Privacy Policy
Last updated May 29, 2026
This is the privacy policy for Provara LLC (“Provara”, “we”, “us”), a Washington single-member limited liability company based in Kirkland, WA. We run the website at vellum-bikes.cc and the bike configurator and customer portal hosted under that domain. Plain-English summary up top; the full detail follows.
In short:
- We collect what we need to quote, build, and deliver a bike to you — and nothing we can't justify.
- We don't sell your data, and we don't use it for ads.
- We use a small set of named subprocessors (Stripe, Plaid, Microsoft, Vercel, Neon, Anthropic) — each one is listed below.
- Plaid is used by Provara staff only, to reconcile our business bank account against payments — customers don't link their banks to Provara.
- Email support@provara.cc any time to see, export, or delete your data.
What we collect
You give us, directly
- Account info — name, email, sign-in method (Google / Apple / Microsoft via OAuth, or a passwordless email).
- Shipping & billing address — collected at checkout for delivery, sales tax calculation, and warranty registration with component brands.
- Build configuration — every component choice you make in the configurator, free-text notes, and the chat transcript with the configurator assistant.
- Payment info — handled directly by Stripe; we receive the result (paid / pending / refunded), not the card number.
- Communications — emails you send to support@provara.cc land in our CRM and we keep the thread for the life of the build and as long as we have any warranty obligation to broker on your behalf.
Collected automatically
- Server logs — IP address, user-agent, requested path, response code. Retained 90 days for security and debugging.
- Cookies — only what's needed to keep you signed in and remember your theme preference. No third-party advertising cookies, no cross-site tracking pixels.
- Vercel platform analytics — Vercel records aggregate request counts and Web Vitals; this data is not joined to your account.
How we use it
- Quote, build, and deliver the bike you ordered.
- Process deposits, balance payments, and refunds via Stripe.
- Email you about your build (status changes, photos, the final invoice).
- Broker warranty and RMA conversations with component manufacturers on your behalf.
- File the sales tax we owe to your state.
- Keep transaction records for the period required by US tax law (currently 7 years).
- Operate, secure, and improve the site (debugging, fraud prevention, capacity planning).
We do not use your information to target advertising, to train a third-party model on your content, or to enrich profiles for resale. Build content you provide to the configurator assistant is sent to Anthropic for model inference under their commercial terms, which forbid them from training on it.
Subprocessors we share data with
We use the following service providers to operate Provara. Each one acts on our instructions under a written contract. We don't sell data to any of them or anyone else.
- Stripe, Inc. (US) — payment processing. Stripe receives the customer's name, email, billing/shipping address, order amount, and the payment card details entered into Stripe's hosted checkout. Provara never sees the card number — only the result (paid / pending / refunded). stripe.com/privacy
- Plaid Inc. (US) — bank account reconciliation for Provara's own business banking. When you (the operator) link a bank, Plaid receives the bank credentials during OAuth and then ongoing account / balance / transaction data on our behalf. Customers do not link their banks to Provara. plaid.com/legal
- Microsoft Corporation (US) — Microsoft 365 hosts the support / sourcing / shipping mailboxes; outbound transactional mail (build updates, invoices, sign-in links) is sent through Microsoft Graph from the support@provara.cc shared mailbox, and inbound replies arrive in the same mailbox and reach our CRM via a Microsoft Power Automate flow that posts the message body to our application. Subject + body of each message are processed and retained by Microsoft per the Microsoft 365 enterprise terms. privacy.microsoft.com/privacystatement
- Vercel Inc. (US) — application hosting, file storage (Vercel Blob), and platform analytics. vercel.com/legal/privacy-policy
- Neon, Inc. (US) — managed Postgres database where build records, accounts, and configurator state live. neon.tech/privacy-policy
- Anthropic, PBC (US) — large-language-model inference for the configurator assistant. We send the message you typed plus the public configurator state; we don't send your address, payment info, or account credentials. anthropic.com/legal/privacy
- OAuth sign-in providers — Google (policies.google.com/privacy), Apple (apple.com/legal/privacy), Microsoft (privacy.microsoft.com). We receive a verified email and (if you let them share it) your display name. They each have their own privacy policy.
How long we keep your data
- Active build records, invoices, payment receipts — for the life of the build plus the period required by US tax and state sales-tax law (currently up to 7 years depending on the record type).
- Account & sign-in records — until you ask us to delete the account, subject to legal-hold exceptions for an active or recent order.
- Support emails — for the life of the relevant build plus any open warranty obligation.
- Server access logs — 90 days.
- Build photos & videos — kept in our build archive unless you ask us to remove them.
Your rights
Email support@provara.cc from the address on file and we'll act on any of the following within 30 days:
- Access — a copy of what we have about you.
- Correction — fix anything that's wrong.
- Deletion — remove your account and data, subject to records we're legally required to keep (e.g. tax records on a completed sale).
- Export — a portable copy of your build configuration and order history.
- Withdraw consent — stop non-essential email at any time; transactional email tied to an active build can't be turned off without cancelling the build.
California residents have these rights under the CCPA/CPRA. Washington residents currently have rights under specific sector laws (e.g. the Washington My Health My Data Act for health data); Washington does not yet have a generic state consumer-privacy statute equivalent to the CCPA. We do not “sell” or “share” personal information as those terms are defined in California law.
Security
Data in transit is protected with TLS. Data at rest in our managed Postgres database is encrypted by Neon. Secrets (API keys, OAuth tokens, Plaid access tokens) are stored encrypted via Vercel Environment Variables and never written to logs. We apply the principle of least privilege to staff access; today, only the LLC's sole member has production system access (Vercel, Neon, Plaid admin). We'll notify you about a personal-data breach affecting your account as required by applicable law and without unreasonable delay.
Professional advisors. Provara's financial records (invoices, payment ledger, sales tax filings, bank reconciliations) are shared with the LLC's authorized advisors — currently a CPA / tax preparer, and any attorney we engage for a specific matter — under a written engagement on a need-to-know basis, for tax filing, financial review, and legal advice. Advisors don't have production system access; they receive exported records. They're bound by their professional ethics rules (e.g. IRC § 7216 for tax preparers, attorney-client privilege) on top of their engagement's confidentiality clause.
Children's privacy
Provara is sold to adults. We don't knowingly collect data from anyone under 13. If you believe we have, email us and we'll delete it.
International transfers
Our servers and every subprocessor we use are located in the United States. If you visit or order from outside the US, your data will be transferred to the US for processing.
Provara is a US-only operation today. We don't actively solicit EU/UK customers and we don't maintain a DPF / SCC program. If you're outside the US and want to use Provara, contact support@provara.cc first so we can confirm we can serve you compliantly.
Changes to this policy
We'll update the date at the top whenever we change anything material, and if the change affects how we use existing data we'll email account holders before the change takes effect.
Contact
Provara LLC
Kirkland, WA
support@provara.cc