Veinera Disclosure

Veinera Products & Services Privacy Supplement

This Products & Services Privacy Supplement (the “Supplement”) explains how personal information is processed when you use Veinera’s products, platform, and related services (together, the “Services”). It is intended to be read alongside the Veinera Privacy Statement, which mainly describes data practices for our websites, landing pages, and marketing communications.

This Supplement is written to reflect the way modern B2B SaaS platforms handle data: customer-controlled data is used narrowly to provide the Services, with contractual and technical safeguards. If you are a business customer, a Data Processing Addendum (DPA) may also apply and, where there is any difference, the DPA will govern processing performed by Veinera as a processor on your behalf.

Who is responsible for the data

The Services are typically used by organizations (brands, agencies, and teams). In most cases, the organization that creates the workspace and determines what data is uploaded and how it is used is the controller of that data. In that context, Veinera acts as a processor for personal data contained within “Customer Data,” meaning Veinera processes it on the customer’s documented instructions to deliver the Services.

Veinera may act as a controller for a more limited set of information that is necessary to run the business relationship directly with the customer, such as account administration, billing, authentication, and customer support interactions that are not part of Customer Data. When Veinera acts as a controller, the Veinera Privacy Statement applies, supplemented by this document.

What information is processed in the Services

The Services may process different categories of information depending on how your workspace is configured and which features you enable.

Account and workspace administration information can include user account details (name, email, role), authentication information, workspace settings, subscription plan information, billing contacts, and usage entitlements.

Customer Data is information that customers or their authorized users upload to or generate within the Services. Depending on your use, Customer Data may include campaign briefs, collaboration workflows, creator lists, messages, submissions, files, deliverables, approvals, reporting outputs, and any other information you choose to input or store in the platform.

Creator and partner information may be processed when customers manage creator relationships through Veinera. This can include creator names, public handles/usernames, portfolio links, communication records, campaign participation information, and performance insights generated within the customer’s workspace. Certain information may be sourced from public-facing or customer-provided inputs.

Technical and usage data may be collected as part of operating and securing the Services, such as log data, device information, timestamps, IP addresses, and events tied to system integrity, audit trails, and performance.

Payment-related information may be processed if you use paid features, escrow functionality, or payment workflows. Where payments are enabled, most payment card or bank processing is typically handled by third-party payment providers. In that scenario, Veinera receives limited payment status and transactional metadata needed to provide the Service, while the provider processes payment details under its own privacy and security obligations.

Veinera does not require customers to upload sensitive categories of personal data (such as health data, biometric identifiers, or government-issued IDs) to use the Services. Customers should avoid uploading sensitive data unless explicitly agreed in writing and supported with appropriate safeguards.

How information is used inside the Services

Veinera processes information in the Services primarily to provide and improve the Services in line with customer instructions and configurations.

This includes hosting and maintaining the Services, enabling campaign and collaboration workflows, supporting user actions within the workspace, generating reporting and analytics outputs inside the customer environment, processing customer support requests, and carrying out troubleshooting and error diagnosis.

Veinera also uses certain technical and usage information to protect the security and integrity of the Services, such as monitoring for suspicious activity, preventing abuse, maintaining audit logs, and ensuring reliability, availability, and performance.

Unless otherwise agreed with the customer in writing, Veinera does not use Customer Data to build advertising profiles or to target third-party advertising. Access to Customer Data is restricted and managed to support service delivery, support requests, and security, and is subject to confidentiality obligations.

Customer instructions and customer responsibilities

Customers control what data is uploaded and how it is used in their workspace, including which team members have access and what integrations are enabled.

Customers are responsible for ensuring they have a lawful basis to collect and share personal data with Veinera for processing, and for providing any required notices to individuals whose data is included in Customer Data. Customers are also responsible for ensuring their use of the Services complies with applicable laws, including marketing and communication rules that may require consent in some jurisdictions.

Sharing and disclosure within the Services

Veinera may disclose or make information available in the following limited circumstances.

Service providers and subprocessors may process personal data to support the operation of the Services, such as infrastructure hosting, monitoring, customer support tooling, communications delivery, analytics required for service reliability, and security services. Veinera maintains contractual controls designed to ensure subprocessors only process data to provide services to Veinera and maintain appropriate safeguards.

