Help Sign in Get started
Velo for advertisers
Protect
Cookie banner Consent Mode v2 Audit log
Recover
Lost conversions Region rules Modelled conversions
Manage
Admin dashboard Vendor list Migration
Read the docs How Velo works
Velo for agencies
Roll out
One dashboard Client domains White label
Earn
Partner programme Revenue share Referrals
Support
Onboarding Playbooks Priority support
Become a partner Talk to us
Legal

GDPR & data processing

Last updated 25 June 2026 · Velo, a product of AmplioData OÜ

This page explains how Velo supports your obligations under the GDPR and similar laws. When Velo runs on your site, you are the controller and AmplioData OÜ is your processor for the consent records Velo keeps. It is not legal advice.

1. Roles

You decide why and how your visitors' data is used, so you are the controller. Velo processes consent records only on your instructions and only to provide the service, so we are the processor. You remain responsible for your own privacy notices and for the lawful basis on which your tags run.

2. What we process

For each visitor choice, Velo records a pseudonymised consent log: the choice made, a coarse region read from the request country at the edge, and a timestamp. Velo does not collect names, email addresses or other directly identifying data to do its job, and it performs no third party geolocation lookup.

3. Where it is processed

Velo runs on Cloudflare Workers and storage at the edge. Where you configure it, processing stays within the EU. Records are pseudonymised, held at the edge, and kept for the retention window you choose.

4. Security

We hold ISO/IEC 27001 certification for our information security management system (certificate AMPLIO-ISO-CONFIRM, issued by CONFIRM-BODY). On top of that we protect consent data with pseudonymisation, encryption in transit, and access controls, and only the people who need access to run the service have it.

5. Subprocessors

We keep the list of subprocessors short and meaningful:

SubprocessorRoleRegion
Cloudflare, Inc.Edge compute and storage that run the Velo consent layer and host this website.Global edge, EU where configured

Cloudflare is our only subprocessor today. Before we onboard paying customers we will add our billing and email providers here. If we add or change a subprocessor, we will update this list and give you reasonable notice so you can object.

6. Helping you with data subject requests

If one of your visitors asks to see, change or delete their data, we will help you respond. Because consent records are pseudonymised, they usually cannot be tied back to a single person, which limits what can be retrieved.

7. Your obligations

  • Publish your own privacy and cookie notices and keep them accurate.
  • Obtain consent where the law requires it, and configure Velo's regions and categories to match.
  • Only connect tags and vendors you have a lawful basis to use.

8. International transfers

Where data moves outside the EU through a subprocessor, it is covered by the European Commission's standard contractual clauses, and by the EU–US Data Privacy Framework where the provider is certified under it. Cloudflare, our edge provider, processes data under these mechanisms.

9. Data processing agreement

We provide a data processing agreement that puts these commitments into a binding contract under Article 28 of the GDPR. We put it in place with you before we process personal data on your behalf. Request one at hello@veloconsent.com.

Need a DPA or a security review?

Email hello@veloconsent.com and we will send what you need.

This page is written in plain language and is not legal advice.
Consent saved