Vuel Privacy Policy

Effective date: July 1, 2026

Introduction & scope

Vuel. is a personal AI agent for everyday life. This policy explains what information we collect when you use the Vuel iOS app and our services, how we use it, who we share it with, and the choices you have.

This policy covers the Vuel iOS app and the Vuel backend service (api.vuel.ai). The data controller responsible for your information is Vuel LLC. We rely on infrastructure providers — including Supabase (managed database and authentication) and Fly.io (application hosting) — that store and process data on our behalf as our processors.

By using Vuel, you agree to the practices described here. Where the law gives you rights over your information, this policy explains how to exercise them.

Information we collect

We collect the following information so the agent can do real work on your behalf.

Account and phone

• Your name, email address, phone number, and date of birth.
• For email-and-password accounts, a securely hashed password (we never store your password in plain text).
• OAuth provider IDs and avatar, if you sign in through a connected provider.
• Invite-code and verification records used during signup.

Chat content

• Your full chat history and transcripts with each agent.
• Attachments you add to chat (photos, camera captures, and files).
• Rich content the agent produces in chat (for example briefings, receipts, and media).

Permission-derived data

We only access the following after you grant the matching iOS permission, and you can revoke any of these in iOS Settings at any time:

• Contacts — used to look up recipients when drafting an email or text.
• Calendar — Vuel keeps your reminders and events together in its own calendar and can add Vuel-created events to your iPhone's Calendar app (EventKit). On a connected Google Calendar (via OAuth) it can view and create events (RSVP supported) but cannot yet edit or delete Google events, and it does not read your existing iPhone Calendar events.
• Location — your approximate location (latitude/longitude, time zone, and city), collected only while you are using the app, used for things like your weather forecast.
• Photos and Camera — images you attach or capture for the agent to use.
• Microphone — used for voice dictation input and live note-taking sessions.

Connected mailbox

If you connect a mailbox (Gmail in the current iOS app), we access your messages (sender, subject, and body), your contacts for recipient lookup, and drafts, so the agent can read, classify, summarize, and draft replies — a connected mailbox grants both read and send access once you authorize it. In the app, connected-mailbox replies stay as drafts until you tap Send.

Voice recordings and transcripts

• Voice dictation audio and transcripts.
• AI voice-call records, including the number called, status, a summary, the full transcript, the structured result, and a recording URL.

Notes and files

• Note-taking sessions and foldered notes.
• Files and photos you upload to your agent's workspace.
• Receipts you log via chat (photo OCR or a form).

Push tokens and device info

• Apple push notification (APNS) device tokens, used to send you notifications.
• Request logs (method, path, status, latency) and your client IP address, used for security and rate-limiting.
• If you join our marketing waitlist, your email address along with the user-agent and IP of the request.

Usage and derived data

• Durable remembered facts about you (preferences and context) that the agent learns and confirms.
• Semantic memory chunks with vector embeddings used for recall.
• A credit/usage ledger reflecting your token usage.

How we use information

We use your information to:

• Provide the agent's features — placing calls, drafting emails and texts, triaging your connected inbox, managing reminders, todos, calendar, notes, and files, and generating media.
• Build your morning briefing (weather, calendar conflicts, emails that need you, and reminders worth keeping).
• Remember your context and preferences across days so the agent can act consistently in your chosen tone.
• Authenticate you, verify your identity at signup, and protect against abuse and cross-account access.
• Enforce usage and credit limits.
• Send you notifications and transactional messages.

AI processing and third-party subprocessors

To run the service, your information is processed by the third parties below. Each receives only what is needed for its function.

Note: when the agent drafts an email or text for you to send, it goes through your own Mail or Messages app, or your connected mailbox — not through Resend or Twilio.

How we share information

We do not sell your personal data. We share your information only with the subprocessors listed above, and only to the extent needed to operate the service. We may also disclose information where required by law.

Data retention

We retain your data for as long as your account is active, so we can support your account activities and give you the best experience. Once your account is closed, your own data is deleted immediately, while generated data — such as chat, memory, and profile — is retained as headless (de-identified) data for analytics and model training. In addition, the following automated retention windows apply today:

• Inbox emails from a connected mailbox: kept 30 days.
• Sent replies: 7 days. Unsent or failed replies: 30 days.
• AI voice-call records: 30 days by default (configurable).
• Expired verification and rate-limit records: swept regularly.

Your choices and rights

• Access and revoke permissions. You can revoke Contacts, Calendar, Location, Photos, Camera, and Microphone access at any time in iOS Settings.
• Disconnect Gmail. You can disconnect a connected mailbox to stop the agent from accessing it.
• Partial deletions. Within the app you can delete individual agents (the last remaining agent cannot be deleted), delete individual files, hard-delete a note (transcript and audio), and ask the agent to "forget" a remembered fact. Note that a "forget" request declines to remove verified account data such as your phone number, email, and date of birth.
• Full account deletion. To request full account deletion, email support@vuel.ai. We will delete all of your private data. Data generated through chat is retained in a headless, de-identified form for analytics and model training. There is no self-serve full-account-deletion flow today, so email support and we'll handle it for you.

If you are in a jurisdiction with specific data-protection rights (such as the EU/UK under GDPR, or California under CCPA), you may have additional rights including access, correction, deletion, and portability.

Security

We take steps to protect your information, including:

• Passwords are hashed with bcrypt and never stored or logged in plain text; we do not store raw one-time passcodes.
• Authentication tokens use a pinned algorithm, and a required secret is enforced at startup.
• Database queries are parameterized, and dynamic update paths use server-side allowlists.
• Media and recording URLs are signed, with signature parameters redacted from logs; voice recordings are proxied with a no-store marker.
• Agent-addressed requests enforce agent ownership at the proxy to prevent cross-account access.

No method of storage or transmission is completely secure, and we cannot guarantee absolute security.

Children's privacy

Vuel is not intended for children. You must be at least 13 years old to use Vuel, and we do not knowingly collect personal information from children under 13.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the effective date above and notify you by email and through in-app notifications.

Contact

If you have questions about this policy or your information, contact us at support@vuel.ai.

Someone's got you.