Vellum Search The living mapPricingContact

Privacy Policy

Last updated: 17 July 2026

This Privacy Policy explains how Vellum AI Group Ltd handles personal data in connection with Vellum Search at search.vellumintel.com, including its website, searchable database, accounts, subscriptions, application programming interface (“API”), Model Context Protocol interface (“MCP”), notifications and related services (together, the “Service”).

We do not use personal data for third-party advertising, cross-site tracking or marketing profiles.

1. Who we are

Vellum Search is operated by Vellum AI Group Ltd, a company registered in England and Wales under company number 17129362.

For data-protection purposes, Vellum AI Group Ltd is generally the controller of personal data processed in connection with the Service.

You can contact us about privacy matters at contact@vellumintel.com.

2. Scope and data-protection roles

This Policy covers:

Where a business customer submits personal data through a search query, API request or other Customer Content and determines why that data is processed, the customer may be the controller and Vellum may act as its processor. In those circumstances, the customer’s privacy policy applies to its processing, and we assist the customer in accordance with our contractual data-processing obligations.

Vellum remains a controller for account administration, billing, security, service operation and the selection and presentation of the public regulatory corpus.

3. Personal data we collect

The personal data we process depends on how you interact with the Service.

3.1 Account and organisation information

This may include:

We use email verification codes for authentication. We do not ask you to create a Vellum password.

3.2 Authentication, device and security information

This may include:

3.3 Subscription and billing information

This may include:

Payments are processed by Stripe. We do not ordinarily receive or store full payment-card details.

3.4 Service-use information

This may include:

We may create aggregated or anonymised statistics that no longer identify an individual.

3.5 Communications

This may include:

3.6 Personal data in official public records

The corpus is not designed as a directory of individuals. However, official regulatory records may contain personal data, including:

Some official records may contain special-category or criminal-offence information. Where an additional legal condition is required to process such information, we process it only where an applicable condition under the UK GDPR and Data Protection Act 2018 is available.

4. Where personal data comes from

We obtain personal data:

Each corpus record is intended to retain provenance information or a link to its official source.

5. How and why we use personal data

We process personal data for the following purposes and lawful bases.

5.1 Providing the Service

We use personal data to:

Where the user is personally party to the subscription, the lawful basis is performance of a contract.

Where the customer is an organisation and the user is its employee, contractor or representative, the lawful basis is generally our legitimate interests in providing and administering a business service for that organisation.

5.2 Billing and financial administration

We use billing and transaction information to:

The lawful bases are performance of a contract, compliance with legal obligations and our legitimate interests in administering payments and protecting our financial position.

5.3 Security, fraud prevention and acceptable use

We use account, device, network and usage information to:

The lawful basis is our legitimate interests in operating a secure and reliable business service and protecting Vellum, its customers and third parties.

5.4 Operating and improving the Service

We use service-use and diagnostic information to:

The lawful bases are performance of a contract and our legitimate interests in maintaining and improving the Service.

We do not use this information for third-party advertising or cross-site behavioural profiling.

5.5 Communications and legal compliance

We use personal data to:

The lawful bases are performance of a contract, compliance with legal obligations and our legitimate interests in managing communications and protecting our legal rights.

5.6 The public regulatory corpus

We process personal data appearing in official public records to:

The lawful basis is our legitimate interests in operating a reliable regulatory-information service and enabling efficient access to official public material.

We consider this processing proportionate because:

We generally do not contact every person mentioned in an official record individually. Where providing individual notice would be impossible or involve disproportionate effort, and applicable law permits us to rely on that exception, we instead make this Policy publicly available and maintain provenance to the relevant official source.

6. Sharing personal data

We disclose personal data only where reasonably necessary for the purposes described in this Policy.

6.1 Service providers

We use service providers including:

These providers may process account, device, network, transaction or service-use information depending on the function they provide.

Some providers act as processors on our instructions. A provider may also act as an independent controller for certain activities it carries out for its own legal, security, fraud-prevention or service-administration purposes. Its own privacy policy applies to that independent processing.

