Privacy Policy
This Privacy Policy explains how Verdatir AB collects, uses, and shares personal data when you use our website and services.
Effective: October 24, 2025 · Last updated: October 24, 2025
1. Who we are
Verdatir AB is the operator of the Verdatir service. Registered address: Stockholm, Sweden [Assumption]. For privacy inquiries, contact support@verdatir.com.
2. Roles and scope
This policy covers personal data processed in connection with our public website and the Verdatir SaaS platform.
Roles: Verdatir AB acts as (i) Controller for our website, accounts, billing, and support; and (ii) Processor for customer-uploaded content under our Data Processing Addendum (DPA).
See our DPA at /legal/dpa [Assumption link] and our subprocessor list at /legal/subprocessors [Assumption link].
3. Personal data we collect
We collect the following personal data:
Account data: name, email, organization, role.
Authentication data: password hashes, tokens.
Content you or your organization upload (files, documents).
Usage and diagnostics: IP address, device/browser, logs, performance and error reports.
Payment metadata from processors (limited): payer ID, subscription status; no full card data is stored by us.
Cookie and consent preferences.
Sensitive data: we do not require it; if you upload it, you are responsible for lawfulness and minimization.
4. Sources of data
You provide data directly when you sign up, upload content, or contact support.
Automatically via the service (cookies, logs, device signals).
Third parties such as payment processors or identity providers.
5. Why we process your data
Provide and operate the service, including authentication and account management.
Billing and subscription management.
Support and troubleshooting.
Security, fraud prevention and legal compliance.
Product improvement and analytics (only with opt-in consent in EU/UK).
Service and transactional communications.
6. Legal bases (EU/UK)
We rely on: (a) contract performance, (b) legal obligations, (c) legitimate interests (product improvement, security), and (d) consent for non-essential cookies and analytics in EU/UK.
7. Third parties and subprocessors
We use trusted providers to operate the service. Key subprocessors:
| Vendor | Purpose | Region | Safeguard |
|---|---|---|---|
| Supabase | Database, auth, storage | EU | EU SCCs as needed |
| Vercel | Hosting | EU+US | EU SCCs / UK IDTA where applicable |
| Stripe | Payments | US/EU | EU SCCs / DPF participation as applicable |
| OpenAI | Optional AI features (opt-in) | US/EU | EU SCCs |
We will provide at least 30 days’ notice of subprocessor changes at /legal/subprocessors [Assumption]. We disclose data to regulators or others where required by law.
8. Data transfers outside the EEA/UK
Where transfers occur to countries without an adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum for transfers from the UK. Where vendors participate in the EU–US Data Privacy Framework we note participation as supplemental assurance.
9. Cookies and analytics
We use necessary cookies for authentication and security. Analytics are OFF by default. If enabled, we use Plausible (EU-hosted) with opt-in consent in the EU/UK. Manage or withdraw consent via the “Privacy Preferences” link in the footer.
See our Cookie details for categories and retention [Assumption: link to cookie policy].
10. Data retention
Account and profile data: retained while the account is active or as needed to provide the service.
Billing records: 7 years or as required by law.
Logs and diagnostics: up to 1 year (aggregated thereafter).
Uploaded documents: until account deletion or as instructed by the customer.
Deletion SLA: we aim to delete personal data within 30 days of a confirmed request; backups are purged within 90 days.
11. Security
We use TLS in transit, encryption at rest (including backups), role-based access controls, and periodic security reviews. No SOC 2/ISO certification at this time.
If a security incident is likely to pose a risk to your rights and freedoms, we will notify you without undue delay and notify regulators where required by law.
12. Your rights and choices
Depending on your jurisdiction you can request access, correction, deletion, restriction, portability, or objection. Email support@verdatir.com. We respond within legal timelines (typically 30–45 days, extendable).
Verification: We may request additional information to verify identity and authority for CCPA/CPRA requests.
Appeals: If you disagree with our decision, email support@verdatir.com with “Appeal” in the subject; we will review and respond.
13. Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects without human involvement.
14. Marketing communications
We may send product or transactional messages (for example, service updates). Where consent is required we will request it. You can opt out at any time via in-message links or by emailing support@verdatir.com.
15. Minors
Our services are not intended for minors. You must be at least 16 years old to use the service. We do not knowingly collect personal data from children.
16. CPRA Do-Not-Sell/Share and GPC
We do not “sell” or “share” personal information as defined by the CPRA and do not engage in targeted advertising. We honor Global Privacy Control (GPC) signals as valid opt-out preferences.
17. Data incidents
We will assess incidents promptly and notify affected users and regulators where required. We maintain logs and access controls to support investigations.
18. Changes to this policy
We may update this policy. Material changes will be notified by email or in-product notice before they take effect.
19. Contact
Contact Verdatir AB at support@verdatir.com. Postal address: Stockholm, Sweden [Assumption].