Privacy Policy

Effective date: May 9, 2026  ·  Last updated: May 13, 2026

Velance Inc., a Nevada corporation ("Velance," "we," "us," or "our") provides a customer relationship management platform for automotive dealerships, including our website at velancecrm.com, our web application, and our mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect information in connection with the Service.

1. Who This Policy Covers

This Policy applies to:

• Dealership Personnel — owners, managers, sales, finance, and service staff who use the Service in the course of their work for a dealership.
• Dealership Customers and Leads — consumers whose information is entered into or generated within the Service by dealership personnel (for example, through a web lead, ADF feed, DMS sync, manual entry, SMS conversation, or showroom check-in).
• Website Visitors — visitors to velancecrm.com and our public marketing pages.

2. Our Role: Data Controller and Data Processor

For information about Dealership Personnel and Website Visitors, Velance acts as a data controller. We determine the purposes and means of processing for account, billing, support, and security purposes.

For information about Dealership Customers and Leads, Velance acts as a data processor (or "service provider" under California law). The dealership is the controller. We process this information only on the dealership's instructions and to provide and improve the Service. If you are a consumer and want to exercise privacy rights with respect to data the dealership holds about you, please contact the dealership directly. Where required, we will assist them in responding to your request.

3. Information We Collect

Information you provide

• Account information. Name, work email, phone number, role, dealership affiliation, and authentication credentials.
• Lead and customer information. Names, phone numbers, email addresses, vehicle interests, trade-in details, financial pre-qualification data, notes, activity history, appointments, and conversations.
• Communications content. SMS messages and email exchanges sent or received through the Service, including AI-assisted drafts and customer replies.
• Billing information. For dealership subscriptions managed outside the mobile app, we may process billing contact and payment-method details through our payment processor. The Velance CRM mobile app does not sell digital goods, does not use in-app purchases, and does not collect payment card information from mobile app users.

Information collected automatically

• Device and log data. IP address, browser/OS, device identifiers, timestamps, error logs, and usage events necessary to operate, secure, and improve the Service.
• Cookies and similar technologies. Authentication cookies, preference cookies, and analytics events. See the "Cookies" section below.
• Mobile-app information. Push notification tokens, app version, and crash diagnostics. The mobile app requests permission to send notifications. You may revoke notification permission in your device settings at any time. Additional permissions (such as camera, microphone, or photo library) will only be requested if and when corresponding features are added to the application, and any such addition will be reflected in an updated version of this Policy.

Information from third parties

• Lead providers. ADF/XML feeds, web-form vendors, OEM lead programs, and third-party listing sites that route leads to the dealership.
• Dealer Management Systems (DMS). When the dealership connects a DMS, we receive customer, deal, repair-order, and inventory data on a scheduled or webhook basis.
• Communications providers. Twilio (SMS) and SendGrid (email) deliver inbound messages and webhook events to the Service.

4. How We Use Information

• Provide, maintain, and secure the Service for the dealership.
• Authenticate users and prevent fraud, abuse, and unauthorized access.
• Route leads, send messages, schedule appointments, and otherwise execute the dealership's workflow.
• Generate AI-assisted drafts, suggestions, and summaries within the dealership's tenant.
• Provide customer support and respond to inquiries.
• Bill the dealership and process payments.
• Comply with legal obligations and enforce our agreements.
• Improve the Service through aggregated, de-identified analytics (see Section 5).

5. Artificial Intelligence and Machine Learning

The Service uses third-party AI models (currently Anthropic Claude, OpenAI GPT, and Google Gemini) to draft messages, summarize conversations, recommend follow-ups, and answer dealership-staff questions. We design our use of AI to protect dealership and consumer information.

• No training on identifiable customer content. We do not use customer-identifiable conversation content (SMS, email, notes) to train base AI models. Our AI providers are contractually prohibited from using API content to train their models.
• Aggregated learning. We extract aggregated, de-identified performance signals — for example, which response patterns lead to appointments — to improve features such as cadence recommendations and lead scoring. These signals do not identify any individual consumer.
• Tenant isolation. AI prompts are scoped to a single dealership's tenant. AI-generated context and retrieval are limited to that dealership's own records.
• Optional model personalization. Dealerships may opt in to advanced personalization features that use their own data to fine-tune a model that exclusively serves their tenant. These features are off by default, require an administrator to enable, and the resulting personalized model is deleted upon offboarding or opt-out.
• Human review. AI output may contain errors. The dealership is responsible for reviewing AI-assisted communications before they are sent.

6. SMS and Text Messaging

The Service enables dealerships to send and receive SMS messages with their leads and customers. The dealership is responsible for obtaining all required consents under the Telephone Consumer Protection Act (TCPA), state law, and applicable carrier requirements before initiating SMS communications, and for honoring opt-out requests promptly. Velance assists by processing keywords such as STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT, and by maintaining suppression records.

We do not share, sell, rent, or disclose mobile opt-in consent or SMS consent data to third parties or affiliates for their marketing or promotional purposes. SMS consent is used solely for communications between the dealership and its leads and customers through the Service.

Message and data rates may apply for recipients. Reply HELP for help, STOP to unsubscribe.

