Last updated: May 2026  ·  Vellum Intelligence Corp.

1. Who we are

Vellum Intelligence Corp. ("Vellum Intelligence", "we", "us", or "our") operates the website at vellumintel.com and provides AI-native intelligence services covering regulatory, policy, and compliance matters across digital and financial regulation. We are the data controller for any personal data you provide to us.

For all data protection enquiries, contact us at: privacy@vellumintel.com

2. What data we collect

We collect personal data only when you voluntarily provide it to us, or when it is generated as a necessary part of delivering our services. This includes:

• Contact form submissions — name, organisation, email address, and the content of your message when you use our "Get in touch" form.
• Client onboarding data — information you provide through our secure onboarding form, including organisational details, strategic priorities, and contact information.
• Communications — the contents of emails or messages you send to us directly.
• Technical data — if you consent to analytics cookies, we may collect anonymised information about how you interact with our website (pages visited, time on site, device type). This data does not identify you personally.
• Claude MCP add-on data — for subscribers who have activated the Claude MCP add-on on their subscription: the API key issued to the subscriber, a record of which Vellum tools were called, timestamps, and a minimal log of which monitors and briefs were queried. We do not log the content of the questions you ask Claude, nor the conversations in which Vellum tools are called. Further detail is set out in Section 6 below.

We do not collect sensitive personal data (such as health information, political opinions, or financial data) through this website.

3. How we use your data

We use your personal data for the following purposes:

• To respond to your enquiries and assess whether our services are a suitable fit for your needs.
• To deliver intelligence services to clients who have engaged us.
• To communicate with you about your account, our work, or relevant developments.
• To improve our website and service offering, where you have consented to analytics.
• To comply with applicable legal obligations.

4. Legal basis for processing

We rely on the following legal bases under UK GDPR and EU GDPR:

• Legitimate interests — to respond to enquiries, deliver services to clients, and improve our operations, where these interests are not overridden by your rights.
• Contract performance — to fulfil our obligations under any agreement with you or your organisation.
• Consent — for optional analytics cookies, where you have given explicit consent through our cookie preference banner.
• Legal obligation — where we are required to process your data to comply with applicable law.

5. Third-party processors

We use a small number of trusted third-party services to operate this website and our services. Each processes data only as necessary for the specified purpose:

• Formspree (formspree.io) — processes contact form submissions and securely routes them to our team. Formspree is subject to its own privacy policy at formspree.io/legal/privacy-policy.
• Cloudflare — provides security, performance, and bot-protection services for this website. Cloudflare may process limited technical data (such as IP addresses) to deliver these functions. See cloudflare.com/privacypolicy.
• Anthropic PBC — for subscribers who have activated the Claude MCP add-on: Anthropic operates the Claude environments (Claude Desktop, Claude Code, Claude for Microsoft 365, and the Claude API) through which subscribers query Vellum monitors. When a subscriber's Claude instance calls a Vellum MCP tool, the request transits Anthropic's infrastructure. Anthropic's processing of that traffic is governed by Anthropic's own privacy policy at anthropic.com/legal/privacy, which the subscriber accepts when they configure their Claude account. Further detail on the Vellum ↔ Anthropic data flow is set out in Section 6.

We do not sell, rent, or share your personal data with any other third parties for marketing or commercial purposes.

6. Claude MCP add-on

Vellum offers a Claude MCP (Model Context Protocol) add-on as part of selected monitor subscriptions. The add-on allows subscribers to query their Vellum monitor content directly from within Claude environments — including Claude Desktop, Claude Code, Claude for Microsoft 365, and other environments that support the Model Context Protocol. This section sets out the specific data-handling practices that apply when the add-on is activated.

6.1 What is processed

When a subscriber configures their Claude environment with the Vellum MCP connector and then queries Vellum monitors, the following data is processed:

• Authentication credential — the API key issued to the subscriber, transmitted with each tool call to authenticate the request and verify the subscriber's entitlements (which monitors they subscribe to, whether MCP access is on their plan).
• Tool-call metadata — the name of the Vellum tool being called (for example, vellum_search, vellum_get_brief), the parameters supplied to that tool (such as a monitor identifier or a brief ID), and a timestamp.
• Response content — the Vellum monitor or brief content returned to the subscriber's Claude environment in response to the call, drawn from Vellum's published editorial library for that subscriber's subscribed monitors.

We do not log, store, or have access to:

• The content of the questions a subscriber asks Claude.
• The conversations a subscriber has in Claude, including the broader context in which a Vellum tool is called.
• Any other data from a subscriber's Claude environment, including documents, emails, calendar items, or files the subscriber may have connected to Claude from other sources.

The Vellum MCP connector exposes read-only tools — it can return monitor content to a subscriber's Claude environment, but it cannot read from, write to, or otherwise act on any other data in that environment.

