Privacy policy

How VEREID collects, processes, retains, and protects personal data.

Effective May 28, 2026 · Version 2.0 · Questions? legal@vereid.com

Privacy Policy

Effective date: 28 May 2026 · Version: 2.0

VEREID, Inc. ("VEREID", "we", "our", or "us") provides identity-anchored social, authentication, and verification products. Trust depends on our being explicit about what we collect, why we collect it, who we share it with, and how long we keep it. This Privacy Policy describes those practices in plain English and in the legal precision that regulators in the U.S., E.U., U.K., Australia, and elsewhere expect.

This Policy covers the websites at vereid.com and its sub-domains, the VEREID mobile and desktop applications, our APIs and SDKs, and our business communications (collectively, the "Services"). It does not cover (a) products operated by third parties to which we may link or (b) data we process strictly on behalf of a customer that has signed a Data Processing Addendum ("DPA") with us — in those cases, the customer's own privacy notice governs and we act as a "processor" or "service provider".

If our role is "controller", we determine why and how your personal data is processed. If our role is "processor" (under the GDPR) or "service provider" (under the CCPA), we act on a customer's instructions. The roles are flagged below where the distinction matters.


1. Personal data we collect

We collect personal data in three ways: (a) you give it to us, (b) it is generated when you use the Services, and (c) we receive it from a third party you have authorized.

1.1 Information you give us

Category | Examples
Account | Name, email, password (hashed), handle, profile photo, bio, language, pronouns
Identity verification | Government ID images, selfie, liveness video, address, date of birth, declared occupation; for business customers, registration number, beneficial owners, ID of authorized signers
Billing | Tax ID, billing address, payment-method last 4, expiration; full card numbers are stored only by our PCI-DSS-certified payment processor
Communications | Messages you send us through support, sales, or in-product chat
Content | Posts, replies, reshares, direct messages, uploads, reactions, follows

1.2 Information generated when you use the Services

Category | Examples
Device & connection | IP address, browser type, OS, device model, language, time zone, screen size
Usage | Pages viewed, features used, sessions, API calls, error reports
Cookies & local storage | Authentication, preference, and consented analytics identifiers (see Cookie & Consent Policy)
Security signals | Login attempts, MFA challenges, suspected fraud indicators, rate-limit triggers

1.3 Information we receive from third parties

Category | Source
OAuth profile (name, email, avatar) | Google or other identity providers you choose
Document & liveness checks | Identity-verification sub-processors (see Sub-processors)
Sanctions, PEP, adverse-media screening | Specialized compliance providers (Tier-3+ only)
Card network responses | Payment processor (Stripe)
Abuse signals | Industry threat-intelligence feeds

We do not purchase consumer data from data brokers for marketing.

1.4 Sensitive categories

The Services may incidentally process the following sensitive data when you have asked us to verify your identity:

  • Biometric data (face geometry derived from selfies and liveness videos) — only with your explicit consent, only for verification, retained per the Biometric Retention Policy.
  • Government-issued identifiers (passport numbers, national IDs) — minimized, encrypted, and access-logged.
  • Health, religion, sexual orientation, etc. — we do not ask for these and discourage you from posting them. If they appear in user-generated content you control, we process them only to host that content as you instructed.

2. Why we process personal data

We process personal data only where we have a lawful basis to do so. Under the GDPR / UK GDPR the bases are: contract performance, legal obligation, legitimate interests, and consent.

Purpose | Categories used | Lawful basis (EEA/UK)
Create and maintain your account | Account, device | Contract
Sign you in (passkey / magic link / OAuth) | Account, security signals | Contract
Identity verification & tier issuance | Identity, biometric | Consent (biometric) + contract
Operate the social feed and DMs | Content, account | Contract
Bill you and prevent payment fraud | Billing, device | Contract + legitimate interests
Detect, prevent, and investigate abuse, spam, fraud | Usage, security, content | Legitimate interests + legal obligation
Comply with AML/KYC, sanctions, tax, accounting | Identity, billing | Legal obligation
Send service notices (security alerts, policy changes) | Account | Contract / legal obligation
Send marketing emails | Account | Consent (EEA/UK) / opt-out (U.S.)
Improve and develop the Services | Usage, content (aggregated) | Legitimate interests
Respond to legal process | Whatever is responsive | Legal obligation

You can withdraw consent or object to legitimate-interest processing at any time using the controls described in Section 8.


3. How we share personal data

We share personal data only in the ways described below. We do not sell personal data, and we do not "share" personal data for cross-context behavioral advertising as defined by the CCPA/CPRA.

3.1 With other users

Information you choose to make public (your handle, display name, public posts, profile photo, tier badge) is visible to other users and, where applicable, to federated networks. Direct messages are visible only to the participants.

3.2 With our sub-processors

We use carefully selected service providers to operate the Services (hosting, email delivery, identity verification, error monitoring, customer support, payments). Each is bound by a written contract that imposes confidentiality, security, and data-protection obligations at least as strict as those in this Policy. The current list is maintained at /legal/sub-processors and we provide notice before adding a new sub-processor that processes Customer Content.

3.3 With customers (where we are a processor)

If you interact with a third party's product that uses VEREID Auth or VEREID Identity, we share the minimum personal data necessary to fulfill that interaction (e.g., a verified-claim assertion) under the customer's own privacy notice.

3.4 With authorities

We disclose personal data to law-enforcement, regulators, courts, or other government bodies only when (a) we have a good-faith belief that disclosure is required by valid legal process; (b) it is necessary to protect the rights, property, or safety of VEREID, our users, or the public; or (c) you have given us specific consent. We push back on overbroad requests, publish a transparency report annually, and notify affected users where lawful.

