact privacy@velastudios.com to exercise any applicable right. We will process your request in accordance with the law of your state of residence.

12. Children's Privacy

The Service is not directed to, and is not intended for use by, individuals under the age of sixteen (16). We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided personal information through the Service, please contact privacy@velastudios.com immediately, and we will take reasonable steps to delete such information. If we become aware that we have inadvertently collected personal information from a child under 16, we will delete that information without undue delay.

13. Cookies and Tracking Technologies

The Service does not use HTTP cookies. We do not set first-party cookies, third-party cookies, session cookies, persistent cookies, or any other cookie-based storage mechanism.

We use the browser's sessionStorage API to store a temporary session token during your active use of the Service. Unlike cookies, sessionStorage data is: (a) accessible only to scripts running on the same origin (promplify.app), (b) never transmitted automatically in HTTP request headers, (c) automatically and irrevocably cleared when the browser tab is closed, and (d) not shared across browser tabs or windows.

Because the Service does not use cookies or equivalent tracking technologies, a cookie consent banner is not required under the ePrivacy Directive (Directive 2002/58/EC, as amended) or its national implementations. If we implement cookies or similar technologies in the future, we will update this Policy and deploy an appropriate consent mechanism in advance of any such deployment.

14. Data Breach Notification

In the event of a personal data breach (as defined under GDPR Article 4(12)) that is likely to result in a risk to the rights and freedoms of natural persons, we will:

Notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33, to the extent applicable.
Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34, to the extent applicable.
Comply with applicable U.S. state breach notification statutes, including the Virginia Personal Information Privacy Act (§18.2-186.6), the California Civil Code §1798.82, and any other applicable state law, within the timeframes prescribed therein.
Document the facts of the breach, its effects, and the remedial actions taken, and maintain such documentation for a minimum of five (5) years.

15. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL VELA STUDIOS LLC, ITS MEMBERS, MANAGERS, OFFICERS, EMPLOYEES, AGENTS, AFFILIATES, OR LICENSORS (COLLECTIVELY, THE "COMPANY PARTIES") BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, GOODWILL, DATA, OR OTHER INTANGIBLE LOSSES, ARISING OUT OF OR RELATED TO:

Your use of, or inability to use, the Service;
Any unauthorized access to or alteration of your data transmitted through the Service;
Any third-party conduct or content, including without limitation the processing of your prompt text by Perplexity AI, Inc. or any other sub-processor;
The accuracy, completeness, or suitability of any AI-generated output provided by the Service;
Any security breach, data loss, or system failure, regardless of the cause thereof;
Any reliance on information or output provided by the Service.

THE AGGREGATE LIABILITY OF THE COMPANY PARTIES FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THIS POLICY OR YOUR USE OF THE SERVICE SHALL NOT EXCEED THE GREATER OF: (A) THE AMOUNT YOU PAID TO THE COMPANY FOR ACCESS TO THE SERVICE DURING THE TWELVE (12) MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED UNITED STATES DOLLARS (USD $100.00).

THE FOREGOING LIMITATIONS SHALL APPLY WHETHER THE ALLEGED LIABILITY IS BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, EVEN IF THE COMPANY PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. IN SUCH JURISDICTIONS, LIABILITY IS LIMITED TO THE FULLEST EXTENT PERMITTED BY LAW.

16. Disclaimer of Warranties

THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS, WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. THE COMPANY PARTIES EXPRESSLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

WITHOUT LIMITING THE FOREGOING, THE COMPANY PARTIES MAKE NO WARRANTY THAT: (A) THE SERVICE WILL MEET YOUR REQUIREMENTS OR EXPECTATIONS; (B) THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE; (C) THE RESULTS OBTAINED FROM THE SERVICE WILL BE ACCURATE, RELIABLE, OR COMPLETE; (D) ANY ERRORS IN THE SERVICE WILL BE CORRECTED; OR (E) AI-GENERATED OUTPUTS WILL BE FREE FROM BIAS, HALLUCINATION, OR FACTUAL INACCURACY.

YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU.

