Privacy Policy
How Veltara Works handles your information on vectismail.com and when you buy or use Vectis Mail™.
At a glance
The short version, then the detail:
- We don't run analytics, behavioural ad pixels, or third-party trackers on this site. No Google Analytics, no Facebook Pixel, no session-replay.
- We collect only what's needed to reply to enquiries, ship the product, and keep the lights on.
- Payments are processed by Stripe. Subscriptions are managed through ValidonX, our own licensing platform. We never see your card details.
- Once Vectis Mail runs on your server, the personal data your install processes (mailboxes, message content, recipient addresses) is controlled by you, not by us.
- For any privacy question or data-subject request, use the Contact page and select Privacy / Data Request.
1. Who we are
Vectis Mail is a product of Veltara Works™, the trading entity that publishes this website. Veltara Works is a wholly Australian owned company. Veltara Works owns and operates two software platforms relevant to this policy:
- Vectis Mail — the self-hosted email platform described on this site.
- ValidonX — the licensing and subscription platform that Veltara Works operates for its own products (including Vectis Mail) and offers to other software developers as a licensing service.
For privacy matters specifically, please use the Contact page and select Privacy / Data Request. We will respond within 30 days (usually within 2–3 business days). If you need postal correspondence, request the current registered address through the same channel and we will provide it.
2. Two distinct privacy contexts
Vectis Mail is a self-hosted product. This means there are two very different layers of data handling to keep straight:
- vectismail.com itself — the marketing site, the contact form, the purchase journey. Veltara Works is the controller of any personal information collected here. The rest of this policy mostly describes this layer.
- Your Vectis Mail server — once you install Vectis Mail on your own infrastructure and start operating mailboxes for your users, you are the controller of the personal data flowing through your install. Veltara Works is the software vendor — we wrote the code, but we don't see your users' mail. The licence verification call your install makes to ValidonX every 5 minutes transmits only an opaque tenant identifier; it carries no mailbox lists, no message content, no recipient addresses, and no IP addresses of your users.
3. What we collect on vectismail.com
3a. Visiting the site
When you browse vectismail.com, our hosting provider (Cloudflare Pages) records the technical information any web server records to deliver pages and defend against abuse: your IP address, the time of the request, the URL you visited, the page that referred you, and the user-agent string your browser sends. This information lives in Cloudflare's logs — we don't aggregate it, profile you with it, or sell it. Cloudflare may set short-lived cookies (notably __cf_bm) to distinguish humans from automated traffic; these are strictly functional and expire within 30 minutes of your last visit.
We do not load Google Analytics, Facebook Pixel, LinkedIn Insight, X (Twitter) tracking, Hotjar, FullStory, or any comparable behavioural-tracking script. The only third-party scripts on the page are Cloudflare's bot-management challenge runtime, loaded only if a request triggers it.
3b. Using the contact form
If you submit the form at /contact, we collect:
- Your name and email address
- The department you've selected (General Enquiries, Enterprise Sales, Technical Support, or Privacy / Data Request)
- Your message text
That form posts to a small Cloudflare Pages Function, which forwards your message into the Vectis Mail server that runs mail.vectismail.com. From there it lands in the appropriate internal inbox depending on the department you chose. The data path is: your browser → Cloudflare edge → mail.vectismail.com → mailbox. We use this information to reply to your enquiry and keep an internal record of the conversation so we can pick up where we left off if you write again. We don't add you to a marketing list off the back of a support enquiry.
3c. Buying a Vectis Mail Pro subscription
Vectis Mail Pro is sold by Veltara Works through ValidonX, our own licensing and subscription platform. Card payments are processed by Stripe, and Veltara Works is the merchant of record — the entity on your statement and on the receipt. We do not see, store, or process your payment card details; they go directly from your browser to Stripe.
After payment, ValidonX issues you a tenant identifier, a licence key, and a service key, and emails them to you so you can paste them into the admin UI of your Vectis Mail install. Because ValidonX is operated by Veltara Works (not a separate company), no third-party transfer of personal data is involved between Vectis Mail and ValidonX — both are run by the same controller. Stripe is a separate processor; see section 6 for the details we share with them.
3d. Email correspondence
If you contact us through the form at /contact (which we recommend over direct email), we retain the resulting conversation thread to maintain a continuous record. The retention rules for this material are set out in the Retention section below.
4. What we don't collect
To be explicit about scope:
- We do not run analytics or fingerprinting scripts on vectismail.com.
- We do not buy advertising audience lists, retargeting cohorts, or third-party data enrichment.
- We do not load social-media share buttons that report your visit back to the social network ("Like" buttons, Twitter-share widgets, etc).
- We do not use session-replay tools (mouse-movement / scroll recording).
- We do not embed marketing automation pixels in our outbound emails.
5. How we use your information
We use the information described in section 3 strictly to:
- Reply to enquiries you've sent us through the contact form.
- Provide and improve Vectis Mail in response to feedback (we may quote a problem you've reported back to ourselves anonymously when writing release notes; we won't name you publicly without permission).
- Operate the technical infrastructure (defend against abuse, debug errors, ship security updates).
- Comply with legal obligations — for example, retaining records relating to a paid subscription long enough to satisfy tax, contract, and consumer-law requirements.
We do not, and have never, sold personal information.
6. Who we share information with
ValidonX is operated by Veltara Works and is not a third party for the purposes of this policy. The genuinely third-party processors we use are listed below. Each is contracted to use information only on our instructions and only for the purposes described above:
Stripe, Inc.
Role: Payment processor.
Location: United States, with global infrastructure.
