Privacy
Policy

Veehax is headquartered at World Trade Center, Colombo, Sri Lanka. We build AI-powered products designed to democratize access to knowledge, enhance learning outcomes, and accelerate skill development globally. This policy applies to all users of our platform, including visitors, registered users, enterprise clients, and API partners.

Account & Identity Data

• Full name, email address, and password (hashed) when you register an account.
• Profile information you optionally provide: photo, organisation, role, and preferences.
• OAuth identity tokens if you sign in via Google, GitHub, or other providers.

Platform Usage Data

• Interactions with AI features: prompts submitted, responses generated, sessions initiated.
• Learning progress, completion rates, scores, and activity timestamps.
• Feature usage metrics and navigation patterns within the platform.

Technical & Device Data

• IP address, browser type, operating system, and device identifiers.
• Referring URLs, session duration, and page-level analytics.
• Error logs, crash reports, and performance diagnostics.

Payment Data

• Billing name, address, and subscription tier. We do not store raw card numbers payment processing is handled by PCI-DSS compliant third-party processors.

Communications Data

• Support tickets, feedback submissions, and survey responses.
• Email and in-app notification engagement signals.

We process your data only for clearly defined, legitimate purposes. The following table summarises our processing activities and their lawful basis.

The Veehax platform is built on AI systems that process your inputs to generate personalised content, recommendations, and educational outcomes. Understanding how your data interacts with these systems is important.

• Personalisation engine: Your learning activity and engagement signals are used to tailor content difficulty, pacing, and topic recommendations specific to you.
• Model fine-tuning: We may use aggregated, de-identified usage patterns to refine Veehax-proprietary AI models. Raw personal data is never used directly in training pipelines.
• Safety monitoring: All AI interactions are subject to automated safety filters to detect and prevent harmful, abusive, or policy-violating content.
• No automated decisions with legal effect: We do not use AI to make automated decisions about you that produce legal or similarly significant consequences without human review.

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

• Service providers: Trusted vendors who process data strictly on our behalf including cloud infrastructure providers, payment processors, email delivery services, and analytics platforms operating under data processing agreements.
• AI model providers: Where Veehax integrates third-party AI APIs (e.g. for language model inference), data is transmitted under strict data processing agreements. We configure these integrations to minimise data retention by the provider.
• Enterprise administrators: If your account is managed by an organisation (enterprise plan), your employer may have access to usage reports and platform activity relevant to their contract with Veehax.
• Legal obligations: We may disclose data when required by Sri Lankan law, court order, or to protect the rights, safety, and property of Veehax, our users, or the public.
• Business transfers: In the event of a merger, acquisition, or asset sale, user data may be transferred. We will notify affected users and honour existing privacy commitments.

Veehax operates cloud infrastructure distributed across data centres, including facilities in Sri Lanka and internationally (AWS / GCP regions). All data in transit is encrypted via TLS 1.2+. Data at rest is encrypted using AES-256.

When you delete your account, we initiate a 30-day grace period during which recovery is possible. After this period, personal data is permanently purged from production systems. Certain data may persist in encrypted backups for up to 90 days before being overwritten.

You have the following rights with respect to your personal data. To exercise any of these rights, contact us at hello@veehax.com. We will respond within 30 days.

• Access: Request a copy of the personal data we hold about you.
• Correction: Request that inaccurate or incomplete data be corrected.
• Deletion: Request erasure of your personal data, subject to legal retention obligations.
• Portability: Receive your data in a structured, machine-readable format.
• Restriction: Request that we limit processing of your data in certain circumstances.
• Objection: Object to processing based on legitimate interest, including for direct marketing.
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

Veehax uses cookies and similar technologies to operate the platform, remember your preferences, and analyse usage patterns.

You can manage cookie preferences through your browser settings or the Veehax Privacy Centre within your account. Disabling non-essential cookies will not impair core platform functionality.

Veehax services are intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If we become aware that a user under 16 has registered without verifiable parental consent, we will promptly delete the account and associated data.

Educational institutions deploying Veehax for students under 16 must enter into a separate Data Processing Agreement that includes appropriate safeguards and parental consent mechanisms. Contact enterprise@veehax.com for details.

We implement industry-standard technical and organisational security measures to protect your data against unauthorised access, loss, alteration, and disclosure.

• All data in transit encrypted via TLS 1.2 or higher.
• Data at rest encrypted using AES-256.
• Passwords stored using bcrypt with salted hashing never in plaintext.
• Role-based access controls limiting internal data access to authorised personnel only.
• Regular penetration testing, vulnerability assessments, and security audits.
• Incident response procedures with mandatory breach notification within 72 hours where applicable by law.

No system is perfectly impervious to attack. If you suspect your account has been compromised, contact hello@veehax.com immediately.

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the revised policy at veehax.com/privacy with an updated effective date.
• Send a notification email to registered users at least 14 days before material changes take effect.
• Display an in-platform banner prompting acknowledgement of significant changes.

Continued use of the platform after the effective date constitutes acceptance of the revised policy. If you disagree with any changes, you may close your account before the effective date and request deletion of your data.

For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, contact our Privacy team:

• Email: hello@veehax.com
• Security disclosures: hello@veehax.com
• Postal address: Veehax (Pvt) Ltd, World Trade Center, Colombo 01, Sri Lanka.

We aim to respond to all privacy inquiries within 30 days. Complex requests may require up to 60 days we will notify you of any extension within the initial 30-day window.