6.2 Other recipients

We may also disclose personal data:

We do not sell personal data or disclose it to third parties for their own advertising.

7. Cookies and similar technologies

The Service uses cookies and similar storage or access technologies that are necessary to:

We do not currently use non-essential advertising cookies or cross-site behavioural trackers on the Service.

Stripe-hosted checkout or billing pages and Clerk authentication functions may use necessary cookies and similar technologies under their respective privacy and cookie policies.

Where a technology is strictly necessary to provide a function you request, consent is not required, but we still provide information about its use. If we introduce a technology for which consent is legally required, we will request consent before using it.

8. International transfers

Vellum is established in the United Kingdom. Our providers and their subprocessors may process personal data in the United Kingdom, European Economic Area, United States and other countries in which they operate.

Where personal data is transferred outside the United Kingdom to a country that is not covered by applicable UK adequacy regulations, we use an appropriate transfer mechanism where required, which may include:

We may also apply contractual, organisational and technical safeguards appropriate to the transfer.

You may contact us for further information about the safeguards relevant to a particular transfer.

9. Retention

We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including legal, accounting, security and dispute-resolution requirements.

Our general retention approach is:

We may retain limited information for longer where required by law, necessary for fraud or security prevention, or relevant to an actual or reasonably anticipated dispute.

10. Account deletion

You may delete your account through the account page or request deletion by emailing contact@vellumintel.com.

Deleting an account:

Deletion does not necessarily remove all information immediately. We may retain limited information where required for:

Stripe and other independent controllers may retain information under their own legal obligations and privacy policies.

Deleting an account does not remove an official public record from the corpus merely because the account holder previously accessed it.

11. Security

We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss or destruction.

These measures may include access controls, authentication, encryption in transit, restricted administrative access, logging, monitoring and provider security controls.

No online service can guarantee absolute security. You are responsible for maintaining control of your email account, devices and API credentials and for notifying us promptly if you suspect compromise.

12. Your rights

Depending on the circumstances and the lawful basis we rely on, you may have the right to:

These rights are not absolute. For example, we may retain information where required by law or where necessary to establish, exercise or defend legal claims. We may also preserve an accurate official or historical public record where applicable law permits.

To exercise a right, email contact@vellumintel.com. We may need to verify your identity and clarify your request.

We normally respond within one month, subject to any lawful extension for a complex request or multiple requests.

If personal data was submitted by an organisation that controls it, we may refer your request to that organisation or assist it in responding.

13. Corrections and objections concerning official records

If you believe that:

you may contact contact@vellumintel.com and identify the relevant record and official source.

We will assess the request in context. Depending on the circumstances, we may:

We cannot alter the content held by the original public authority. Requests to amend the authoritative record may need to be made directly to that authority.

14. Privacy complaints

You may make a complaint about our handling of personal data by emailing contact@vellumintel.com with “Privacy complaint” in the subject line.

We will:

You may also complain to the Information Commissioner’s Office, the United Kingdom’s data-protection supervisory authority.

We would appreciate the opportunity to address your concerns directly before you approach the ICO, but you are not required to contact us first.

15. Automated decisions

We do not use personal data to make solely automated decisions about Service users that produce legal effects or similarly significant effects.

Search ranking, metering, fraud signals and security controls may involve automated processing, but material account enforcement decisions are subject to appropriate review where required.

16. Children

The Service is intended for users aged 18 or over. It is not directed at children, and we do not knowingly create accounts for children.

If you believe that a child has provided personal data through the Service, contact us at contact@vellumintel.com.

17. Changes to this Policy

We may update this Policy to reflect changes to:

If a change materially affects how we use personal data, we will provide reasonable notice by email or through the Service where appropriate.

The date at the top shows when this Policy was last updated.

18. Contact

For privacy questions, rights requests, corrections or complaints:

Vellum AI Group Ltd
Email: contact@vellumintel.com
Company number: 17129362
Registered in: England and Wales