Within a customer workspace, information may be visible to authorized users based on the permissions and roles assigned by the customer. The customer’s administrators control access rights and can manage and revoke access.

Legal disclosures may occur if required by law, regulation, or valid legal process. Where legally permitted, Veinera will attempt to provide notice to the customer before responding to such requests.

Business transfers may involve disclosure of information as part of a corporate transaction (such as a merger, acquisition, financing, or sale of assets), subject to appropriate confidentiality and lawful notice where required.

Subprocessors and transparency

Veinera uses vetted subprocessors to deliver the Services efficiently and securely. Material changes to subprocessors will be communicated via legal@veinera.com in accordance with the DPA where applicable. Customers may object to new subprocessors on reasonable and substantiated data protection grounds within the objection period described in the DPA.

International transfers

The Services may be provided using infrastructure and support operations that involve cross-border processing. Where Applicable Data Protection Law restricts international transfers, Veinera uses appropriate safeguards. For EEA/UK transfers, this may include reliance on Standard Contractual Clauses and related mechanisms as described in the DPA.

Security and confidentiality

Veinera maintains technical and organizational measures designed to protect personal data processed in the Services against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include access controls, logging, monitoring, and secure transmission practices. Security measures are adapted over time to reflect evolving risks and operational needs, and are not materially reduced without maintaining overall protective intent.

Because no system is perfectly secure, Veinera cannot guarantee absolute security. Customers also play an important role by using strong authentication methods, controlling user access, and maintaining appropriate internal security policies.

Data retention, return, and deletion

Customer Data is retained for the duration of the customer’s subscription and in accordance with the customer’s configuration and contractual terms. When the customer terminates the Services, Veinera will delete or return Customer Data according to the customer’s agreement and DPA, subject to limited backup retention and legal obligations.

Some information may be retained for longer periods when necessary for compliance, dispute resolution, fraud prevention, or enforcing agreements, and such retention will be limited to what is reasonably necessary.

Incident response and breach notification

Veinera maintains incident management procedures designed to detect, respond to, and mitigate security events. If Veinera becomes aware of a personal data breach affecting Customer Data, Veinera will notify the customer without undue delay and provide information reasonably necessary for the customer to meet applicable breach notification obligations, consistent with the DPA.

Your choices and rights in the Services context

If you are an end user accessing the Services through a customer workspace, requests relating to access, correction, deletion, or other rights for Customer Data should typically be directed to the organization that invited you to use the Services, because that organization controls the data and determines how it is processed. Veinera will support customers in responding to such requests where required and feasible under the DPA.

If Veinera processes your personal information as a controller (for example, account administration or billing contact information), you may contact us using the details below.

Veinera Data Processing Addendum (DPA) 

Veinera is designed for brands, agencies, and teams that collaborate with creators and partners at scale. In many cases, the information processed through the Veinera platform may include personal data—such as creator contact details, collaboration messages, submissions, campaign deliverables, and campaign reporting tied to individuals. When Veinera processes that information on behalf of a business customer, it does so under a Data Processing Addendum (“DPA”)that sets out contractual privacy and security obligations aligned with global standards, including the GDPR where applicable.

This page provides a plain-language overview of the DPA and explains when and how it applies. The DPA itself is a contractual document; if you are a customer, the signed DPA (together with any applicable service terms or order form) governs.

When the DPA applies

The DPA applies when a customer uses Veinera’s Services and Veinera processes personal data contained in Customer Data on that customer’s behalf. This commonly includes scenarios where customers upload, store, organize, or generate information about creators, internal stakeholders, or other individuals in the course of running campaigns and collaboration workflows inside the Veinera platform.

The DPA is intended to cover the processing that Veinera performs as a service provider on customer instructions. It is separate from the Veinera Privacy Statement, which primarily addresses personal information collected through the Veinera website and marketing communications.

How roles are allocated (controller and processor)

For Customer Data, the customer generally acts as the data controller, meaning the customer determines the purposes and means of processing, decides what data is uploaded, and configures how the Services are used. Veinera acts as a data processor for that Customer Data, processing it only to provide the Services and in accordance with the customer’s documented instructions.

