Privacy Policy
Last updated: 13 May 2026
Introduction
This Privacy Policy describes how Starboard Solutions Pty Ltd (ACN / ABN details on request), trading as Vela(“we”, “us”, “our”), handles personal information collected through the Vela platform and website (getvela.au).
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy applies to all individuals whose personal information we hold, including subscribers, authorised users, and contacts of our subscribers (e.g. the clients of a business using Vela).
What we collect
We collect information in the following categories:
Account data
Authentication data
Business data
- Inbox content: Email subjects, bodies, sender/recipient addresses, and attachments synced from Microsoft 365 via the Microsoft Graph API, solely to classify and draft replies on your behalf.
- Xero data: Invoice records, contact names, amounts, and due dates retrieved via the Xero API, solely to operate the invoice-chasing feature.
- Booking/calendar data: Appointment records and waitlist entries provided by or synced to Vela for the booking-fill feature.
Business data belongs to you. We process it only to deliver the service you have requested.
Usage data
Payment data
How we use your data
- Deliver the service: Inbox automation, invoice chasing, and booking fill all require processing your business data.
- Per-tenant AI personalisation: We may fine-tune or adapt AI behaviour using your data to improve accuracy for your account only. We never aggregate data across tenants, and your data is never used to train models that serve other customers.
- Billing: To charge your subscription via Stripe and send invoices and receipts.
- Service communications: Transactional emails (onboarding, alerts, account notices). We do not send marketing emails without your consent.
- Product improvement: Aggregated, de-identified usage analytics to prioritise features. You may opt out of analytics via account settings; this does not affect the service.
Where your data is stored
All customer data is stored on Amazon Web Services (AWS), Sydney region (ap-southeast-2). We do not transfer your personal data outside Australia except as described under “Third parties” below (where those processors operate internationally under appropriate safeguards).
At rest: DynamoDB tables and S3 buckets are encrypted with AWS-managed keys (AES-256).
In transit: All connections use TLS 1.2 or higher.
Third parties we share data with
We share data only with the processors listed below, and only to the extent necessary for the purpose stated. We do not sell personal information.
| Provider | Purpose | Their privacy policy |
|---|---|---|
| Stripe | Payment processing and subscription management | stripe.com/au/privacy |
| Microsoft Graph | M365 inbox sync (OAuth-authorised by you) | privacy.microsoft.com |
| Xero | Invoice and contact data sync (OAuth-authorised by you) | xero.com/au/legal/privacy |
| Anthropic Claude | LLM inference for inbox classification and reply drafting | anthropic.com/privacy |
| PostHog | Product analytics (usage events) | posthog.com/privacy |
| Sentry | Error tracking and performance monitoring | sentry.io/privacy |
How long we keep your data
- Active accounts: Data is retained for as long as your account remains active.
- After cancellation: Your data is held for 90 days to allow account recovery. After that period, all personal and business data is permanently deleted from our systems.
- Audit and billing logs: Financial transaction records are retained for 7 years to comply with Australian tax and regulatory obligations. These logs contain minimal personal data (name, email, billing amounts).
Your rights under the Australian Privacy Act 1988
Under the Australian Privacy Principles, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or out-of-date information.
- Erasure: Request deletion of your personal information (subject to our legal retention obligations).
- Complaint: Lodge a complaint with us in the first instance via our contact form, and if unresolved, with the Office of the Australian Information Commissioner (OAIC).
To exercise any of these rights, submit a request via our contact form. We will respond within 30 days.
Cookies and analytics
Vela uses a first-party session cookie to maintain your authenticated session. This cookie is strictly necessary and cannot be opted out of while using the product.
For product analytics, we use PostHog in cookieless mode where supported, to respect browser privacy settings. PostHog analytics can be disabled entirely in your account settings without affecting core functionality.
AI processing notice
Vela uses Anthropic Claude to classify incoming emails and draft reply suggestions. When processing your inbox content, data is transmitted to Anthropic under their zero-retention API agreement— meaning Anthropic does not store your data beyond the duration of the API call, and your data is never used to train Anthropic’s models.
AI-generated drafts are suggestions only. You review and approve every action before Vela sends anything on your behalf.
Children
Vela is a business productivity tool not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided personal information through our platform, reach out via our contact form and we will promptly delete it.
Changes to this policy
We will notify you of material changes to this Privacy Policy at least 30 days before they take effect, by email and/or by a prominent notice in the Vela product. For non-material changes (e.g. clarifications), we will update the “Last updated” date and publish the revised policy at getvela.au/privacy.
Contact us
For privacy enquiries, access requests, or complaints:
Online: getvela.au/contact
Post: Starboard Solutions Pty Ltd, Sydney NSW, Australia