3.5 In a corporate transaction

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred as part of the transaction. We will require the successor entity to honor this Policy or notify you of any material change and your choices before the transfer.


4. International transfers

We are headquartered in the United States and use sub-processors in the United States, the European Economic Area, the United Kingdom, Canada, Australia, and elsewhere. When personal data leaves a jurisdiction, we rely on appropriate safeguards, which may include:

  • The European Commission's Standard Contractual Clauses (2021/914) and the U.K. International Data Transfer Addendum;
  • Adequacy decisions of the European Commission;
  • The EU–U.S. Data Privacy Framework, the U.K. Extension, and the Swiss–U.S. DPF where the recipient is self-certified;
  • Your explicit consent where no other safeguard is available.

A copy of the SCCs in force for a specific data flow is available on request to privacy@vereid.com.


5. How long we keep personal data

We retain personal data only as long as necessary for the purposes set out in this Policy or as required by law. Specific retention windows are documented in our Records of Processing Activities; the headline figures are:

Data | Retention
Account and profile | Lifetime of account; deleted on closure
Public posts, public replies | Lifetime of account; deleted on closure (caches in federated networks may persist)
Direct messages | Until you or the other participant deletes; deleted on account closure
Identity verification records (T1–T6) | 7 years after the linked account is closed, where required for AML/KYC defense
Biometric templates (selfie geometry) | 12 months after collection, then irreversibly deleted; raw selfie/video destroyed within 30 days of successful verification (see Biometric Retention Policy)
Billing records | 7 years (tax/accounting)
Security logs | 13 months
Application logs (no PII) | 30 days
Backups | 35 days rolling

Deletion means logical deletion plus expiry from rolling backups within 35 days. Cryptographic shredding (deletion of the per-user encryption key) is applied where supported.


6. How we protect personal data

We maintain an information-security program aligned to ISO/IEC 27001 and SOC 2 (audit reports available on request under NDA). Key controls include:

  • Encryption in transit with TLS 1.2 or higher; at rest with AES-256; per-user key derivation for biometric templates.
  • Least privilege access; production data access requires SSO + hardware MFA and is logged.
  • Network segmentation with private VPCs, no public DB endpoints, and managed secrets.
  • Application security: code review, static analysis, dependency scanning, secrets scanning, and a published vulnerability-disclosure program (security@vereid.com).
  • Operational rigor: 24/7 on-call, change-management approvals, immutable audit logs, annual penetration tests by an independent firm.
  • Resilience: multi-AZ deployments, daily backups, documented disaster-recovery runbooks tested quarterly (RPO ≤ 1 hour, RTO ≤ 4 hours).
  • Personnel: background checks where lawful, mandatory annual security and privacy training, written confidentiality agreements.

No system is perfect. If we become aware of a personal-data breach that affects you, we will notify you and the relevant supervisory authority within the timelines required by applicable law (no later than 72 hours under the GDPR).


7. Your rights

Depending on where you live, you have some or all of the following rights with respect to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification / correction — ask us to correct inaccurate or incomplete data.
  • Erasure / deletion — ask us to delete data we no longer need, subject to our legal-retention duties.
  • Restriction — ask us to limit the processing of certain data while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on our legitimate interests or direct marketing.
  • Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior lawful processing.
  • Non-discrimination — exercise these rights without being denied service or charged a different price.
  • Lodge a complaint — with your local supervisory authority (e.g., the Irish DPC in the E.U., the ICO in the U.K., the OAIC in Australia, the California Privacy Protection Agency in California).

To exercise a right, use the in-product Privacy controls in Settings → Privacy, send a request to privacy@vereid.com, or submit through the channels listed at /legal/dsr. We verify your identity before acting, respond within 30 days (extendable by 60 days for complex requests as permitted by law), and never charge a fee for the first request in any 12-month period.

If you are a California resident, you also have the right to know the categories of personal information collected, the categories of sources, the business or commercial purpose, and the categories of third parties to which it is disclosed — all of which are listed in Section 1 and Section 3. You may also designate an authorized agent to act on your behalf.


8. Choices and controls

  • Account & profile — edit or delete in Settings → Profile.
  • Privacy posture — change visibility, DM-from-verified-only, and tier-display rules in Settings → Privacy.
  • Cookies & analytics — adjust in the cookie banner or Settings → Cookies; we honor the Global Privacy Control signal.
  • Marketing email — unsubscribe link in every marketing email; instant in product.
  • Push notifications — control via your operating system or Settings → Notifications.
  • Close account: Settings → Account → Close account. Final deletion completes within 30 days, subject to backup-expiry and legal-retention obligations described above.

9. Children

The Services are not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact privacy@vereid.com and we will delete it. Where local law sets a higher digital-consent age (for example, 16 in many E.U. member states), we apply that age.


10. Automated decision-making

Some of our identity-verification, fraud-prevention, and tier-issuance workflows include automated decision-making, including profiling, where a decision could produce a legal or similarly significant effect on you (e.g., refusing to issue a tier). You have the right to obtain human review of such a decision, to express your point of view, and to contest it. To exercise these rights, email privacy@vereid.com with the subject line "Automated decision review".


11. Changes to this Policy

We may update this Policy from time to time. The "Effective date" at the top reflects the most recent change. If we make a material change, we will notify you by email or an in-product banner at least 30 days before the change takes effect, except where a shorter period is required by law or security need. Archived versions are available on request to legal@vereid.com.


12. How to contact us

For privacy questions, requests, or complaints:

If you are not satisfied with our response, you may complain to your local supervisory authority. We will not retaliate against you for exercising any privacy right.