Terms of Service
Effective 23 May 2026 · Version 2.0
These Terms form a binding agreement between you ("Customer") and Vela, governing your use of the vela.watch website, mobile and TV applications, APIs, and proxy/VPN infrastructure. By creating an account or sending traffic through the gateway you accept these Terms in full.
1. The service
Vela offers two product families: Consumer Streaming VPN (Vela B2C) — a residential-IP routing service that lets your device appear to originate from a chosen country; and Vela for Business (Vela B2B) — wholesale residential SOCKS5 / HTTP CONNECT proxy infrastructure billed per byte.
2. Eligibility & account
You must be at least 18 (or the age of majority in your jurisdiction). Keep your password and API keys confidential; you're responsible for all activity under your account until you notify us at security@vela.watch.
3. Free trial & subscriptions
New consumer accounts receive a 7-day free trial, then auto-renew monthly at the then-current price (€2.99/mo) unless cancelled. Cancel any time from your account; cancellation takes effect at the end of the current billing period.
4. Pay-as-you-go (business)
Business accounts use a pre-paid wallet model: top up an EUR balance via Stripe, and the gateway atomically debits it per byte of traffic. When the balance reaches zero, traffic is refused until the wallet is topped up.
5. Refunds
EU/UK consumers benefit from a 14-day right of withdrawal. Business wallet balances are non-refundable once consumed; unused balances may be refunded on written request if the account is in good standing.
6. Acceptable use
Your use is governed by the Acceptable Use Policy, incorporated by reference. Violations may result in immediate suspension without refund.
7. Streaming & third-party subscriptions
Vela does not host or sub-licence any copyrighted media. The Service is a transport layer only. You are responsible for holding a valid subscription with any streaming provider and for complying with their terms.
8–15. IP, suspension, warranties, liability, indemnity, changes, governing law, contact
The Service is provided "as is". Liability is limited per applicable law. Governed by the laws of England and Wales. Contact: legal@vela.watch.
Privacy Policy
Effective 23 May 2026 · Version 2.0
This Privacy Policy explains how Vela collects, uses, discloses, and protects personal data. We act as a data controller for customer account data and as a data processor for traffic B2B customers route through the gateway.
1. Data we collect
| Category | Examples |
| --- | --- |
| Account identifiers | Email, hashed password (Argon2id), customer ID |
| Billing data | Stripe customer ID, last 4 of card, invoices |
| Service metadata | Byte counts, session country, anonymised flow events. We do not log destination URLs, hostnames, headers or payloads. |
2. What we explicitly do not collect
- The websites, URLs or page contents you visit through the tunnel
- DNS query logs
- Card numbers (handled by Stripe)
- Cross-site cookies — the marketing site uses no cookies at all
3. Retention, sharing & your rights
Per-flow records aggregate into daily ledgers within 30 days. We never sell personal data. UK/EU GDPR rights (access, rectification, erasure, portability, objection) can be exercised via privacy@vela.watch.
Acceptable Use Policy
Effective 23 May 2026 · Version 2.0
This AUP governs all use of the Vela Service and is incorporated into the Terms. Breach may result in immediate suspension or termination without refund, and in reporting to law enforcement where required.
1. What Vela is for
- Consumer: routing your own device through a residential IP to access streaming you hold a valid subscription to.
- Business: wholesale residential proxying for legitimate, lawful uses — streaming integration, OTT QA, ad-verification, lawful market research. Business access is streaming-scoped: the gateway routes only allow-listed streaming services and refuses non-streaming destinations by design.
2. Prohibited — absolute
- CSAM or any material exploiting minors — zero tolerance, mandatory referral
- Distributing infringing copyrighted material
- Network attacks (DDoS, port scanning, malware C2)
- Spam, fraud, credential stuffing, carding
- Scraping personal data in violation of privacy law
- Re-selling or exposing the raw gateway without a signed agreement
- Attempting to tunnel non-streaming or arbitrary traffic through the business gateway, or to circumvent the streaming allow-list
- Any use subject to UK/EU/UN/US sanctions
3. Reporting abuse
Report abuse from a Vela exit IP to abuse@vela.watch with timestamp, source IP, destination and evidence. We acknowledge within 24 hours.
Plain-English summary. Use Vela for what it's built for: watching streaming you pay for, or legitimate proxy work. Don't break the law, attack infrastructure, host CSAM or piracy, spam, or abuse the residential pool. We catch it, suspend the account, and refer to law enforcement when required.
Data Processing Addendum
Effective 23 May 2026 · Version 2.0 · UK GDPR & EU GDPR
This DPA forms part of the Terms between Vela ("Processor") and the Business Customer ("Controller") and governs personal data the Processor processes on the Controller's behalf when routing traffic through the Vela B2B residential proxy.
1. Subject matter, nature & purpose
Transit-only processing — establishing a SOCKS5 / HTTP CONNECT session from the Controller's client through a residential exit node, plus per-byte metering, billing and security operations.
2. Roles & obligations
The Controller is data controller for traffic it sends; Vela processes it solely on documented instructions. Personnel are bound by confidentiality; technical and organisational measures are documented in the Security page.
3. Sub-processors
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Ultimate VPS | Privacy-focused server hosting and control-plane infrastructure | Non-EU hosting region (jurisdictional separation; GDPR/DPA commitments retained) |
| Stripe Payments Europe | Payment processing | IE / global |
| Cloudflare | DNS, edge TLS (marketing only) | Global |
| Residential exit-node operators | Last-mile egress under consent | UK + EU |
4. Personal data breach
The Processor will notify the Controller without undue delay and within 72 hours of becoming aware of a breach affecting Controller Personal Data.
Security
Effective 23 May 2026 · Version 2.0
This page documents Vela's security architecture, the controls we operate, how we handle incidents, and how to disclose a vulnerability safely. Referenced from the Terms, Privacy Policy and DPA as our Article 32 technical and organisational measures.
1. Architecture overview
- Control plane — Go service handling auth, billing, account state. Stateless beyond Postgres + Redis, behind Caddy with HSTS.
- Gateway — Go SOCKS5 / HTTP CONNECT terminator with per-flow auth, allow-list enforcement, sticky routing, per-byte metering.
- Database — PostgreSQL, network-isolated, no public ingress.
2. Authentication & secrets
- Argon2id password hashing tuned to ~250 ms
- JWT HS256 session tokens with short TTLs
- API keys bcrypt-hashed; plaintext shown once
- Admin: X-Admin-Token verified with constant-time compare, rate-limited per IP
3. Transport & abuse hardening
TLS 1.2+ everywhere; HSTS with preload. SOCKS5 ATYP=3 (socks5h://) only — DNS always traverses the gateway. Background TCP health-check of upstream nodes every 5 minutes.
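The ATYP=3-only rule above, combined with the gateway's allow-list enforcement from the architecture overview, sketched as an added Go example (not Vela's own code). The allow-list entry `stream.example`, the function names and the choice of RFC 1928 reply codes are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// SOCKS5 reply codes (RFC 1928, section 6).
const (
	repSucceeded       = 0x00
	repGeneralFailure  = 0x01
	repNotAllowed      = 0x02
	repCmdUnsupported  = 0x07
	repAtypUnsupported = 0x08
)

var allowList = map[string]bool{"stream.example": true} // constructed placeholder entry

// domainReq builds a CONNECT request with ATYP=3 (constructed test input).
func domainReq(host string, port uint16) []byte {
	b := append([]byte{0x05, 0x01, 0x00, 0x03, byte(len(host))}, host...)
	return append(b, byte(port>>8), byte(port))
}

// checkRequest validates one complete request (VER CMD RSV ATYP LEN NAME PORT).
func checkRequest(b []byte) (byte, string) {
	if len(b) < 5 || b[0] != 0x05 || b[2] != 0x00 {
		return repGeneralFailure, ""
	}
	if b[1] != 0x01 { // CONNECT only
		return repCmdUnsupported, ""
	}
	if b[3] != 0x03 { // ATYP 1/4 carry an IP the client resolved itself
		return repAtypUnsupported, ""
	}
	n := int(b[4])
	if n == 0 || len(b) != 5+n+2 { // empty name, truncated or trailing bytes
		return repGeneralFailure, ""
	}
	host := strings.ToLower(strings.TrimSuffix(string(b[5:5+n]), "."))
	if !allowList[host] { // also rejects IP literals sent as a "domain"
		return repNotAllowed, ""
	}
	port := uint16(b[5+n])<<8 | uint16(b[5+n+1])
	return repSucceeded, fmt.Sprintf("%s:%d", host, port)
}

func main() { fmt.Println(checkRequest(domainReq("stream.example", 443))) }
```

Because only a hostname is ever accepted, name resolution happens on the gateway side and the allow-list decision is made on the name the client asked for, not on an address it resolved locally.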
4. Coordinated vulnerability disclosure
Send findings to security@vela.watch. Safe-harbour for good-faith research; we acknowledge within 24 hours, triage within 72.
| Stage | Target |
| --- | --- |
| Acknowledge receipt | ≤ 24 hours |
| Initial triage | ≤ 72 hours |
| Critical/High remediation | ≤ 14 days |