Law Enforcement Policy
1. Overview
Foundry26 is the operator of the Vael mobile application and myvael.app. We take privacy seriously and are committed to protecting user anonymity. However, we recognise our obligations under applicable law and will cooperate with lawful requests from competent authorities.
Vael is designed to collect minimal user data. This page describes exactly what data exists and how law enforcement agencies may request it.
2. What Data We Hold
| Data Type | Availability | Notes |
|---|---|---|
| Anonymous Firebase UID | Yes | System-assigned identifier; not linked to real identity by Vael |
| User pseudonym | Yes | User-chosen display name — not a real name |
| Thought content (text + background image) | Yes — if not deleted | Auto-deleted per content curation schedule or on user request |
| Coarse GeoPoint of thought (±1–2km) | Yes — if thought exists | Approximate only. Precise coordinates are never stored. |
| Precise GPS coordinates | No — never stored | Used in-session only and discarded immediately |
| Chat messages (text, voice, images) | Yes — if not deleted or expired | View-once images auto-delete after 7 days |
| Email address | Yes — admin system only | Collected via OAuth sign-in (Google / Apple / Facebook) for compliance and safety |
| Phone number | No — never collected | |
| OAuth provider (Google/Apple/Facebook) | Token reference only | Email is stored from OAuth sign-in; available subject to valid legal process |
| Device Machine ID | Yes — admin system only | Used for ban enforcement; retained up to 12 months post-ban |
| IP address | Limited — Firebase logs | Firebase (Google LLC) may retain IP logs; may require a separate process served to Google |
| Moderation reports and audit logs | Yes | Retained 24 months under legal obligation |
3. How to Submit a Request
All law enforcement requests must be submitted via email to [email protected] with the subject line "Law Enforcement Request — [Country] — [Case Reference]".
Requests must include:
- Official letterhead from the requesting authority
- Name, badge/warrant number, and verified contact details of the requesting officer
- The legal instrument authorising the request (e.g. court order, search warrant, production order, mutual legal assistance treaty (MLAT) request)
- Specific data fields requested (we will only produce what is specified)
- The User UID or other identifying information (e.g. pseudonym, content URL)
- The scope and time period of the request
4. Legal Standards We Apply
- We require a valid legal process for every request — we do not respond to informal or voluntary requests except in genuine emergencies involving imminent risk to life.
- UK authorities: We require a court order, search warrant, or production notice under applicable UK law (Investigatory Powers Act 2016, or equivalent).
- International authorities (non-UK): Requests must be accompanied by an MLAT or equivalent bilateral agreement. We may require a UK court order for non-emergency international requests.
- Emergency requests: Where there is an imminent risk to life, we may provide limited data without formal legal process. We will document and report any such disclosure in our Transparency Report.
5. User Notification
Where permitted by law, we will notify the affected user of a law enforcement request before complying. We will not notify users if legally prohibited from doing so (e.g. under a non-disclosure order).
6. Response Times
Standard requests: 14 calendar days from receipt of a valid, complete request.
Emergency requests (imminent risk to life): as quickly as practically possible — typically within a few hours of confirming the emergency.
7. Data Preservation Requests
We will honour emergency data preservation requests for up to 90 days pending formal legal process. Preservation requests must be sent to [email protected] with the subject "Preservation Request" and must include a case reference.
8. Transparency
Foundry26 publishes an annual Transparency Report summarising the number of law enforcement requests received, the jurisdictions involved, and the data produced. We do not publish specific case details.
9. Child Sexual Abuse Material (CSAM)
Vael proactively reports any known or detected CSAM to the National Center for Missing & Exploited Children (NCMEC) and the Internet Watch Foundation (IWF), as required by US law (18 U.S.C. § 2258A) and UK law (IWF voluntary agreement). Relevant data is preserved and provided to the appropriate authorities.
Foundry26 · [email protected] · myvael.app · Effective: April 19, 2026