Privacy policy
What personal data Veillo collects, why we hold it, and the control you keep over it. We sell compliance tooling, so we hold ourselves to the standard we ask of customers.
Last updated 28 May 2026. This is the current version. It reflects how Veillo operates today and is confirmed by counsel before public launch. It is not legal advice.
1. Who we are
The data controller for Veillo is Arbos Folk, a sole proprietorship registered in Denmark, which builds Veillo under the Arbos Techne name. You can reach us at hello@veillo.eu.
Across this policy, “we”, “us” and “Veillo” mean Arbos Folk. “You” means the person or organisation using the service.
2. The data we collect
We collect only what the service needs:
- Account data. Your name, work email, hashed password, organisation name, and role.
- Organisation profile. Country, sector, employee band, and the DPO or AI compliance lead you choose to record.
- Compliance data. The AI systems, use cases, classifications, documents, and audit-log entries you create. You decide what goes in here; it may include personal data if you put it there.
- Billing data. Your plan, subscription status, and invoices. Card details are handled by our payment processor; we never see or store full card numbers.
- Usage and technical data. Log data, approximate location from your IP address, device and browser type, and the actions you take in the app, used to keep it working and secure.
- Support messages. What you send us by email.
- Free inventory tool. If you use the no-signup tool, we store the inventory you build and the email address you give us so we can send your PDF register.
3. How we use it, and our legal basis
- To provide the service you signed up for, including inventory, classification, documents, and exports. Basis: performance of our contract with you.
- To keep Veillo secure and reliable, prevent abuse, and debug problems. Basis: our legitimate interest in a safe, working product.
- To take payment and meet tax duties. Basis: our contract and our legal obligations.
- To understand product use through privacy-respecting analytics, where enabled. Basis: your consent, or our legitimate interest where the law allows.
- To send service messages (contract) and, if you opt in, a regulator-update digest you can leave at any time (consent).
4. AI-assisted features
If you type a free-text description of a custom AI system and ask us to classify it, that text is sent to a language-model provider to suggest a risk tier. The suggestion is always marked AI-assisted and needs your confirmation. We do not make automated decisions that have legal or similarly significant effects on anyone, and a high-risk classification never confirms itself. The substance of our compliance content is authored and reviewed by qualified counsel, not generated by a model.
5. Who else processes your data
A small set of processors helps us run Veillo, each under a written data processing agreement:
- Hosting (application), in an EU region.
- Database (your workspace data), in an EU region.
- File storage (generated documents and exports), in an EU jurisdiction.
- Stripe for payments and EU VAT.
- Resend for transactional email.
- A language-model provider, which receives only the free text you submit for classification.
- Privacy-respecting analytics, EU-hosted, where enabled.
We do not sell personal data and we do not share it for advertising. The current sub-processor list is available on request and is published in full with the launch version of this policy.
6. International transfers
We keep data in the EU wherever we can. Where a processor operates outside the EEA, the transfer relies on a European Commission adequacy decision or on Standard Contractual Clauses, so your data keeps an equivalent level of protection.
7. How long we keep it
We hold account and compliance data for as long as your account is active, and for a limited period afterwards where a live dispute or the law requires it. Free inventory-tool data is kept for a short window and then removed. Billing and tax records are kept for the period Danish law requires. When you close an account, we delete or anonymise personal data on a defined schedule.
8. How we protect it
Data is encrypted in transit, stored in the EU, and reachable only through role-based access within your isolated workspace. Every change to your compliance posture is written to an append-only audit log. See our security and data residency page.
9. Your rights
Under the GDPR you can ask us to give you a copy of your data, correct it, delete it, restrict or object to how we use it, and receive it in a portable form. Where we rely on consent, you can withdraw it at any time. Email hello@veillo.eu and we respond within one month. You can also complain to the Danish Data Protection Agency (Datatilsynet), or to the authority where you live or work.
10. Cookies
We keep cookies to a minimum. See our cookie policy for the detail and your controls.
11. Children
Veillo is a tool for businesses, not a consumer service, and is not directed at children. We do not knowingly collect data about anyone under 16.
12. Changes
If we change this policy in a way that affects you, we tell you before it takes effect, by email or in the app.
13. Contact
Questions about your data, or a request to exercise a right: hello@veillo.eu.