Privacy Policy

VeloxScript ("we", "us", "our") operates the website veloxscript.comand provides a Software-as-a-Service platform for managing JavaScript and CSS deployments to GoHighLevel sub-accounts (the "Service"). This Privacy Policy describes what information we collect, how we use it, and the choices you have about that information.

Account information. When you create an account, we collect your name, email address, and a hashed representation of your password (we never store plaintext passwords). You may optionally provide a workspace name.

Payment information. Payments are processed by Stripe, Inc. We do not store credit card numbers, CVV codes, or bank account details ourselves. Stripe provides us with a non-sensitive customer identifier, subscription status, and billing period metadata so we can determine your plan entitlements.

GoHighLevel integration data. When you connect a GHL agency, you provide us with a Private Integration Token. We encrypt this token at rest using AES-256-GCM before storing it. We use the token exclusively to (a) fetch the list of sub-account locations under your agency and (b) display them in our dashboard. We do not read, modify, or delete any content inside your GHL sub-accounts.

Content you create. When you create a script, we store the title, description, JavaScript body, CSS body, assignment rules, version history, and associated metadata. Scripts are workspace-scoped; members of one workspace cannot see scripts in another.

Loader request metadata.When your installed loader fetches scripts for a GHL page, we receive the install token, the GHL location identifier, and a timestamp. We use this solely for rate limiting, debugging, and service operation. We do not log or retain end-user data from your customers' sites.

Audit logs. We keep an internal record of significant actions taken in your workspace (script created, script published, location added, etc.) for security and troubleshooting purposes.

Automatically collected technical data. When you visit the Service, our servers log your IP address, browser type, pages visited, and timestamps. We use this for rate limiting, security monitoring, and product analytics.

• To provide, maintain, and operate the Service
• To process payments and manage subscriptions
• To authenticate you and secure your account
• To send transactional emails (welcome, password reset, billing notifications)
• To detect, prevent, and address abuse, fraud, or security incidents
• To improve the Service through aggregate, anonymized analytics
• To comply with legal obligations

We do not sell your personal information to third parties. We do not use your information for targeted advertising.

We share information only with service providers who help us operate VeloxScript, and only to the extent necessary for them to provide their services. Our current providers include:

• Vercel — application hosting and content delivery
• Supabase — managed PostgreSQL database hosting
• Stripe — payment processing
• Resend — transactional email delivery
• Sentry — application error monitoring (we do not forward sensitive user data to Sentry)

Each of these providers is contractually required to protect your data and use it only for the purposes we direct. We may also disclose information when required by law, when necessary to investigate fraud or security issues, or in connection with a corporate transaction (merger, acquisition, sale of assets).

We keep your account and workspace data for as long as your account is active. If you delete your account, we delete your personal information within 30 days, except where we are required by law to retain it (for example, billing records for tax purposes).

Audit logs are retained for the lifetime of your workspace plus 90 days. Loader request logs are retained for up to 30 days.

If you are located in the European Economic Area, the United Kingdom, or California, you have specific rights regarding your personal data under GDPR, UK GDPR, or CCPA. These include:

• The right to access the data we hold about you
• The right to correct inaccurate data
• The right to delete your data ("right to be forgotten")
• The right to data portability
• The right to object to processing
• The right to withdraw consent

To exercise any of these rights, email privacy@veloxscript.com. We will respond within 30 days.

We use industry-standard security practices including encryption in transit (TLS 1.2+) and encryption at rest (AES-256 for sensitive tokens). Passwords are hashed with bcrypt (cost factor 12). No system is perfectly secure; if you have reason to believe your account has been compromised, contact us immediately at security@veloxscript.com.

VeloxScript is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

We may update this Privacy Policy from time to time. When we do, we will update the "last updated" date at the top of the page and, for material changes, notify you via email or an in-app notice.

Questions about this policy? Email privacy@veloxscript.com.