7. How We Share Information

We do not sell personal information for monetary consideration. We share information only as follows:

• Within the dealership. Information you enter is accessible to authorized personnel of the same dealership, subject to role-based permissions configured by the dealership.
• Subprocessors. We use a limited set of vendors to host, secure, and deliver the Service (e.g., cloud hosting, AI providers, SMS and email delivery, error monitoring, push notifications). A current list is published at velancecrm.com/subprocessors. We require subprocessors to maintain appropriate security and confidentiality protections.
• Integrations the dealership enables. When a dealership connects an integration (DMS, OEM feed, marketing tool), data flows to that system at the dealership's direction.
• Legal and safety. We may disclose information when required by law, valid legal process, or to protect the rights, property, or safety of Velance, our users, or others.
• Corporate transactions. If Velance is involved in a merger, acquisition, financing due diligence, or sale of assets, information may be transferred subject to standard confidentiality obligations and continued protection under this Policy.

8. Data Retention

We retain information for as long as the dealership maintains an active subscription, plus a reasonable post-termination period for billing reconciliation, dispute resolution, and legal-hold purposes. Specific defaults:

9. Security and Breach Notification

We implement administrative, technical, and physical safeguards designed to protect information, including:

• TLS 1.2+ encryption in transit and AES-256 encryption at rest.
• PostgreSQL row-level security policies enforcing tenant isolation between dealerships.
• Restricted database roles for AI-generated queries (no write access, allow-listed tables only).
• Webhook signature verification (HMAC) on inbound messaging and DMS callbacks.
• Multi-factor authentication available for all accounts.
• Routine vulnerability scanning and dependency monitoring.

Breach notification. If we discover a security incident affecting personal information, we will notify affected dealerships without undue delay and, in any event, within 72 hours of confirmation, with the information available at that time. We will assist dealerships in their downstream notification obligations to consumers as required by applicable law.

10. Your Rights

Subject to applicable law, you may have rights to:

• Access and obtain a copy of personal information we hold about you;
• Correct inaccurate personal information;
• Delete personal information;
• Restrict or object to certain processing;
• Receive your information in a portable format;
• Withdraw consent where processing is based on consent;
• Appeal a denied request to the relevant state regulator.

Dealership Personnel and Website Visitors may exercise these rights by contacting privacy@velancecrm.com. We will respond within 45 days, with one 45-day extension where reasonably necessary.

If you are a Dealership Customer or Lead, please contact the dealership that holds your information; we will support the dealership in honoring your request.

11. California Privacy Rights (CCPA / CPRA)

This section provides additional disclosures required for California residents. Velance does not sell or share personal information for cross-context behavioral advertising. The categories of personal information we collect, the sources, and the purposes are summarized below.

Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information for purposes other than those necessary to provide the Service.

Non-Discrimination. We will not discriminate against you for exercising your rights.

To exercise California rights, email privacy@velancecrm.com or use the form at velancecrm.com/do-not-sell. Authorized agents may submit requests with verifiable authorization.

12. Mobile Application — Apple App Store Disclosures

The Velance mobile application is distributed through the Apple App Store. The data-collection categories disclosed in our App Store privacy nutrition label correspond to the categories described in this Policy. We do not engage in cross-app or cross-website tracking and will not request App Tracking Transparency authorization.

Specific iOS permissions and their purpose:

• Notifications — push alerts for new leads, replies, and reminders.

You may revoke notification permission at any time in iOS Settings. If we add features in future versions that require additional permissions, we will request them at the point of use, update this Policy, and update the App Store privacy disclosure accordingly.

13. Mobile Application — Google Play Disclosures

The Velance CRM mobile app is distributed through Google Play. The data categories disclosed in our Google Play Data Safety section correspond to the categories described in this Policy. The app is free to download, requires an existing dealership-provisioned login, does not sell user data, and does not share data for advertising. Specific Android permissions and their purpose:

• Notifications — push alerts for new leads, replies, and reminders.

You may revoke notification permission at any time in Android Settings. If we add features in future versions that require additional permissions, we will request them at the point of use, update this Policy, and update the Google Play Data Safety disclosure accordingly.

14. Cookies and Similar Technologies

We use a small number of cookies and similar technologies. They fall into three categories:

• Strictly necessary — authentication, session, security, and load balancing. These cannot be disabled without breaking the Service.
• Preference — remembering theme, last-viewed dealership, and dismissed prompts.
• Analytics — error monitoring (Sentry) and aggregated usage analytics. These help us diagnose issues and improve the product.

You may control cookies through your browser settings. Disabling strictly-necessary cookies will prevent authentication.

15. Children

The Service is intended for business use by dealership personnel aged 18 and over. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it.

16. International Users

The Service is operated from and intended for users in the United States. Information is processed and stored in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have different data-protection laws than your jurisdiction.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced through the Service and by email to dealership administrators at least 30 days before they take effect, except where a shorter period is required by law. The "Effective date" above will be updated each time.

18. Contact

For questions, complaints, or to exercise a right, contact us at:

• Privacy: privacy@velancecrm.com
• Legal: legal@velancecrm.com
• Support: support@velancecrm.com