Privacy Policy
This explains what Velanto collects, why, who else sees it, and how long it stays. It is more detailed than most policies because the honest answers are more interesting than the usual ones.
Last updated: 2026-07-17
The short version
The detail is below, but if you read only this much:
We collect what you give us and what the site needs to work. Nothing else.
No ads, no analytics, no tracking, no profiling. Nothing is sold to anyone.
We do not store your IP address.
If you are not logged in, your play is still counted, but it is saved with nothing that links it to you.
You can export your data, or delete your account, yourself — buttons in settings, no request needed.
Deleting your account does not erase everything you ever wrote. What survives, and in what form, is listed below.
Who is responsible for your data
Velanto is run by one independent developer based in Ukraine. That person decides what is collected and why, which makes them the data controller. There is no company, no data protection officer, and no team — just an inbox: support@playvelanto.com. The rights described in this policy are given to everyone who uses Velanto, wherever you live. We do not check your country first and we do not give some users fewer rights than others.
What we collect
Almost all of it is something you typed:
Account — your email address, username, and password. The password is hashed with argon2, which means we cannot read it and it is never included in an export.
Profile — your bio and avatar, if you add them.
What you make — packs, comments, votes, reports and feedback.
Plays — which packs were played and what was picked. Tied to your account only when you are logged in; a signed-out play is saved with no player attached to it.
Follows, notifications, and any API tokens you create — for a token we keep its name, the scopes you gave it, when it expires and when it was last used, never the token itself.
The version of the Community Rules you accepted when you registered, and any moderation flags on your account — whether we have marked you trusted, and whether you are banned and why.
Technical — a login session, and a crash report if something breaks.
Why we use it, and our legal basis
Every use has a reason and a legal basis. We are naming them because a policy that does not is hiding something:
Running your account, showing your content, and letting you play — because that is our agreement with you (performance of a contract, GDPR Art. 6(1)(b)). Without this data there is no account.
Sending your verification code and any password-reset code — the same reason. You asked for the account; it cannot work otherwise.
Moderating content, handling reports, keeping the service secure, and logging what staff do — because we, and everyone else using Velanto, have a legitimate interest in a service that is not abused (Art. 6(1)(f)).
Receiving crash reports — a legitimate interest in a service that works (Art. 6(1)(f)).
Keeping something because a law requires it (Art. 6(1)(c)).
We do not ask your consent for any of this, and you should be suspicious of us if we did: consent is not what we rely on. Your account is a contract, and everything else rests on legitimate interests — which you can object to at any time, as described further down.
If you are not logged in, we do not know who you are
You can browse and play packs without an account. Your play does count toward the pack’s public stats, but it is saved with no player attached: no account, no name, nothing that links it back to you. It never appears in anyone’s play history, because there is nothing to attach it to. If you are signed in, your play is saved with your account instead, and you can hide your play history from other people in your settings.
What we do not do
This list is as much a part of the policy as the rest:
No advertising, and no ad networks.
No analytics. Not Google Analytics, not a privacy-friendly alternative, not anything. We do not measure you.
No profiling and no personalized feed. What is popular is popular for everyone, calculated the same way for every viewer.
No special-category data. We never ask your date of birth, gender, location, politics, religion, or health, and there is nowhere to put them.
No IP address stored. Our server does not log requests and there is no IP column in the database. Rate limiting holds an address in memory for sixty seconds and then forgets it. Cloudflare, which passes traffic to the site, does see visitors' addresses — see the list of processors below.
Fonts are served from our own server, so loading a Velanto page tells Google nothing.
Cookies and what is stored in your browser
There is no cookie banner. Everything stored is either needed to make the site work or is a setting you chose, and none of it follows you to other websites — so there is nothing here we would ask you to opt into. One honest note before the list: the login cookie lasts 30 days rather than clearing when you close the browser, and reasonable people think a cookie that persistent should be your choice rather than our default. We think so too, and a "keep me signed in" option is on our list. Here is the complete list:
Your login cookie — this is what keeps you signed in. It lasts 30 days and it survives closing your browser, so on a shared computer, log out rather than just closing the tab. JavaScript cannot read it.
