Privacy Policy
Last updated: 17 July 2026
This Privacy Policy explains how Vellum AI Group Ltd handles personal data in connection with Vellum Search at search.vellumintel.com, including its website, searchable database, accounts, subscriptions, application programming interface (“API”), Model Context Protocol interface (“MCP”), notifications and related services (together, the “Service”).
We do not use personal data for third-party advertising, cross-site tracking or marketing profiles.
1. Who we are
Vellum Search is operated by Vellum AI Group Ltd, a company registered in England and Wales under company number 17129362.
For data-protection purposes, Vellum AI Group Ltd is generally the controller of personal data processed in connection with the Service.
You can contact us about privacy matters at [email protected].
2. Scope and data-protection roles
This Policy covers:
- visitors to the Service;
- account holders and authorised users;
- prospective and current customers;
- people who contact us;
- people identified in official public records included in the corpus; and
- other individuals whose personal data is processed in connection with operating and securing the Service.
Where a business customer submits personal data through a search query, API request or other Customer Content and determines why that data is processed, the customer may be the controller and Vellum may act as its processor. In those circumstances, the customer’s privacy policy applies to its processing, and we assist the customer in accordance with our contractual data-processing obligations.
Vellum remains a controller for account administration, billing, security, service operation and the selection and presentation of the public regulatory corpus.
3. Personal data we collect
The personal data we process depends on how you interact with the Service.
3.1 Account and organisation information
This may include:
- your email address;
- your name, where provided;
- your organisation and professional role;
- your Vellum and authentication-provider identifiers;
- your plan, account status and entitlements; and
- account preferences.
We use email verification codes for authentication. We do not ask you to create a Vellum password.
3.2 Authentication, device and security information
This may include:
- sign-in and verification events;
- session identifiers;
- IP address;
- browser and device information;
- operating system;
- approximate location derived from IP address;
- timestamps;
- security events; and
- information used to detect fraud, abuse or unauthorised access.
3.3 Subscription and billing information
This may include:
- subscription plan and status;
- billing name and address;
- customer and invoice identifiers;
- payment dates and amounts;
- invoice and transaction history;
- VAT or tax information;
- limited payment-method details; and
- payment-failure, fraud-prevention and risk information.
Payments are processed by Stripe. We do not ordinarily receive or store full payment-card details.
3.4 Service-use information
This may include:
- search and API request counts;
- request timestamps;
- API-key identifiers and status;
- rate-limit and entitlement events;
- saved searches;
- notification preferences;
- webhook and integration configurations;
- records opened or downloaded;
- search queries and API request content where needed to provide, secure, support or troubleshoot the Service;
- diagnostic information;
- error reports; and
- operational and security logs.
We may create aggregated or anonymised statistics that no longer identify an individual.
3.5 Communications
This may include:
- support requests;
- billing correspondence;
- feedback;
- account and service communications;
- privacy enquiries;
- rights requests; and
- data-protection complaints.
3.6 Personal data in official public records
The corpus is not designed as a directory of individuals. However, official regulatory records may contain personal data, including:
- names;
- professional or public roles;
- professional contact information;
- statements, decisions or findings relating to identifiable people;
- information contained in legislation, judgments, registers, notices and official publications;
- enforcement or sanctions information; and
- information concerning proceedings, allegations or offences where published by an official source.
Some official records may contain special-category or criminal-offence information. Where an additional legal condition is required to process such information, we process it only where an applicable condition under the UK GDPR and Data Protection Act 2018 is available.
4. Where personal data comes from
We obtain personal data:
- directly from you;
- from the organisation that provides or administers your access;
- automatically from your browser, device and interaction with the Service;
- from authentication, payment, hosting, security and infrastructure providers;
- from correspondence with you;
- from official public authorities, courts, legislatures, regulators, registers and other official sources; and
- from publicly available official websites, feeds, repositories and documents.
Each corpus record is intended to retain provenance information or a link to its official source.
5. How and why we use personal data
We process personal data for the following purposes and lawful bases.
5.1 Providing the Service
We use personal data to:
- create and administer accounts;
- authenticate users;
- provide search, API, MCP and notification functions;
- manage subscriptions and plan entitlements;
- respond to support requests; and
- communicate about the Service.
Where the user is personally party to the subscription, the lawful basis is performance of a contract.
Where the customer is an organisation and the user is its employee, contractor or representative, the lawful basis is generally our legitimate interests in providing and administering a business service for that organisation.
5.2 Billing and financial administration
We use billing and transaction information to:
- process subscriptions;
- manage invoices and failed payments;
- maintain financial records; and
- meet accounting and tax requirements.
The lawful bases are performance of a contract, compliance with legal obligations and our legitimate interests in administering payments and protecting our financial position.
5.3 Security, fraud prevention and acceptable use
We use account, device, network and usage information to:
- secure accounts and API credentials;
- detect unauthorised access;
- prevent fraud and abuse;
- enforce usage limits and acceptable-use rules;
- investigate incidents; and
- protect the availability and integrity of the Service.
