Effective: 2026-03-06
Veleiras ("we", "us") is a digital memorial platform. We take the privacy of the people who use our service — and the people they remember — very seriously.
The data controller responsible for processing your personal data is:
Eliana dos Santos Pereira (sole proprietorship)
6020 Innsbruck, AT
Email: privacy@veleiras.com
As a micro-enterprise with fewer than 10 employees, we are not required to appoint a Data Protection Officer under Art. 37 GDPR. For privacy-related enquiries, contact us at: privacy@veleiras.com.
When you create a memorial, we collect:
We do not collect names, emails, or any identifying information from visitors who light candles or view a memorial via a shared link.
Under Art. 6(1) GDPR, we rely on the following legal bases for each processing activity:
| Processing Activity | Legal Basis |
|---|---|
| Account data (email, password) | Contract performance — Art. 6(1)(b) |
| Memorial content (names, dates, photos, stories) | Contract performance — Art. 6(1)(b) |
| Payment data (transaction records) | Contract performance — Art. 6(1)(b) + Legal obligation (tax retention) — Art. 6(1)(c) |
| Cookie consent records | Legitimate interest (compliance documentation) — Art. 6(1)(f) |
| Server-side analytics (aggregate) | Legitimate interest (service improvement) — Art. 6(1)(f) |
| Email notifications | Contract performance — Art. 6(1)(b) |
| Session cookies (PHPSESSID, CSRF) | Strictly necessary — no consent required (Art. 5(3) ePrivacy Directive) |
Encryption at rest: All sensitive personal data — including names, email addresses, epitaphs, life stories, guestbook messages, and appreciation entries (names and personal stories about people you valued) — is encrypted at rest using AES-256-GCM authenticated encryption (via the defuse/php-encryption library) before being stored in our database. This means even in the event of a database breach, the data is unreadable without the encryption keys.
Password hashing: Passwords are hashed using Argon2id with memory-hard parameters, making brute-force attacks computationally infeasible. We never store passwords in plain text.
Encryption in transit: All communication between your browser and our servers is protected by HTTPS/TLS encryption. We enforce HTTPS on all pages and API endpoints.
Memorials are accessed through cryptographically secure share links, not through a public directory. There are three access levels:
Without a valid link, visitors see only a minimal threshold page with the person's first name and candle. No story, photos, or messages are visible without invitation.
We use only strictly necessary cookies. We do not use any tracking cookies, analytics cookies, or third-party advertising cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| PHPSESSID | Session management (login state). Strictly necessary. | Expires when browser closes |
| CSRF token | Cross-site request forgery protection. Strictly necessary for security. | Session |
| __cf_bm and similar | Set by Cloudflare for bot management and DDoS protection. Strictly necessary for security. | Up to 30 minutes |
Because all cookies we use are strictly necessary for the operation and security of the service, they are exempt from consent requirements under Art. 5(3) of the ePrivacy Directive.
We present a cookie consent banner to all visitors. Although our cookies are strictly necessary and do not require consent, the banner provides transparency and lets visitors make an informed choice. Your preference is stored in your browser's localStorage and recorded server-side for our compliance documentation.
The server-side consent record stores: user ID (if logged in) or anonymous visitor ID, consent action (accept/decline), consent version, a one-way hash of your IP address (not the IP address itself), and timestamps.
Cookie consent records are retained for 3 years in accordance with Art. 7(1) GDPR, which requires the data controller to be able to demonstrate that consent was given.
We collect aggregate visit statistics to understand how the service is used and to improve it. This is done entirely server-side with no cookies, no JavaScript tracking, and no individual visitor identification.
We store only:
CF-IPCountry header)No IP addresses, browser fingerprints, or any other personally identifiable information is stored as part of analytics. Individual visitors cannot be identified or tracked. Analytics data is retained for 2 years.
All payments are processed by Stripe. We never see, store, or process your credit card details. Stripe handles all payment data in compliance with PCI DSS Level 1.
We store a record of your transaction (Stripe payment ID, amount, date, status) for contract performance and to fulfil our legal obligation to retain financial records under Austrian tax law (BAO §132). Payment records are retained for 7 years after the transaction.
| Data Category | Retention Period |
|---|---|
| Account data (email, password hash) | Until account deletion + 30 days |
| Memorial data (Forever Plan) | As long as Veleiras operates (see Forever Plan terms) |
| Memorial data (free tier) | Indefinite; may archive after 5 years of inactivity (90 days advance email notice to owner) |
| Payment records | 7 years (Austrian tax law, BAO §132) |
| Cookie consent records | 3 years (Art. 7(1) GDPR) |
| Server-side analytics | 2 years |
| Session data (PHPSESSID) | Until browser close |
| GDPR erasure requests | Data deleted within 30 days; email hash retained to prevent re-registration issues |
If you delete your memorial or request erasure, all associated data (photos, messages, stories, candles) is permanently removed from our servers within 30 days.
We use the following third-party service providers (sub-processors) to operate Veleiras. Each has a Data Processing Agreement (DPA) in place:
| Sub-processor | Purpose | Location & Safeguards |
|---|---|---|
| Stripe, Inc. | Payment processing | United States — EU Standard Contractual Clauses (SCCs) + DPA |
| Cloudflare, Inc. | CDN, DDoS protection, security, media storage (R2), edge database (D1) | US company — EU data locations, EU-US Data Privacy Framework + DPA |
| Hostinger International Ltd. | Web hosting and database | European Union servers — DPA |
Your data is stored on servers in the European Union. Our primary database is hosted by Hostinger (EU), and Cloudflare D1 (database) and R2 (media storage) are configured for EU data locations. Cloudflare's CDN may route requests through global edge servers for performance and security, but stored data remains in the EU. Stripe (payment processing) is based in the United States and certified under the EU-US Data Privacy Framework. All transfers outside the EU are protected by Data Processing Agreements as required by Chapter V GDPR.
If you are in the European Economic Area, you have the right to:
To exercise any of these rights, contact us at privacy@veleiras.com. We will respond within 30 days as required by Art. 12(3) GDPR.
We do not engage in any profiling or automated decision-making as defined by Art. 22 GDPR. No decisions affecting you are made by automated means. We do not build behavioural profiles of users or visitors.
Veleiras is not directed at children under 16. We do not knowingly collect personal data from children. Memorials may be created for children by their parents or guardians.
We may update this policy from time to time. Significant changes will be communicated via email to memorial owners. The effective date at the top of this page will always reflect the latest version.
For any privacy-related questions or requests:
privacy@veleiras.com
We aim to resolve all privacy concerns directly. If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority:
Austrian Data Protection Authority
(Österreichische Datenschutzbehörde)
Barichgasse 40-42, 1030 Vienna, Austria
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at