Privacy Policy
Last updated: June 26, 2026
Your privacy is important to us, and so is our responsibility to be transparent about how we collect, use, and share information about You. This Privacy Policy (“Policy”) describes Our data practices in connection with the Vellum, LLC platform and all associated websites, applications, and services (collectively, the “Services”).
Vellum, LLC (“Company,” “We,” “Us,” or “Our”) is committed to protecting Your privacy and to compliance with the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”) / California Privacy Rights Act (“CPRA”), and all other applicable data protection laws.
By accessing or using the Services, You acknowledge and consent to the practices described in this Policy. If You do not agree, please do not use the Services.
1. Information We Collect
1.1 Information You Provide Directly.
- Account Information: Full name, business email address, phone number, company name, job title and function, business address, and account credentials.
- Billing Information: Billing address, payment method details, and transaction history. We do not collect or store credit card numbers. All payment card processing is handled by our PCI DSS Level 1 certified payment processor(s).
- Your Content: Documents, files, drawings, annotations, markups, comments, and other content You upload, create, or share through the Services.
- Communications: Information You provide when contacting support, submitting feedback, responding to surveys, subscribing to updates, or communicating with Us.
1.2 Information Collected Automatically. When You access or use the Services, We automatically collect:
- Device and Connection Data: IP address, device ID, device type, operating system, browser type and version, screen resolution, and connection information.
- Usage Data: Pages and features accessed, actions taken within the Services, time spent on features, click patterns, search terms, frequency and duration of use, and other interaction data.
- Log Data: Server logs recording access times, referring URLs, error logs, and diagnostic data.
- Location Data: Approximate geographic location derived from Your IP address.
1.3 Information from Third-Party Sources. We may receive information about You from authentication providers (e.g., Google, Microsoft, Apple) when You use single sign-on (limited to email address, first name, and last name); integration partners when You connect third-party services; Your employer or organization administrator, if Your Account is part of an enterprise or team subscription; and authorized resellers or distributors who facilitate Your access to the Services.
2. How We Use Your Information
We use the information We collect to:
- Provide and operate the Services, including hosting, processing, transmitting, and displaying Your Content.
- Administer Your Account, including authentication, billing, and subscription management.
- Improve and develop the Services, including analyzing usage patterns, diagnosing bugs, conducting internal research, and developing new features.
- Provide customer support and respond to Your inquiries.
- Communicate with You about product updates, service announcements, security alerts, billing notifications, and administrative messages.
- Personalize Your experience, including tailoring features, content, and recommendations.
- Ensure security and protect against fraud, unauthorized access, and misuse of the Services.
- Comply with legal obligations and enforce Our Terms of Service.
- Send marketing communications, including information about new features, products, and promotions. You may opt out at any time (see Section 7).
We do not use Your Content (documents, drawings, annotations) for advertising purposes. We do not sell Your Content to third parties. We do not use Your Content to train machine learning or AI models unless You provide separate, express consent.
3. How We Share Your Information
3.1 Service Providers. We engage trusted third-party companies to perform functions on Our behalf, including cloud hosting, payment processing, analytics, customer support, and email delivery. These providers are contractually bound to use Your information only as necessary to provide services to Us and are subject to confidentiality obligations.
3.2 Collaboration Partners. When You use the Services’ collaboration features to share content with other users, those users will have access to Your Content and associated metadata (such as Your name and annotations) in accordance with the permissions You set.
3.3 Corporate Affiliates. We may share information with Our corporate affiliates and subsidiaries for purposes consistent with this Policy, including account administration, support, security, and service improvements.
3.4 Legal Compliance and Protection. We may disclose Your information to government agencies, regulatory bodies, or law enforcement as required, authorized, or permitted by law, or as necessary to: (a) comply with legal process; (b) enforce Our Terms of Service; (c) protect the rights, property, or safety of the Company, Our users, or the public.
3.5 Business Transfers. If the Company is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, Your information may be transferred as part of that transaction. We will provide notice before Your information becomes subject to a different privacy policy.
3.6 Aggregated and De-identified Data. We may share aggregated or de-identified information that cannot reasonably be used to identify You for purposes such as industry analysis, benchmarking, and product development.
We do not share personal information with third parties for their direct marketing purposes. We do not sell personal information as defined under the CCPA/CPRA.
4. Cookies and Tracking Technologies
4.1 Types of Technologies. We use cookies (session and persistent), web beacons, pixels, device identifiers, and similar technologies to provide functionality, recognize You across sessions and devices, and analyze usage patterns. See our Cookie Policy for the full inventory.