The lawful basis is our legitimate interests in operating a secure and reliable business service and protecting Vellum, its customers and third parties.
5.4 Operating and improving the Service
We use service-use and diagnostic information to:
- provide requested functions;
- measure usage against plan entitlements;
- identify faults;
- maintain performance;
- improve search relevance and usability; and
- plan capacity and technical changes.
The lawful bases are performance of a contract and our legitimate interests in maintaining and improving the Service.
We do not use this information for third-party advertising or cross-site behavioural profiling.
5.5 Communications and legal compliance
We use personal data to:
- send essential account, security, billing and service notices;
- respond to enquiries, rights requests and complaints;
- comply with legal and regulatory requirements;
- respond to lawful requests from authorities;
- establish, exercise or defend legal claims; and
- maintain records demonstrating compliance.
The lawful bases are performance of a contract, compliance with legal obligations and our legitimate interests in managing communications and protecting our legal rights.
5.6 The public regulatory corpus
We process personal data appearing in official public records to:
- collect and organise the regulatory record;
- provide searchable and provenance-linked regulatory information;
- prepare summaries and metadata;
- preserve the legal and historical context of official actions; and
- help business and professional users identify relevant official sources.
The lawful basis is our legitimate interests in operating a reliable regulatory-information service and enabling efficient access to official public material.
We consider this processing proportionate because:
- information is obtained from identified official public sources;
- personal data is retained in its regulatory, legal or professional context;
- records include or link to source provenance;
- the Service is intended for business and professional research;
- the corpus is not used to profile people for advertising; and
- individuals may contact us to raise a correction, objection or other rights request.
We generally do not contact every person mentioned in an official record individually. Where providing individual notice would be impossible or involve disproportionate effort, and applicable law permits us to rely on that exception, we instead make this Policy publicly available and maintain provenance to the relevant official source.
6. Sharing personal data
We disclose personal data only where reasonably necessary for the purposes described in this Policy.
6.1 Service providers
We use service providers including:
- Clerk, for authentication, email verification and session management;
- Stripe, for payment processing, subscription administration, invoicing and fraud prevention;
- Cloudflare, for domain, network, content-delivery and security services;
- Hetzner, for application and infrastructure hosting in Germany and Finland; and
- communications and technical providers used to send service messages, operate infrastructure and provide support.
These providers may process account, device, network, transaction or service-use information depending on the function they provide.
Some providers act as processors on our instructions. A provider may also act as an independent controller for certain activities it carries out for its own legal, security, fraud-prevention or service-administration purposes. Its own privacy policy applies to that independent processing.
6.2 Other recipients
We may also disclose personal data:
- to personnel and contractors who need it to operate or support the Service and are subject to confidentiality obligations;
- to accountants, lawyers, insurers, auditors and other professional advisers;
- to courts, regulators, law-enforcement bodies or public authorities where disclosure is required or permitted by law;
- where reasonably necessary to prevent fraud, abuse, security incidents or harm;
- in connection with a merger, financing, restructuring, acquisition or sale of all or part of our business, subject to appropriate safeguards; or
- where you have authorised the disclosure.
We do not sell personal data or disclose it to third parties for their own advertising.
7. Cookies and similar technologies
The Service uses cookies and similar storage or access technologies that are necessary to:
- authenticate users;
- maintain sessions;
- secure accounts and transactions;
- prevent fraud;
- remember user-requested settings; and
- provide payment and account-management functions.
We do not currently use non-essential advertising cookies or cross-site behavioural trackers on the Service.
Stripe-hosted checkout or billing pages and Clerk authentication functions may use necessary cookies and similar technologies under their respective privacy and cookie policies.
Where a technology is strictly necessary to provide a function you request, consent is not required, but we still provide information about its use. If we introduce a technology for which consent is legally required, we will request consent before using it.
8. International transfers
Vellum is established in the United Kingdom. Our providers and their subprocessors may process personal data in the United Kingdom, European Economic Area, United States and other countries in which they operate.
Where personal data is transferred outside the United Kingdom to a country that is not covered by applicable UK adequacy regulations, we use an appropriate transfer mechanism where required, which may include:
- the UK Extension to the EU–US Data Privacy Framework for eligible participating organisations;
- the UK International Data Transfer Agreement;
- the UK Addendum to the European Commission’s standard contractual clauses; or
- another lawful transfer mechanism.
We may also apply contractual, organisational and technical safeguards appropriate to the transfer.
You may contact us for further information about the safeguards relevant to a particular transfer.
9. Retention
We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including legal, accounting, security and dispute-resolution requirements.
Our general retention approach is:
- Account information: for the life of the account and then deleted or anonymised within a reasonable period after closure, subject to the exceptions below.
- Authentication information: according to operational and security requirements and the retention cycles of our authentication provider.
