COMPLIANCE & SECURITY

GDPR & Data Protection

Velyx GmbH (incorporation in progress), headquartered in the innovation hub of Hamburg, Germany, is the architect of Velyx AI – a sovereign AI designed not just to meet but to exceed the strict data protection standards of the GDPR and the German Federal Data Protection Act (BDSG). We don't just "apply" data protection; we build it into our code.

Data Protection & German Excellence

1. The Power of Sovereign AI

Unlike standard "wrappers" that rely on US tech giants, Velyx builds on high-performance open-source LLMs (Large Language Models).

Independence: We are not bound by the changing terms of service or opaque data policies of Silicon Valley companies.

Transparency: Since our core models are based on open-weights technology, we have full transparency over how the AI processes information – a requirement for the highest tiers of the EU AI Act.

Ownership: You retain 100% ownership of your lead data. We do not use your dealership's interactions to train global models.

2. 100% European Infrastructure

We have carefully selected infrastructure that guarantees data residency:

Hosted in Nuremberg (Hetzner): Our primary "brain" resides in the Hetzner data centre park in Nuremberg. It is one of the most secure and energy-efficient facilities in the world, ISO 27001 certified and operating strictly under German and European law.

European Edge Routing (OpenRouter EU): When we use certain model variants, we use OpenRouter's EU-specific endpoints. This ensures that every request and completion is processed by servers within the European Union, preventing "data leakage" to third countries.

3. Privacy by Architecture

Zero Data Retention (ZDR) Paths: We use zero-data-retention protocols during inference. This means the AI "thinks" about the customer's question, provides the answer, and then immediately forgets the specific input. No sensitive logs remain in the ether.

No US Cloud Act Risk: Since we avoid direct integration of US-hosted cloud providers for our core processing, we mitigate the risks associated with the US Cloud Act and provide your dealership with a "legally safe harbour".

4. Supporting the EU AI Act

Velyx is future-proofed by design. We meet the transparency requirements of the EU AI Act through:

Human-in-the-loop: We ensure your sales team always has the final say.

Clear labelling: Automatic identification of AI-powered interactions.

Local governance: "Intelligence" and "data" remain in the same jurisdiction.

How Velyx GmbH Processes Your Data

When you integrate Velyx AI into your dealership, Velyx GmbH acts as a data processor on your instruction. You (the dealership) remain the data controller. This means you retain 100% ownership of your customer data and we only process it according to your documented instructions to provide our services.

Our "Privacy First" Infrastructure

German Data Residency: All customer data is exclusively stored and processed within the European Union. Our primary infrastructure is hosted in the Hetzner Datacenter Park in Nuremberg, ensuring your data never leaves German jurisdiction.

Sovereign AI Routing: Unlike "AI wrappers" that send data to US servers, we prioritise open-source LLMs and OpenRouter's EU endpoints to keep data processing local.

Data Processing Agreement (DPA): We provide all customers with a comprehensive DPA clearly outlining our legal obligations under Art. 28 GDPR and the BDSG.

Transparent Subcontractors: We maintain a strictly vetted list of European subcontractors and inform you immediately of changes to our infrastructure stack.

Data Minimisation: Velyx is designed to process only the information required for the task at hand – whether booking a test drive or identifying a specific VIN – in line with the principle of purpose limitation.

Security & Accountability

BDSG Compliance: We conduct regular internal audits to ensure our operations meet the specific requirements of the German Federal Data Protection Act (BDSG).

Encryption at Every Level: Data is protected with AES-256 encryption at rest and TLS 1.3 in transit. Even within our Nuremberg servers, your data is isolated and protected.

Incident Response: We maintain documented processes for rapid response and notification in the unlikely event of a data security incident.

Encryption: End-to-end encryption (TLS 1.3) and AES-256 at rest.

Isolated Environments: Each dealership's data is stored in a logically separated environment to prevent overlap.

Audit Trails: Detailed data access logging ensures you can always trace the handling of a lead.

Your Data Rights

Access & Portability: Export complete chat logs and lead data in a machine-readable format.

Rectification: Update or correct customer preferences and contact details in real time.

Erasure (Right to be Forgotten): Securely delete or anonymise personal data on request.

Restriction of Processing: Easily pause AI interactions for specific users as needed.