In limited circumstances, Veinera may act as a controller for operational data related to running the customer relationship itself—such as account administration, billing, authentication, and certain customer support interactions that are not part of Customer Data. Those controller activities are addressed through the Veinera Privacy Statement and relevant supplements.

What the DPA covers

The DPA is structured to address the core contractual requirements that customers and regulators expect for processor relationships. It typically covers, among other topics:

Veinera’s commitment to process personal data only on customer instructions, including to provide, secure, and support the Services. Confidentiality requirements ensuring that individuals authorized to process Customer Data are bound by appropriate confidentiality obligations.

Security commitments requiring Veinera to maintain technical and organizational measures designed to protect Customer Data against unauthorized access, disclosure, loss, or alteration, and to maintain an appropriate level of protection based on risk.

Rules governing the use of subprocessors (vendors that help Veinera deliver the Services), including contractual flow-down obligations, transparency via a subprocessor list, and notice of material changes.

Incident response and personal data breach notification commitments, including notifying the customer without undue delay after becoming aware of a breach affecting Customer Data and providing information reasonably necessary to support the customer’s legal obligations.

Assistance obligations to help customers respond to data subject requests and, where applicable, support with data protection impact assessments and supervisory authority consultations, taking into account the nature of the processing and information available to Veinera.

Terms describing return and deletion of Customer Data when the customer terminates the Services, subject to limited backup retention and legal obligations.

Audit and compliance provisions that allow customers to obtain information necessary to demonstrate compliance, subject to reasonable limits and safeguards.

Subprocessors and transparency

Veinera uses vetted service providers to operate and secure the Services, such as infrastructure hosting, monitoring, communications delivery, customer support tooling, and payment providers (where applicable). These vendors may process Customer Data only to the extent necessary to provide their services to Veinera, and they are subject to contractual obligations designed to protect the data.

Veinera maintains an up-to-date Subprocessor List.. If there are material changes to the subprocessors used for the Services, Veinera will provide notice via [email and/or in-product notice]. Where the DPA provides an objection mechanism, customers may object to a new subprocessor on reasonable, substantiated data protection grounds within the timeframe described in the DPA.

International data transfers

Veinera may process Customer Data in multiple regions depending on customer configuration, hosting choices, and operational needs. Where applicable data protection law restricts cross-border transfers, Veinera implements appropriate safeguards.

For transfers of personal data from the EEA, the DPA is designed to support the use of Standard Contractual Clauses (SCCs) and, where relevant, the UK International Data Transfer Addendum/Agreement. Customers that require a formal SCC package typically execute the DPA and attach the SCC text and completed annexes as part of the contracting set, consistent with modern enterprise procurement expectations.

Security overview

Veinera’s security measures are designed to be proportionate to the nature of the Services and the risks presented by processing. These measures may include access controls and least-privilege permissions, secure transmission practices, logging and monitoring, vulnerability management, and vendor due diligence. Customers also play a role in protecting data by managing user access, enabling appropriate authentication controls, and ensuring that sensitive data is not uploaded unless explicitly supported and agreed.

A high-level description of technical and organizational measures is typically included in an annex to the DPA and may be updated over time to reflect evolving risks, provided that updates do not materially reduce the overall protective intent.

Retention, return, and deletion

Customer Data is retained for the duration of the customer’s subscription and in accordance with the customer’s configuration and contractual terms. Upon termination, Veinera will delete or return Customer Data as set out in the DPA and underlying agreement, subject to limited retention in backups for operational continuity and to comply with legal obligations.

How to request, review, or sign the DPA

Customers may request Veinera’s standard DPA for review and signature. In enterprise contexts, customers may also request a signed SCC package or additional regional commitments depending on their location and industry.

To request the DPA or related documentation, contact:
legal@veinera.com
Suggested subject line: “DPA Request — [Company Name]”

To help Veinera process your request efficiently, include your contracting entity name, primary service region (EU/UK/US/APAC), and any specific procurement requirements (for example, SCCs, audit approach, subprocessor notice method, or hosting region preferences).