- API credentials: until revoked, replaced or the account ends, after which active credentials are disabled.
- Usage and technical records: for as long as needed for metering, security, troubleshooting, abuse prevention and legal claims.
- Billing, invoice and tax records: generally for six years after the end of the relevant financial period, or longer where required by law.
- Support correspondence: for as long as needed to resolve the matter and maintain an appropriate business record.
- Rights requests and privacy complaints: for as long as reasonably necessary to respond, demonstrate compliance and manage related legal claims.
- Security and incident records: for as long as reasonably necessary to investigate the incident, prevent recurrence and establish or defend legal rights.
- Official public records: for as long as the record remains relevant to the regulatory corpus or its legal or historical context, subject to correction, restriction or removal where required by law.
- Backups: until overwritten through the ordinary protected-backup cycle.
- Anonymised statistics: may be retained indefinitely where they can no longer identify an individual.
We may retain limited information for longer where required by law, necessary for fraud or security prevention, or relevant to an actual or reasonably anticipated dispute.
10. Account deletion
You may delete your account through the account page or request deletion by emailing [email protected].
Deleting an account:
- ends access to the Service;
- revokes or disables active API credentials;
- cancels or removes user-controlled saved functions where applicable; and
- initiates deletion of personal data that we no longer need.
Deletion does not necessarily remove all information immediately. We may retain limited information where required for:
- accounting and tax records;
- payment and fraud-prevention obligations;
- security and incident records;
- legal claims;
- compliance records; or
- protected backups awaiting ordinary deletion.
Stripe and other independent controllers may retain information under their own legal obligations and privacy policies.
Deleting an account does not remove an official public record from the corpus merely because the account holder previously accessed it.
11. Security
We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss or destruction.
These measures may include access controls, authentication, encryption in transit, restricted administrative access, logging, monitoring and provider security controls.
No online service can guarantee absolute security. You are responsible for maintaining control of your email account, devices and API credentials and for notifying us promptly if you suspect compromise.
12. Your rights
Depending on the circumstances and the lawful basis we rely on, you may have the right to:
- receive information about how we use your personal data;
- access personal data we hold about you;
- have inaccurate or incomplete information corrected;
- request erasure of your personal data;
- request restriction of processing;
- object to processing based on legitimate interests;
- receive certain data in a portable format;
- withdraw consent where processing is based on consent; and
- complain about how your personal data has been handled.
These rights are not absolute. For example, we may retain information where required by law or where necessary to establish, exercise or defend legal claims. We may also preserve an accurate official or historical public record where applicable law permits.
To exercise a right, email [email protected]. We may need to verify your identity and clarify your request.
We normally respond within one month, subject to any lawful extension for a complex request or multiple requests.
If personal data was submitted by an organisation that controls it, we may refer your request to that organisation or assist it in responding.
13. Corrections and objections concerning official records
If you believe that:
- a Vellum summary or classification is inaccurate;
- an official record has been corrected, withdrawn or superseded;
- personal data has been associated with the wrong person;
- continued presentation of personal data is unlawful or disproportionate; or
- your rights have otherwise been affected,
you may contact [email protected] and identify the relevant record and official source.
We will assess the request in context. Depending on the circumstances, we may:
- correct Vellum-created metadata or summaries;
- add an update or qualification;
- update the official-source link;
- restrict or remove material where legally required; or
- retain the record where necessary to preserve an accurate official, legal or historical record.
We cannot alter the content held by the original public authority. Requests to amend the authoritative record may need to be made directly to that authority.
14. Privacy complaints
You may make a complaint about our handling of personal data by emailing [email protected] with “Privacy complaint” in the subject line.
We will:
- provide a clear means of making the complaint;
- acknowledge it within 30 days of receipt;
- take appropriate steps to investigate it without undue delay;
- keep you informed where appropriate; and
- tell you the outcome without undue delay.
You may also complain to the Information Commissioner’s Office, the United Kingdom’s data-protection supervisory authority.
We would appreciate the opportunity to address your concerns directly before you approach the ICO, but you are not required to contact us first.
15. Automated decisions
We do not use personal data to make solely automated decisions about Service users that produce legal effects or similarly significant effects.
Search ranking, metering, fraud signals and security controls may involve automated processing, but material account enforcement decisions are subject to appropriate review where required.
16. Children
The Service is intended for users aged 18 or over. It is not directed at children, and we do not knowingly create accounts for children.
If you believe that a child has provided personal data through the Service, contact us at [email protected].
17. Changes to this Policy
We may update this Policy to reflect changes to:
- the Service;
- our providers or data practices;
- applicable law;
- regulatory guidance; or
- security and technical requirements.
If a change materially affects how we use personal data, we will provide reasonable notice by email or through the Service where appropriate.
The date at the top shows when this Policy was last updated.
18. Contact
For privacy questions, rights requests, corrections or complaints:
Vellum AI Group Ltd
Email: [email protected]
Company number: 17129362
Registered in: England and Wales