NEXT_LOCALE — your interface language. One year.
velanto:accent, velanto:streamer-mode, velanto:pack-filters — display settings you chose. They never leave your browser.
velanto:last-play — your picks from the pack you just played, so the result screen can show them. Cleared when you close the tab.
velanto:otp-sent — a sixty-second timer that stops you requesting another code too quickly. It holds a scrambled fingerprint of the address rather than the address itself, and expired entries are dropped the next time the page reads or writes the timer.
Your access token is kept in memory only. It is never written to disk.
YouTube embeds — the one place a third party sees you
Packs can embed YouTube videos, and we keep YouTube at arm's length as far as we can — no player is built when the page loads, only a still image. Three things are still worth knowing. That still image is fetched from YouTube's servers, so YouTube sees a request whenever a pack containing a video is displayed. The player then loads as soon as your pointer passes over the video — you do not have to click, though tapping does the same on a phone — and from that moment YouTube receives your request directly and can set its own cookies. And if you paste a YouTube link while making a pack, your browser asks YouTube for the video's title. What YouTube does with any of that is governed by Google's privacy policy, not ours. This is the only part of Velanto where another company can observe you.
Images you upload
Uploaded images pass through our server to Amazon S3 in Frankfurt, and are delivered through CloudFront. Three things are worth knowing:
We strip metadata. Your camera model and any GPS coordinates in the original file are removed when we re-encode the image — they never reach storage.
The URL is public. Anyone with the link can open the image without logging in, including before a moderator has seen it. The link is unguessable, but it is not secret. Treat anything you upload as public.
We do not scan images automatically for malware or adult content. A person reviews them as part of pack moderation.
Who else touches your data
Four companies, each doing one job. This is the complete list — nobody else receives anything:
Amazon Web Services (S3 and CloudFront) — stores and delivers uploaded images. Frankfurt, in the EU.
Amazon SES — sends the only two emails we send. Each contains a six-digit code and nothing else: no username, no link, no IP address.
Sentry — receives a report when something crashes. Germany, in the EU. A report carries your user id and username, plus a short trail of what you had just done: the pages you visited, what you clicked, and which addresses the app called (some of which name a pack). It does not carry your email address, your cookies, or what you typed, and there is no video-style session recording. One limit on that promise: like any server your browser talks to, Sentry's sees the connection itself, so it can observe the address you connect from even though we never put it in the report.
Cloudflare — DNS, and the traffic to the site passes through it. Like any provider sitting in front of a website, it sees the address every visitor connects from. We do not receive it and we do not store it, but we will not pretend it is invisible to everyone.
Where your data is
Storage and error reporting are in the EU: S3 in Frankfurt, Sentry in Germany. CloudFront and Cloudflare deliver from locations around the world, which is how any website loads quickly, so a copy of a page or an image can sit briefly on a server outside the EU. Those two run on their providers' standard data-protection terms, which is the safeguard we rely on for it. The person who runs Velanto is in Ukraine and can access the data — that is unavoidable when one person runs a service, and you should know it rather than guess it.
How long we keep things
This is the section most policies get wrong, so read it. Most of your data does not disappear when you leave — it is detached from your name instead, so that the site still makes sense to everyone else. Precisely:
Your account, profile and avatar — until you delete the account. Then 30 days. Then gone.
Your packs — deleted with your account. Be aware this also deletes other people's comments, votes and plays on them.
Your comments — kept, with your name removed. The text stays so that conversations still make sense to the people who were in them.
Your feedback posts — the same: kept, detached from you.
Your votes — kept as numbers with no name attached, so that pack scores stay correct.
Your play records — kept, detached from you.
The action log — kept indefinitely, and it survives your account being deleted. It records moderation decisions: bans, pack approvals, and a staff member taking down something that is not theirs. Editing or deleting your own pack or your own comment is not recorded. Keeping the moderation entries is the entire point of it: being the subject of a moderation action does not let you erase the record of it. If you were staff, deleting your account takes your name off the entries you made, but not the entries themselves.
