Security & Compliance
This page explains how we secure the VeloxHub by ZEOUR LTD platform and how we meet our privacy obligations. It covers all three application layers we operate: the public website (Next.js static site), our Node.js proxy API, and our Laravel backend. We aim to be clear, compliant, and keep customers informed.
Data We Process & Purpose
- Account & registration: name, email, phone, company; used to create subscriptions and provide services.
- Billing: email, plan, totals, Stripe session/reference; we do not store card PAN/CVV. Card data is handled by Stripe.
- Contact requests: message content and reply details to respond to enquiries.
- Operational logs: minimal request metadata for reliability and abuse prevention, retained for a short period.
- Optional AI chat: user prompts and context are relayed to OpenAI strictly to fulfil the request; API data is not used to train OpenAI models by default (per OpenAI API policy).
GDPR Legal Bases (Art. 6)
- Contract: to create accounts, deliver subscriptions, and process payments.
- Legitimate interests: securing the service, preventing fraud, service quality, usage analytics that do not identify you.
- Consent: marketing communications where applicable, and optional AI chat where required by local law.
Your Rights (EU/UK GDPR)
You can exercise the following rights, subject to applicable law:
- Access, rectification, erasure, and restriction of processing.
- Objection to processing and the right to data portability.
- Withdrawal of consent where processing is based on consent.
- Right to lodge a complaint with your supervisory authority.
To make a request, contact info@zeour.co.uk. We may ask to verify your identity.
Cookies & Local Storage
- proxy_digest (httpOnly, first‑party): lightweight session token issued by the proxy to protect selected endpoints.
- selectedLanguage (first‑party): remembers your language preference; also mirrored to localStorage.
- Stripe may set cookies during hosted checkout to ensure payment security and fraud prevention; see Stripe’s policy.
We present a cookie banner so you can accept all or reject non‑essential cookies and the optional third‑party lookups they enable (GeoIP localization and exchange‑rate conversion). Strictly necessary cookies remain active.
Sub‑processors
We carefully select vendors and ensure appropriate data protection commitments.
- Stripe (payments): processes payment information and receipts. Card data never touches our servers.
- OpenAI (optional AI relay): processes chat prompts for responses. API data is not used to train models by default.
- Email/SMTP provider: used to send transactional messages (order confirmations, support replies).
- Hosting & CDN: hosts our application infrastructure.
- ipapi.co (GeoIP; optional): determines approximate country to localize language/currency.
- open.er‑api.com (exchange rates; optional): converts displayed prices to local currency.
International Transfers
Where data is transferred outside the UK/EU, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, for transfers from the UK, the UK International Data Transfer Agreement or UK Addendum to the SCCs, and implement encryption in transit and at rest where applicable. Vendors are assessed for security and privacy posture.
Security Controls
- TLS for data in transit; encryption at rest for databases, backups, and secrets where supported.
- Input validation server‑side; request signing and token checks on sensitive endpoints.
- Regular patching, dependency monitoring, and vulnerability management.
- Backups with periodic restore tests and integrity checks.
- Logging and alerting for anomalous activity; rate limiting on critical flows.
Data Minimization
We collect only what we need for account creation, billing, and support. For efficient lookup and fraud prevention we store contact identifiers alongside hashed values. Operational logs are retained for a limited period.
Retention
- Contact enquiries: typically up to 24 months to support follow‑ups.
- Operational logs: typically 30–90 days unless needed for security or legal reasons.
- Order and billing records: retained as required by tax and accounting laws.
Data Processing Agreement (DPA)
We offer a DPA for customers who require one. Please reach out at info@zeour.co.uk.
Incident Response & Notifications
We maintain runbooks to detect, triage, and remediate incidents. If a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify affected customers and regulators as required by law (under UK/EU GDPR, the supervisory authority within 72 hours of becoming aware of the breach where feasible, and affected individuals without undue delay where the risk is high).
Your Controls
- Request export or deletion of your personal data (subject to legal obligations).
- Configure role‑based access and follow least‑privilege for your users.
- Contact us to execute a DPA and discuss data residency options.
Responsible Disclosure
Found a security issue? Please report it responsibly to info@zeour.co.uk with details to reproduce. We investigate all reports and appreciate the community’s help in keeping our users safe.
See also our Privacy Policy and Terms of Service for more information.