17. Indemnification

You agree to indemnify, defend, and hold harmless the Company Parties from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or related to: (a) your use of the Service; (b) your violation of this Policy or any applicable law; (c) the content you submit to the Service, including any claim that such content infringes or misappropriates the intellectual property rights or privacy rights of any third party; or (d) your violation of any rights of another person or entity.

This indemnification obligation shall survive the termination of your use of the Service and shall apply regardless of the form of action, whether in contract, tort, strict liability, or otherwise.

18. Dispute Resolution and Governing Law

18.1 Governing Law

This Policy and any dispute arising out of or related to it or your use of the Service shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, United States, without regard to its conflict-of-law principles. To the extent that any provisions of this Policy conflict with mandatory provisions of the GDPR, UK GDPR, CCPA, or any other applicable privacy statute that cannot be waived by agreement, such mandatory provisions shall prevail solely to the extent of the conflict.

18.2 Informal Resolution

Before initiating any formal dispute resolution proceeding, you agree to first contact us at legal@velastudios.com and attempt to resolve the dispute informally for a period of at least sixty (60) days from the date of your initial notification. Most disputes can be resolved through good-faith negotiation.

18.3 Binding Arbitration

If the dispute is not resolved informally within sixty (60) days, any controversy or claim arising out of or relating to this Policy shall be settled by binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules, as modified by this Section. The arbitration shall be conducted by a single arbitrator in Fairfax County, Virginia, or, at the election of the claimant, by videoconference. The arbitrator's award shall be final and binding and may be entered as a judgment in any court of competent jurisdiction.

18.4 Class Action and Jury Trial Waiver

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, YOU AND THE COMPANY EACH WAIVE THE RIGHT TO A JURY TRIAL AND THE RIGHT TO PARTICIPATE IN A CLASS ACTION, COLLECTIVE ACTION, PRIVATE ATTORNEY GENERAL ACTION, OR OTHER REPRESENTATIVE PROCEEDING OF ANY KIND. This waiver applies to any claims arising under this Policy, the Terms of Service, or any related agreement. If this waiver is found unenforceable as to a particular claim, that claim (and only that claim) shall be severed and may proceed in court, while all remaining claims shall proceed in arbitration.

18.5 Exceptions

Nothing in this Section shall preclude either party from seeking injunctive or other equitable relief in a court of competent jurisdiction to prevent irreparable harm pending the outcome of arbitration. Claims for statutory damages under privacy statutes (including GDPR, CCPA, or state breach notification laws) that cannot lawfully be submitted to arbitration shall be resolved in the state or federal courts located in Fairfax County, Virginia, and each party consents to the exclusive jurisdiction and venue of such courts for such claims.

19. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

We will update the "Last Updated" date at the top of this document.
For material changes that expand our processing of personal data or reduce your rights, we will provide prominent notice on the Service (such as a banner notification) at least thirty (30) days before the changes take effect.
Where required by GDPR, CCPA, or other applicable law, we will obtain your consent to material changes prior to their effectiveness.

Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of such changes. If you do not agree with the updated Policy, your sole remedy is to discontinue use of the Service. We recommend reviewing this Policy periodically.

Prior versions of this Policy are available upon written request to privacy@velastudios.com.

20. Severability

If any provision of this Policy is held by a court or arbitrator of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, or if such modification is not possible, severed from this Policy. The invalidity or unenforceability of any provision shall not affect the validity or enforceability of the remaining provisions, which shall continue in full force and effect.

21. Entire Agreement

This Policy, together with our Terms of Service (when published), constitutes the entire agreement between you and the Company regarding the collection, use, and protection of your information in connection with the Service, and supersedes all prior or contemporaneous communications, representations, or agreements, whether oral or written, regarding such subject matter.

22. Contact Information

If you have questions, concerns, or requests regarding this Policy or our data practices, you may contact us through the following channels:

Privacy Inquiries: privacy@velastudios.com

Legal Inquiries: legal@velastudios.com

Mailing Address: Promplify LLC, [Registered Agent Address], Virginia, United States

We aim to respond to all privacy-related inquiries within thirty (30) days of receipt. For requests submitted under GDPR, we will respond within one (1) month, extendable by two (2) additional months for complex requests with notice. For requests submitted under CCPA, we will respond within forty-five (45) days, extendable by forty-five (45) additional days with notice.