Veil is operated by:
Askus GmbH
c/o Vigor Trustees
Pflugstrasse 20
9490 Vaduz
Liechtenstein
For privacy inquiries: relations@veil.li
Askus GmbH is the data controller responsible for processing your personal data. As a Liechtenstein company, the Company is subject to Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") as incorporated into the EEA Agreement and transposed into Liechtenstein law, as well as Liechtenstein's Data Protection Act (Datenschutzgesetz, "DSG").
Veil is a private membership network. We collect and process a minimal amount of personal data, limited to what is necessary to:
Veil does not operate public profiles, public feeds, member lists, or social features. All member data is strictly confidential.
| Data Category | Purpose | Lawful Basis |
|---|---|---|
| Email address | Account creation, authentication, membership communications | Contract (Art. 6(1)(b)) |
| Password (hashed) | Authentication | Contract (Art. 6(1)(b)) |
| Motivation statement | Application review | Contract (Art. 6(1)(b)) |
| Referral code (if provided) | Referral tracking | Legitimate Interest (Art. 6(1)(f)) |
| Commitment tier selection | Recording deposit level | Contract (Art. 6(1)(b)) |
| IP address (SHA-256 hashed) | Rate limiting, fraud prevention | Legitimate Interest (Art. 6(1)(f)) |
| Firebase Auth UID | Account identification | Contract (Art. 6(1)(b)) |
| Application timestamps | Recording application lifecycle | Contract (Art. 6(1)(b)) |
| Terms acceptance timestamp | Evidence of consent | Legal Obligation (Art. 6(1)(c)) |
If you register or sign in using Google, Firebase Authentication provides the following additional data from your Google account:
| Data Category | Purpose | Lawful Basis |
|---|---|---|
| Full name (display name) | Identity verification, member identification | Contract (Art. 6(1)(b)) |
| Profile photo URL | Account personalization within the Service | Legitimate Interest (Art. 6(1)(f)) |
This data is transmitted to us by Firebase Authentication as part of the Google OAuth flow. You may update or remove your display name and photo through the Service or by contacting us.
Payment card data (card numbers, expiration dates, CVV) is never stored on Veil servers or in our databases. Payment processing is handled entirely by Stripe, our PCI DSS Level 1 certified payment processor. Stripe transmits only transaction confirmations to Veil (transaction ID, amount, timestamp, success/failure status).
We process your personal data under the following legal bases (Article 6 GDPR):
Role: Data processor
Services: Application hosting, authentication infrastructure, Firestore database
Data shared: Email, display name, profile photo URL (Google sign-in only), Firebase UID, application data, IP hash
Data location: europe-west6 (Zurich, Switzerland)
Role: Data processor for payment data; independent controller for payment fraud analytics
Services: Payment processing, fraud detection
Data shared: Email, transaction amount, commitment tier, IP address
Certification: PCI DSS Level 1
Firebase infrastructure is hosted in the europe-west6 region (Zurich, Switzerland). Switzerland is not a member of the European Economic Area (EEA). However, the European Commission has issued an adequacy decision recognizing that Switzerland provides an adequate level of data protection (Commission Decision 2000/518/EC, as updated). On this basis, personal data may be transferred to Switzerland without additional safeguards. Data processed in Zurich remains subject to Swiss federal data protection law (FADP/nDSG), which the European Commission has recognized as providing equivalent protection to GDPR.
Stripe processes payment data in the United States. The transfer of personal data to Stripe in the United States is governed by Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by Stripe's technical and organizational measures, including encryption of personal data in transit and at rest.
While Firebase data is hosted in Zurich, Google LLC as processor may access data from the United States for support and maintenance purposes. Google's data processing agreement incorporates Standard Contractual Clauses and supplementary measures in compliance with GDPR Chapter V requirements.
| Status | Retention Period | Details |
|---|---|---|
| Pending applications | 7 days | Applications awaiting payment confirmation are deleted after 7 days of inactivity |
| Active memberships | Duration of membership | Data retained while membership is active and necessary for service delivery |
| Terminated memberships | 7 years after termination | Retained as required for accounting, tax, and legal compliance under Liechtenstein law; then anonymized or deleted |
| Failed applications | 30 days | Applications with payment failures retained for 30 days, then deleted |
| Refunded applications | 90 days | Retained for 90 days for dispute resolution, then anonymized |
| IP address hashes | 90 days | Hashed IP data retained 90 days, then deleted |
| Financial records | 10 years | Transaction records retained as required by Liechtenstein commercial law (Art. 1045 PGR) |
Following membership termination (whether by you or by the Company), we retain your personal data only as follows:
After the applicable retention period, personal data is either permanently deleted from all systems (including backups within a reasonable timeframe) or irreversibly anonymized such that it can no longer be attributed to an individual.
Under GDPR, you have the following rights. To exercise any right, contact relations@veil.li. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
You may request a copy of the personal data we hold about you. Send a request to relations@veil.li with the subject line "Data Access Request".
You may request correction of inaccurate or incomplete personal data.
You may request deletion of your personal data where:
We may decline erasure requests where retention is necessary for compliance with a legal obligation, establishment or defense of legal claims, or performance of a contract to which you are a party. Where deletion is declined, we will explain the specific grounds.
You may request that we limit processing of your data while you contest its accuracy, challenge the lawfulness of processing, or have objected to processing pending verification.
You may request your personal data in a structured, commonly used, machine-readable format. Send a request to relations@veil.li with the subject line "Data Portability Request".
You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
You have the right to lodge a complaint with the relevant data protection authority:
Liechtenstein:
Datenschutzstelle (Data Protection Authority)
Aulestrasse 51
9490 Vaduz, Liechtenstein
www.datenschutzstelle.li
You may also lodge a complaint with the supervisory authority of the EU/EEA member state in which you reside or work.
Veil does not set first-party tracking cookies. No analytics pixels, advertising trackers, or behavioral profiling technologies are deployed by Veil directly.
| Service | Cookie Type | Purpose | Your Control |
|---|---|---|---|
| Firebase | Session / Functional | Authentication, session management | Browser cookie settings |
| Stripe | Functional / Security | Payment processing, fraud detection | Browser cookie settings |
These are strictly functional cookies. No advertising or behavioral tracking cookies are used.
Veil does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals (Article 22 GDPR). Rate limiting and fraud detection may use automated thresholds, but these are protective measures and do not result in application denial without human review.
We implement appropriate technical and organizational measures to protect your personal data (Article 32 GDPR):
No security system is completely impenetrable. In the event of a personal data breach, we will notify the Liechtenstein Data Protection Authority within 72 hours as required by Article 33 GDPR, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).
Veil is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will delete it without undue delay. If you believe we have collected data from a child, please contact us at relations@veil.li.
We may update this Privacy Policy to reflect changes in our data processing practices or legal requirements. Material changes will be communicated to members via email at least 30 days before taking effect. The "Last Updated" date and version number at the top of this document will be revised. Your continued use of Veil following notification constitutes acceptance of the updated policy. If you do not agree to the changes, you may terminate your membership.
For questions about this Privacy Policy, requests to exercise your data rights, or privacy concerns:
Email: relations@veil.li
Mailing Address:
Askus GmbH
c/o Vigor Trustees
Pflugstrasse 20
9490 Vaduz
Liechtenstein
We aim to respond to privacy requests within 30 calendar days.