6.2 The Vellum ↔ Anthropic data flow

Tool calls from a subscriber's Claude environment transit Anthropic's infrastructure to reach Vellum's MCP server. Specifically:

• The subscriber configures the Vellum connector in their Claude environment with the URL of the Vellum MCP server and their Vellum API key.
• When the subscriber asks Claude a question that calls a Vellum tool, Anthropic's Claude product sends the tool-call request — including the subscriber's API key in the request header and the tool parameters in the request body — to the Vellum MCP server.
• The Vellum MCP server verifies the API key, checks the subscriber's entitlements, retrieves the relevant content from Vellum's editorial library, and returns it to the subscriber's Claude environment.
• Anthropic's handling of the request as it transits Anthropic's infrastructure is governed by Anthropic's privacy policy at anthropic.com/legal/privacy, including Anthropic's commitments on whether and how customer data is used to train Anthropic's models. Subscribers accept Anthropic's privacy policy when they configure their Claude account.
• Vellum is not a controller of subscriber-side data inside Anthropic's environment (questions asked, conversation context, files connected). That relationship is between the subscriber and Anthropic.

6.3 No use of subscriber data for AI training

Vellum does not use any data processed through the MCP add-on — including tool calls, parameters, response content, or any inference from usage patterns — to train, fine-tune, or otherwise develop AI models, our own or anyone else's. Vellum's editorial product is human-led; we do not train models on subscriber-side usage of our content.

Anthropic's separate commitments regarding the use of customer data to train Anthropic's models are governed by Anthropic's privacy policy and Anthropic's commercial terms. Enterprise and commercial Claude plans typically give the customer control over whether their data is used for Anthropic model training; subscribers should review Anthropic's current policies and their plan settings if this matters for their organisation.

6.4 Retention

Tool-call metadata logs (tool name, parameters, timestamp, subscriber identifier) are retained for up to 90 days for the purposes of operational monitoring, security incident investigation, and subscriber-specific quota and entitlement enforcement. After 90 days, individual tool-call logs are deleted; aggregated and anonymised usage metrics may be retained for longer in order to operate the service and inform product development.

Response content (the monitor and brief content Vellum's MCP server returns) is not separately stored in connection with individual tool calls — it is drawn from Vellum's existing editorial library at the time of the call and returned to the requesting Claude environment without persistent per-call duplication on the Vellum side.

6.5 Security

API keys are issued per subscriber and tied to the subscriber's plan entitlements. Subscribers are responsible for protecting their API keys; if a key is exposed, subscribers should contact us at privacy@vellumintel.com to have it revoked and reissued. Vellum applies industry-standard controls to the MCP server, including HTTPS in transit, authentication checks on every call, and rate-limiting to mitigate abuse.

6.6 Subscriber controls

Subscribers may at any time:

• Disable the Vellum connector in their Claude environment, after which Claude can no longer call Vellum tools.
• Request that Vellum revoke the subscriber's API key, after which any tool calls made with that key are rejected.
• Request a copy of the tool-call metadata logs associated with their API key, or request earlier deletion of those logs, by writing to privacy@vellumintel.com, subject to the rights set out in Section 9 below.

Removing the MCP add-on from a subscription does not affect the underlying monitor subscription, which continues to be governed by the subscriber's engagement letter and the rest of this policy.

7. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Contact form enquiries that do not lead to an engagement are retained for up to 12 months.
• Client data is retained for the duration of the engagement and for a reasonable period thereafter (typically 3 years) for record-keeping and legal compliance purposes.
• Analytics data, where collected, is retained in anonymised or aggregated form only.
• Claude MCP add-on tool-call metadata is retained for up to 90 days, as further set out in Section 6.4.

8. Cookies

This website uses cookies in two categories:

• Essential cookies — strictly necessary for the website to function (e.g. security and session management). These cannot be disabled.
• Analytics cookies — used to understand how visitors interact with the site in order to improve it. These are only set if you choose to "Accept" via our cookie consent banner. You may withdraw consent at any time by clearing your browser cookies.

We do not use advertising, tracking, or social media cookies.

9. Your rights

Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:

• Right of access — to request a copy of the personal data we hold about you.
• Right to rectification — to request correction of inaccurate or incomplete data.
• Right to erasure — to request deletion of your personal data, subject to our legal obligations.
• Right to restriction — to request that we limit how we use your data in certain circumstances.
• Right to data portability — to receive your data in a structured, machine-readable format.
• Right to object — to object to processing based on legitimate interests.
• Right to withdraw consent — where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@vellumintel.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK at ico.org.uk, or with your local supervisory authority within the EU.

10. International transfers

Vellum Intelligence operates primarily from the United Kingdom. If any personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including reliance on adequacy decisions or standard contractual clauses.

For subscribers using the Claude MCP add-on: Anthropic PBC is incorporated in the United States, and tool calls between a subscriber's Claude environment and the Vellum MCP server may transit US-based infrastructure as a function of how Anthropic operates Claude. Anthropic's handling of personal data in this context is governed by Anthropic's privacy policy and the terms applicable to the subscriber's Claude account. Vellum maintains appropriate contractual safeguards with its own infrastructure providers.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Material changes affecting active subscribers will be communicated directly.

12. Contact

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at:

Vellum Intelligence Corp.
Email: privacy@vellumintel.com