What we share: Stripe receives the payment-card details you enter at checkout and the contact details (name, email) required to issue a receipt. We never see your card number, CVC, or expiry. Stripe self-certifies to the EU–US Data Privacy Framework.
Cloudflare, Inc.
Role: DNS, CDN, edge compute (Pages Functions), bot management.
Location: United States, with worldwide edge infrastructure.
What we share: Cloudflare processes connection metadata for every request to vectismail.com (IP, user-agent, requested URL). Cloudflare's role is covered by Standard Contractual Clauses where required and by their own EU–US Data Privacy Framework self-certification.
GitHub, Inc. (Microsoft)
Role: Source-code hosting for the Vectis Mail repository.
Location: United States.
When this is relevant to you: Only if you choose to interact with us on GitHub (issues, pull requests, discussions). GitHub has its own privacy policy.
We do not share your information with anyone else for marketing, profiling, or any other purpose. If a court of competent jurisdiction served us with a valid legal demand we would comply with our obligations, document it, and (where lawful) notify the affected person.
7. International data transfers
Veltara Works operates from Australia, and ValidonX (our own licensing platform) is operated within the same Australian jurisdiction. Our third-party processors are international, however: by using vectismail.com or by buying a Vectis Mail Pro subscription, your information may be transferred to or stored in jurisdictions outside Australia, including the United States (Stripe, Cloudflare, GitHub) and the global edge networks operated by Cloudflare. For transfers from the EU, UK, or Switzerland, the relevant safeguards are:
- Stripe — EU–US Data Privacy Framework (DPF) plus Standard Contractual Clauses for transfers not covered by DPF.
- Cloudflare — EU–US DPF certification plus Standard Contractual Clauses; transfer-impact-assessment documentation is publicly maintained.
- GitHub (Microsoft) — EU–US DPF certification plus Standard Contractual Clauses.
8. How long we keep information
| Information | Retention |
|---|---|
| Cloudflare access logs (IPs, request lines) | Up to 30 days at the Cloudflare edge, then discarded. |
| Contact-form submissions & resulting email threads | As long as the conversation remains useful for support and product memory; routinely pruned after 24 months of inactivity unless related to a paid subscription, in which case we keep the thread for the life of the subscription plus 7 years for Australian tax and contract-law reasons. |
| Subscription / billing records (managed in ValidonX) | 7 years from the end of the financial year in which the last transaction occurred, in line with Australian tax-record obligations. |
| Operational logs on mail.vectismail.com (the mail server itself) | 30 days, after which they roll out of the log index automatically. |
| Audit-log records of admin actions on our internal mail-admin UI | 90 days, then pruned automatically. |
You can ask us at any time how long we currently hold information about you specifically; we'll tell you and, on request, delete it (subject to the legal-retention obligations called out above).
9. Your rights
Regardless of where you live, we will honour any reasonable request to:
- Access the personal information we hold about you.
- Correct anything that's wrong.
- Delete what we hold — with the exception of records we're legally required to keep (mostly billing and tax records).
- Object to a particular use, or restrict processing while we investigate a complaint.
- Receive a portable copy in a common machine-readable format (CSV or JSON).
- Withdraw consent at any time where consent was the basis for processing.
To exercise any of these rights, use the Contact page and select Privacy / Data Request. We may need to verify your identity (typically by replying from the email address we hold for you) before we act on a request.
If we've not handled a privacy concern of yours adequately, you can complain to:
- Australia: the Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- EU/EEA: the data-protection authority in your country.
- UK: the Information Commissioner's Office (ICO) — ico.org.uk
- California (USA): the California Privacy Protection Agency (CPPA) — cppa.ca.gov
10. Cookies and similar technologies
We use the absolute minimum:
- Strictly necessary, set by Cloudflare: a short-lived
__cf_bmcookie to distinguish human visitors from automated bot traffic. This is set on every page load and expires within 30 minutes. - Set by us: none. The marketing site is fully static, and the only first-party state we use is what your browser already retains for any HTTPS connection.
- Set if you authenticate to
mail.vectismail.com(our own use of the product as a customer-support inbox): standard session cookies bound to that mailbox. Customers don't authenticate there.
Because we don't run advertising or analytics cookies, there is no cookie banner. If we ever introduce a cookie that requires consent under EU/UK law we will surface a granular consent control before it loads, and we will revise this policy.
11. How we protect your information
The technical baseline we operate to:
- All traffic to and from vectismail.com runs over TLS 1.2 or higher (TLS 1.3 in practice for any modern browser; floor of 1.2 set by our edge CDN), with HSTS preload (max-age 2 years, includeSubDomains, preload).
- The mail server that handles our internal correspondence (
mail.vectismail.com) is itself a Vectis Mail Pro install, kept on the current stable release. - Passwords (for our own admin accounts) are hashed with Argon2id.
- TOTP secrets and backup material are encrypted at rest with AES-256-GCM.
- We use the principle of least privilege internally: the database role used by the mail server's outward-facing components is read-only.
12. Children
Vectis Mail is a product for businesses and technical operators. It's not intended for, or marketed to, anyone under the age of 16. We don't knowingly collect personal information from children. If you believe a child has provided us information, please reach out via the Contact page and we'll delete it.
13. Changes to this policy
We'll bump the "Last updated" date at the top of this page whenever we change it. For changes that affect how we use information about existing customers (rare), we'll also email you. The current text is always the authoritative version.
14. Contact us
For any privacy question or data-subject request, use the Contact page and select Privacy / Data Request. Messages routed through that form reach our internal privacy inbox directly. We answer.