Verification and password-reset codes — deleted the moment they are used, an hour after they expire if you never use them, and with your account if one is still in flight when you leave.
Login sessions — they stop working when they expire, and we delete the expired ones within the hour.
In one line: deleting your account removes you from Velanto and unlinks your name from what you left behind. It does not erase everything you ever wrote.
Deleting your account
It is a button in your settings, and you need your current password to use it. Then:
Your account stops working straight away.
For 30 days you can undo it — just log in again and it comes back. This is deliberate: it protects you from a bad moment, or from someone else getting into your account and deleting it.
After 30 days a nightly job destroys it for good, following the list above.
One thing worth knowing: for up to fifteen minutes after you delete your account, a sign-in token already issued to your browser still works. That is how the technology works rather than an oversight — the token is a signed note with an expiry, not a key we can reach out and break. Everything else stops immediately.
Moderation, reports, and the audit log
We record moderation decisions — a staff member approving a pack, banning someone, resolving a report, or taking down something that is not theirs — noting who did it and what they did, and we keep it (see how long, above). Editing or deleting your own pack or your own comment is not recorded at all. One part of this deserves to be said out loud rather than buried:
Reports are not anonymous to moderators. If you report a pack or a person, the moderator handling it sees your username. The person you reported does not.
Your rights
You have all of these, wherever you live, and you do not have to email us to use the first four:
See your data — settings has an export button. It produces a file immediately: your account and profile, your packs in full (every pool, item and round, so you can rebuild them elsewhere), your comments, votes, plays, feedback, follows, the reports you filed, your notifications and their settings, your API tokens, your sign-in sessions, and any moderation flags on your account. No request, no waiting, no identity check.
Correct it — edit your profile and your content directly.
Delete it — settings has a delete-account button, described above.
Take it elsewhere — that is the same export, as a JSON file.
Ask us to pause — if you think our data about you is wrong, or you have objected and we are still thinking about it, you can ask us to stop using it in the meantime while leaving it in place. Write to support@playvelanto.com.
Complain — see below.
Two things the export deliberately leaves out, and always will: your password and the secret half of any API token. We cannot include them because we do not have them — both are stored only as hashes we cannot reverse. Everything else we hold about you is in the file.
If you want something the buttons do not do, write to support@playvelanto.com. We answer within 30 days.
Your right to object
You have the right to object, at any time, to any use of your data that rests on our legitimate interests — that means the moderation, the security measures, the audit log and the crash reporting described above. Write to support@playvelanto.com. You do not need to give a reason and it costs nothing. If you object, we stop, unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms. This right is separate from everything else in this policy, which is why it has its own section.
Complaining about us
Tell us first — support@playvelanto.com — and we will genuinely try to put it right. You do not have to, though. You can complain directly to a data protection authority: in the EU or EEA, that is the authority where you live, where you work, or where you think the problem happened, and the list is at edpb.europa.eu. In Ukraine, it is the Ukrainian Parliament Commissioner for Human Rights.
If you are under 16
You need to be 16 to have a Velanto account, and you confirm that you are when you register. We take your word for it: we do not ask for proof, we do not collect your date of birth, and we do not try to guess your age from anything. If we find out an account belongs to someone under 16, we close it and delete it. If you are a parent and you think your child has an account here, write to support@playvelanto.com and we will remove it.
Security
Passwords are hashed with argon2 — we cannot read yours, and it is never exported. Login sessions use single-use tokens: each time one is used it is revoked and replaced, so a stolen token has a short life. The site sets standard security headers, and one that switches off the browser's advertising-topics API. No system is perfectly secure and we will not pretend otherwise. Velanto is run by one person, and you should weigh that when deciding what to put here.
Changes to this policy
We will update this as Velanto changes. When a change matters to you, we will tell you before it takes effect and update the date at the top. If you do not like a change, you can delete your account at any time, for free.
Language
This policy was written in English, and the English version is the one that governs. The other translations are machine-made and offered to help you read it. If a translation and the English disagree, the English text is the one that counts.
Contact
Anything in this policy, including every right listed above: support@playvelanto.com. One person reads that inbox, and they wrote this page.