Veinera GDPR Notice

Veinera is committed to privacy protections that are aligned with the EU General Data Protection Regulation (“GDPR”) and, where relevant, the UK GDPR and Swiss data protection requirements. This notice explains how GDPR concepts apply to Veinera depending on the context in which you interact with us, including when we act as a data controller and when we act as a data processor. It also describes the lawful bases we rely on where GDPR applies, the rights available to individuals in relevant circumstances, and the safeguards used for international transfers.

This GDPR Notice is intended to be read together with the Veinera Privacy Statement and, for customers of the Veinera platform, the Products & Services Privacy Supplement and any Data Processing Addendum (DPA) entered into with your organization.

How GDPR applies to Veinera in different contexts

When Veinera interacts with you directly—such as when you visit our website, submit a form, request a demo, subscribe to updates, register for events, or communicate with us about our Services—Veinera generally acts as a data controllerfor the personal data processed in that context. Acting as a controller means we determine the purposes and means of processing for those specific activities, such as responding to your request, managing our relationship with you, operating and securing our website, and conducting marketing in a manner permitted by applicable law.

When Veinera provides the Services to business customers and processes personal data contained in Customer Data inside a customer workspace, Veinera typically acts as a data processor on behalf of that customer. In these situations, the customer generally determines what personal data is uploaded, how it is used, who can access it, and which integrations are enabled. Veinera processes Customer Data only to provide, secure, and support the Services and in accordance with the customer’s documented instructions, as set out in the applicable DPA.

If you use Veinera through an organization (for example, your employer, an agency, or a brand workspace that invited you), privacy responsibilities for the Customer Data in that workspace are primarily managed by that organization as the controller. Veinera supports customers in fulfilling GDPR obligations for Customer Data where required under the DPA.

Lawful bases for processing where Veinera is the controller

Where GDPR applies and Veinera acts as a controller, we process personal data only when we have a lawful basis under Article 6 GDPR. The lawful basis will depend on the context and may include:

• Consent, where required (for example, for certain cookies or marketing activities in some regions)

• Performance of a contract or taking steps at your request prior to entering into a contract (for example, providing access to requested materials or responding to a demo request)

• Compliance with legal obligations (for example, recordkeeping or responding to lawful requests)

• Protection of vital interests, in rare circumstances where necessary to protect someone’s life

• Performance of a task carried out in the public interest, where applicable (generally not the primary basis for Veinera’s commercial Services)

• Legitimate interests, such as operating and improving our website, maintaining security, preventing fraud and abuse, and conducting proportionate B2B marketing where permitted, provided those interests are not overridden by your rights and freedoms

The lawful basis used in a given situation can affect which rights apply and how they apply. For example, you may withdraw consent where processing is based on consent, and you may have the right to object where processing is based on legitimate interests.

Your rights under GDPR

Where Veinera acts as a controller and GDPR applies, you may have rights to request access to your personal data, request correction, request deletion in certain circumstances, request restriction of processing, request portability, and object to certain processing, including certain marketing-related processing. Where we rely on consent, you may withdraw your consent at any time. You may also have the right to lodge a complaint with a competent supervisory authority in the EU/EEA.

We will respond to verified requests in accordance with applicable law and aim to respond without undue delay. GDPR generally requires responses within one month, although this period may be extended in limited circumstances permitted by law.

If your request relates to Customer Data in a workspace managed by an organization (for example, a brand or agency account that invited you), your request should generally be directed to that organization as the controller. Where appropriate, Veinera will support the customer in responding to such requests under the DPA.

International transfers and transfer safeguards

Veinera may process personal data in countries outside the EU/EEA depending on where infrastructure is located, where support functions operate, or where vetted service providers (subprocessors) are based. Where GDPR restricts transfers to countries that are not subject to an adequacy decision, Veinera uses appropriate safeguards.

These safeguards may include the European Commission’s Standard Contractual Clauses (SCCs) and, where relevant, the UK International Data Transfer Addendum/Agreement, together with supplementary measures where appropriate. Details of transfer safeguards may also be addressed in the DPA for business customers.

How to contact us

For GDPR-related questions, or to submit a rights request where Veinera is acting as a controller, you can contact:

Veinova CV (Veinera)
Treasury Tower, 31st Floor, Jl. Jend. Sudirman Kav. 52–53, District 8, SCBD, Jakarta 12190
Email: legal@veinera.com