Privacy policy.

• Account. Name, email, password hash, workspace/tenant id, role, optional MFA factor.
• Billing. The minimum needed to process a payment (handled by the payment processor — see sub-processors below). Vlozi stores invoice metadata and credit-balance state; full card numbers never touch Vlozi infrastructure.
• Content. Anything you create in the product — blog posts, newsletters, contacts, chatbot transcripts, uploaded media. All of it is scoped to your tenant.
• Usage. Coarse-grained server logs (timestamp, IP, route, status, latency) for ~30 days for debugging and abuse prevention.
• Support correspondence. If you email or use the in-product feedback form, Vlozi keeps that thread to follow up.
• Cookies. Essential cookies only (session, CSRF). No advertising cookies. Cookieless privacy-respecting analytics may be added in future — opt-out will be honoured via Do-Not-Track / Sec-GPC / prefers-reduced-data.

• Run the product you signed up for (auth, dashboard, sending mail, serving the blog, replying via the chatbot).
• Bill correctly (compute credit usage, send receipts, prevent abuse of the free tier).
• Support (answer questions, debug, send transactional mail).
• Security (detect compromise, rate-limit, investigate abuse).
• Improve the product in aggregate (counts, latency, error rates — never the contents of your posts).

Vlozi does not sell your data, does not share it with advertisers, and does not provide it to third-party AI vendors for model training. The only third parties Vlozi shares data with are sub-processors required to run the service:

• Cloudflare — edge compute, DNS, and object storage.
• Neon — Postgres database (region-isolated, encrypted at rest).
• Resend — transactional + newsletter email delivery.
• OpenAI / Anthropic (as applicable) — LLM inference for the Content Engine chatbot, on a strict no-training data-processing agreement. Vlozi's requests carry only the content relevant to the user query, never the full tenant dataset.
• Payment processor — Razorpay / Stripe (whichever your billing region routes to). Card data is held by the processor, not by Vlozi.

The list above is the current set. If Vlozi adds a sub-processor that handles personal data, this page will be updated and existing customers notified by email at least 14 days before the change takes effect.

The primary Postgres lives in Neon's ap-south-1 region (Mumbai). Edge compute and CDN delivery run globally on Cloudflare. Object storage (uploaded media) sits on Cloudflare R2, tenant-prefixed. Transactional and newsletter mail goes through Resend (US/EU regions, per their posture). See the security page for the operational details.

• While your account is active: as long as you keep the account open.
• After cancellation: data stays exportable for 30 days, archived for 60 days, then permanently deleted unless legally retained.
• Server logs: ~30 days, then aggregated or deleted.
• Billing records: retained for the period required by Indian tax law (currently 8 years).

Under GDPR (EU/UK), India's Digital Personal Data Protection Act, and equivalents, you can:

• Access the personal data Vlozi holds about you.
• Export your content (CSV / markdown / media bundle) from the dashboard, anytime, without asking.
• Correct anything that's wrong.
• Delete your account — and with it, your personal data, on the retention schedule above.
• Restrict or object to certain processing, and withdraw consent where consent was the basis.
• Lodge a complaint with a supervisory authority if Vlozi gets it wrong.

Email hello@vlozi.app with the request. Vlozi responds within 30 days (typically faster).

If you're outside India and your data crosses borders to reach Vlozi's infrastructure, the transfer relies on standard contractual clauses (or equivalent) with every sub-processor named above. You can ask for a copy of the relevant SCCs by emailing hello@vlozi.app.

Vlozi isn't built for children. The product is targeted at adults running businesses; accounts shouldn't be opened by anyone under 18. If Vlozi learns that a minor has created an account without verifiable parental consent, the account will be closed.

Material changes are notified to existing customers by email at least 14 days before they take effect. Minor clarifying edits land on this page with the “Last updated” date bumped above.

General privacy questions: hello@vlozi.app. Security issues: security@vlozi.app.