Privacy Policy

Last updated: March 2026 · Compliant with EU GDPR · California CCPA · UK GDPR

This policy explains how VeriflyAI Lda ("VeriflyAI", "we", "our") collects, uses, stores and protects your personal data when you use our Service.

1. Data Controller

Data Controller: VeriflyAI Lda

Registered: Portugal, European Union

DPO Contact: support@veriflyai.com

2. Data We Collect

Account data: Email address, encrypted password, registration date, plan/subscription status.

Profile data: Usage counters (analyses used, documents generated), preferred language and country, subscription history.

Document content: Text you submit for analysis, answers you provide when generating documents. This content is processed by our AI models and may be temporarily cached for performance. We do not use your document content to train AI models.

Usage data: Pages visited, features used, AI task types, response times, error logs. Collected anonymously for service improvement.

Payment data: Subscription status, billing history. Payment card details are processed exclusively by Stripe — we never see or store your card number.

Technical data: IP address, browser type, device type, operating system, cookies. See our Cookie Policy.

3. Legal Basis for Processing (GDPR Article 6)

Contract performance (Art. 6(1)(b))

Processing your account data, usage data and document content to provide the Service you signed up for.

Legitimate interests (Art. 6(1)(f))

Fraud prevention, security, service improvement, anonymised analytics.

Legal obligation (Art. 6(1)(c))

Retaining billing records as required by Portuguese/EU tax law.

Consent (Art. 6(1)(a))

Marketing communications (opt-in only). You may withdraw consent at any time.

4. How We Use Your Data

  • Providing, maintaining and improving the Service
  • Processing your document analysis and generation requests via AI
  • Managing your account, subscription and billing
  • Sending service notifications (account alerts, payment receipts)
  • Detecting and preventing fraud, abuse and security threats
  • Complying with legal obligations
  • Sending marketing communications if you opt in

We never sell your personal data to third parties.

5. Third-Party Processors

Supabase (Supabase Inc., USA)

Database and authentication provider. Your account data and document history are stored in Supabase. Data stored in EU region (eu-west-1). DPA in place.

Anthropic, PBC (USA)

AI model provider (Claude). Your document text is sent to Anthropic's API for processing. Anthropic does not use API inputs to train models.

Stripe, Inc. (USA)

Payment processing. Stripe is PCI-DSS certified and handles all payment data. We never receive your full card details.

Vercel, Inc. (USA)

Hosting and CDN. Processes request logs containing IP addresses. EU data transfer covered by Standard Contractual Clauses.

6. International Transfers

Some processors (Anthropic, Stripe, Vercel) are based in the USA. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) as approved by the EU Commission
  • Adequacy decisions where applicable
  • Data Processing Agreements (DPAs) with all processors

7. Data Retention

Account data: Retained for the duration of your account plus 12 months after deletion, except where legal obligations require longer retention.

Document content: Retained for the duration of your account. You may delete individual documents at any time from History.

Billing records: Retained for 10 years as required by Portuguese tax law (IRS/IVA).

AI processing logs: Anonymised and retained for 90 days for debugging.

When you delete your account, your personal data is erased within 30 days from our systems, subject to legal retention obligations.

8. Your Rights (GDPR)

As a data subject under EU GDPR, you have the right to:

Access (Art. 15)

Request a copy of all data we hold about you

Rectification (Art. 16)

Correct inaccurate or incomplete data

Erasure (Art. 17)

Request deletion ("right to be forgotten")

Portability (Art. 20)

Export your data in a machine-readable format

Restriction (Art. 18)

Limit how we process your data

Objection (Art. 21)

Object to processing based on legitimate interests

Withdraw consent

At any time, for consent-based processing

Lodge a complaint

With the CNPD (Portuguese DPA) or your local authority

To exercise your rights, email support@veriflyai.com. We respond within 30 days. You may also exercise most rights directly in your account settings.

9. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) / CPRA:

  • Right to know: What personal information we collect, use, disclose or sell
  • Right to delete: Request deletion of your personal information
  • Right to opt-out: We do not sell personal information. No opt-out needed.
  • Right to non-discrimination: We will not discriminate against you for exercising your rights
  • Right to correct: Request correction of inaccurate personal information

To exercise CCPA rights, contact support@veriflyai.com with subject "CCPA Request".

10. Security

We implement appropriate technical and organisational measures to protect your data:

  • All data in transit encrypted via TLS 1.3
  • Database encrypted at rest (AES-256)
  • Row-Level Security on all database tables
  • Passwords hashed with bcrypt (never stored in plaintext)
  • Access controls and least-privilege principle
  • Regular security assessments

In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

11. Cookies

We use essential cookies for authentication and session management. See our Cookie Policy for full details.

12. Children

VeriflyAI is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at support@veriflyai.com and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or in-app notice at least 30 days in advance. Continued use after changes take effect constitutes acceptance.

14. Contact & Complaints

Data Protection Officer: support@veriflyai.com

CNPD (Portugal): www.cnpd.pt