4.2 Purposes. We use these technologies for essential operations (authentication, security, load balancing, and core functionality — these cannot be disabled); analytics (understanding how users interact with the Services); preferences (remembering Your settings, language, and display preferences); and marketing (measuring the effectiveness of communications).
4.3 Your Choices. You may control cookies through Your browser settings. Disabling cookies may limit Your ability to use certain features. If You reside in the European Economic Area, United Kingdom, or Switzerland, non-essential cookies will only be used with Your affirmative consent as presented through Our cookie consent mechanism.
4.4 Global Privacy Control. We honor the Global Privacy Control (GPC) signal as an opt-out request for the sale or sharing of personal information. We do not currently respond to browser-level Do Not Track (DNT) signals due to the lack of a uniform industry standard.
5. International Data Transfers
Your information may be transferred to, processed, and stored in countries other than Your country of residence, including the United States, where Our servers and service providers are located. These countries may have data protection laws that differ from those in Your jurisdiction.
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland, We rely on Standard Contractual Clauses approved by the European Commission; Data Privacy Framework certifications (EU-U.S. DPF, UK Extension, Swiss-U.S. DPF), where applicable; and Your consent, where obtained. You may obtain a copy of the applicable Standard Contractual Clauses by contacting Us at legal@vellumdraw.com.
6. Data Retention
6.1 Account Data. We retain Your account information for as long as Your Account is active, as necessary to provide the Services, and as required to comply with Our legal obligations.
6.2 Your Content. We retain Your Content for the duration of Your subscription and for thirty (30) days following termination to allow retrieval. After this period, Your Content may be permanently deleted.
6.3 Usage and Log Data. We retain automatically collected usage and log data for a period reasonably necessary to fulfill the purposes described in this Policy, typically no longer than twenty-four (24) months. Audit logs may be retained for longer periods as necessary for security, compliance, and service integrity purposes.
6.4 Post-Deletion. When You request deletion of Your Account, We will delete or de-identify Your personal information within thirty (30) days, except for: (a) information We are required to retain by law; (b) information necessary to protect against fraud or enforce Our Terms; and (c) backup copies that will be deleted in the ordinary course of Our backup rotation cycle.
7. Your Rights and Choices
Depending on Your jurisdiction, You may have the right to: access a copy of the personal information We hold about You; request correction of inaccurate or incomplete information; request deletion (subject to legal retention requirements); request data portability; opt out of marketing emails via the “unsubscribe” link or by contacting Us; withdraw consent where We rely on it; request restriction of processing; object to processing based on legitimate interests; and not be discriminated against for exercising Your privacy rights.
To exercise any of these rights, please contact Us at legal@vellumdraw.com. We will respond to all requests within thirty (30) days. We may require verification of Your identity before fulfilling requests.
For residents of the EEA, UK, or Switzerland: If You are unsatisfied with Our response, You have the right to lodge a complaint with Your local data protection supervisory authority.
For California residents: You have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. To submit a request, contact legal@vellumdraw.com.
8. Data Security
We implement and maintain industry-standard administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of Your information, including encryption of data at rest and in transit using TLS/SSL protocols; access controls limiting access to authorized personnel; periodic penetration testing and vulnerability assessments; logical separation of customer data; employee training on data protection; and incident response procedures.
No method of electronic transmission or storage is 100% secure. While We strive to protect Your information, We cannot guarantee its absolute security.
9. Children's Privacy
The Services are designed for professional use and are not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under the age of 16. If We discover that We have collected personal information from a child under 16, We will promptly delete that information.
10. Third-Party Links and Integrations
The Services may contain links to third-party websites or integrate with third-party services. We do not control and are not responsible for the privacy practices of these third parties. We encourage You to review the privacy policies of any third-party services You connect to or access through the Services.
11. Changes to This Policy
We reserve the right to modify this Policy at any time. For material changes, We will notify You via email or through a prominent notice within the Services at least thirty (30) days before the changes take effect. Your continued use of the Services after the effective date of any modifications constitutes Your acceptance of the updated Policy.
12. Contact Us
If You have questions, concerns, or requests regarding this Privacy Policy or Our data practices, please contact:
Data Protection Officer
Vellum, LLC
500 N Commercial Street, Suite 502, Manchester, NH 03101
Email: legal@vellumdraw.com
Questions about this document? Contact us at legal@vellumdraw.com.