Privacy Policy
Effective date: March 31, 2026 · Last updated: March 31, 2026
1. Introduction
Verdact ("we", "our", "us") operates the Verdact API at verdact.app. This Privacy Policy explains how we collect, use, and protect your personal information when you use our service. We process personal data as both a data controller (for account data) and a data processor (for document content you submit).
Zero document retention: Documents submitted to our API are processed entirely in-memory and are never stored to disk or database. This is the foundational privacy guarantee of the service.
2. Data We Collect
Account Data (you provide)
- Email address — used to deliver your API key and transactional notifications
- API key (SHA-256 hash only — we never store your raw key)
- Billing information — collected and stored by Stripe, not by us
Usage Logs (automatically generated)
- Document ID — a SHA-256 hash of submitted content (not reversible)
- Timestamp, page count, entity count, processing duration (milliseconds)
- IP address and API tier — for rate limiting and abuse prevention
We do not store: document content, detected PII text, redacted output, or any personally identifiable information from documents you submit.
3. How We Use Your Data
- Providing and improving the API service
- Billing and subscription management via Stripe
- Sending transactional emails (API key delivery, verification codes, account notices)
- Detecting abuse and enforcing rate limits
- Diagnosing errors via Sentry error monitoring (stack traces only — no document content)
We do not sell your data. We do not use your data for advertising.
4. Legal Bases for Processing (GDPR)
- Contract: Processing your account data and usage logs to provide the service you signed up for
- Legitimate interest: Fraud prevention, rate limiting, security monitoring
- Legal obligation: Retaining billing records as required by law
5. Sub-processors
We share data with the following sub-processors only to the extent necessary to provide the service:
| Sub-processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Railway | API hosting and database | All account and usage data | US (EU-US DPF) |
| Anthropic | Contextual PII detection (Claude API) | Text chunks from submitted documents — no account data | US |
| Stripe | Payment processing | Email address, billing info | US (EU-US DPF) |
| Resend | Transactional email | Email address, email content | US |
| Sentry | Error monitoring | Stack traces, request metadata — no document content | US |
6. Data Retention
- API key metadata: Duration of your account + 30 days after deletion
- Usage logs: 12 months rolling
- Email address: Until account deletion
- Document content: Never stored — zero retention
- Billing records: 7 years (legal requirement)
7. Your Rights
Under GDPR (EU/EEA residents)
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interest
Under CCPA (California residents)
- Know: What personal information we collect and how it's used
- Delete: Request deletion of your personal information
- Opt-out of sale: We do not sell personal information
- Non-discrimination: We will not discriminate for exercising these rights
To exercise any right, email privacy@verdact.app. We respond within 30 days.
8. Security
API keys are stored as SHA-256 hashes only. All data in transit is encrypted with TLS 1.2+. Documents are processed in-memory with no persistence. See our Security page for full details.
9. Changes to This Policy
We will notify you of material changes via email at least 30 days before they take effect. Minor clarifications may be made without notice. The effective date at the top of this page reflects the most recent update.
10. Contact
For privacy questions or to exercise your rights:
Email: privacy@verdact.app
Response time: within 30 days (GDPR statutory maximum)