Privacy

How we handle your data.

This policy explains what Veylor Reserve collects, how we use it, and what control you have. Discretion is a product requirement for us, not a compliance afterthought.

Effective: 2026-05-26

1. Who we are

Veylor Reserve ("Veylor," "we," "us") is a coordination platform for families and offices that share aircraft, watercraft, residences, and other private assets. We are billed and operated from Panama through Tilopay (our payment processor) and host customer data on managed Postgres infrastructure provided by Supabase.

For data your organization stores in the product — bookings, members, assets, documents — your organization is the data controller and Veylor acts as its processor. For account and billing data of organization owners and administrators, Veylor is the controller.

2. What we collect

Account data: name, email address, language preference, organization name, and the role you hold within your organization (owner, admin, or member). We do not store passwords — authentication uses short-lived email codes and Google OAuth.

Billing data: billing email, card brand, last four digits, a card token issued by Tilopay, and invoice history (subtotal, ITBMS, total, status). The full card number, expiry, and CVV are handled exclusively by Tilopay and never touch our servers.

Content data: anything you create inside the product — reservations, asset details, crew assignments, documents you upload, member invitations, and the audit trail of who changed what.

Technical data: IP address, browser user-agent, request timestamps, and minimal server logs needed for diagnostics, security, and abuse prevention.

3. How we use your information

To operate the service: store and serve your reservations, calendars, members, assets, and documents; enforce permissions; deliver transactional emails (invitations, booking notifications, billing receipts).

To bill the service: create invoices, charge cards through Tilopay, track trial periods, calculate ITBMS where applicable, and provide receipts.

To secure the service: detect abuse, investigate incidents, maintain backups, and respond to lawful requests.

To communicate about the service: send necessary product notices and respond to your inquiries. We do not send marketing emails to organization members; only owners receive billing and product correspondence.

4. Who we share data with

Tilopay (Panama) — payment processing. Receives billing email, amount, currency, and card data entered at checkout.

Supabase (database and authentication hosting) — receives the same data you place into the product because it operates the underlying infrastructure.

Email delivery providers — receive the recipient address and email contents required to send transactional messages (invitations, notifications, receipts).

We do not sell your data. We do not share it with advertisers. We do not allow third parties to track you across other websites from our product or marketing site.

We may disclose data when required by a legally valid order from a Panamanian authority of competent jurisdiction. We will notify you before doing so unless the law forbids it.

5. International transfers

Your account billing is processed in Panama. The infrastructure that hosts your content data may reside in the United States or the European Union depending on the region your organization was provisioned in. Family Office and Bespoke engagements may select a specific data residency at onboarding.

Where data crosses borders, we rely on standard contractual safeguards and the security posture documented at /security.

6. Data retention

We retain your data for as long as your organization is active and for a reasonable period after to allow recovery from accidental deletion, complete outstanding billing, and meet our legal obligations.

Audit log entries are retained for the lifetime of the organization so that historical questions ("who booked the boat that weekend?") remain answerable.

On request, we will delete your organization and all associated data within seven days, irreversibly, except where retention is required by law (for example, invoice records required by Panamanian tax law).

7. Your rights

You may request: access to the data we hold about you; correction of inaccurate data; export of your data in a machine-readable format; deletion of your data subject to the retention notes above; and restriction of certain processing.

Owners can export an organization's data at any time directly from the portal. For requests that require our action — deletion in particular — write to the email at the bottom of this page.

You also have the right to lodge a complaint with the data-protection authority in your country of residence.

8. Cookies and similar technologies

We use only the cookies necessary to operate the service: an authentication cookie that keeps you logged in, and a small set of preference cookies (language, theme). We do not use advertising cookies, fingerprinting, or third-party analytics on signed-in product surfaces.

On the marketing site (the pages outside /portal) we may use minimal first-party analytics in the future to understand traffic patterns. If we ever do, the policy will be updated here and you will be given a clear opt-out.

9. Security

TLS in transit. Encryption at rest is provided by the underlying Supabase Postgres cluster. Authentication is passwordless (email codes and Google OAuth). Row-level security policies enforce tenant isolation at the database layer. Support-staff access requires explicit, time-bounded, logged permission.

Despite reasonable safeguards, no service can guarantee absolute security. We commit to notifying affected customers of any incident that meaningfully exposes their data within 72 hours of confirming it.

10. Children

Veylor Reserve is intended for adults coordinating shared assets. The service is not directed to minors under 18, and we do not knowingly collect data from them.

11. Changes to this policy

We may update this policy as the product evolves. Material changes will be announced by email to organization owners and reflected by an updated effective date at the top of this page. Continued use of the service after a material change constitutes acceptance.

Questions, requests, or concerns.

Write to us for any privacy-related question — including access, correction, export, or deletion of your data. We respond within five business days.

Email: hello@veylorreserve.com