Privacy Policy
Effective date: 28 May 2026 · Version: 2.0
VEREID, Inc. ("VEREID", "we", "our", or "us") provides identity-anchored social, authentication, and verification products. Trust depends on our being explicit about what we collect, why we collect it, who we share it with, and how long we keep it. This Privacy Policy describes those practices in plain English and with the legal precision that regulators in the U.S., E.U., U.K., Australia, and elsewhere expect.
This Policy covers the websites at vereid.com and its sub-domains, the VEREID mobile and desktop applications, our APIs and SDKs, and our business communications (collectively, the "Services"). It does not cover (a) products operated by third parties to which we may link or (b) data we process strictly on behalf of a customer that has signed a Data Processing Addendum ("DPA") with us — in those cases, the customer's own privacy notice governs and we act as a "processor" or "service provider".
If our role is "controller", we determine why and how your personal data is processed. If our role is "processor" (under the GDPR) or "service provider" (under the CCPA), we act on a customer's instructions. The roles are flagged below where the distinction matters.
1. Personal data we collect
We collect personal data in three ways: (a) you give it to us, (b) it is generated when you use the Services, and (c) we receive it from a third party you have authorized.
1.1 Information you give us
| Category | Examples |
|---|---|
| Account | Name, email, password (hashed), handle, profile photo, bio, language, pronouns |
| Identity verification | Government ID images, selfie, liveness video, address, date of birth, declared occupation; for business customers, registration number, beneficial owners, ID of authorized signers |
| Billing | Tax ID, billing address, last four digits and expiration date of your payment method; full card numbers are stored only by our PCI-DSS-certified payment processor, never by us |
| Communications | Messages you send us through support, sales, or in-product chat |
| Content | Posts, replies, reshares, direct messages, uploads, reactions, follows |
1.2 Information generated when you use the Services
| Category | Examples |
|---|---|
| Device & connection | IP address, browser type, OS, device model, language, time zone, screen size |
| Usage | Pages viewed, features used, sessions, API calls, error reports |
| Cookies & local storage | Authentication, preference, and consented analytics identifiers (see Cookie & Consent Policy) |
| Security signals | Login attempts, MFA challenges, suspected fraud indicators, rate-limit triggers |
1.3 Information we receive from third parties
| Category | Source |
|---|---|
| OAuth profile (name, email, avatar) | Google or other identity providers you choose |
| Document & liveness checks | Identity-verification sub-processors (see Sub-processors) |
| Sanctions, PEP, adverse-media screening | Specialized compliance providers (Tier-3+ only) |
| Card network responses | Payment processor (Stripe) |
| Abuse signals | Industry threat-intelligence feeds |
We do not purchase consumer data from data brokers for marketing.
1.4 Sensitive categories
The Services may incidentally process the following sensitive data when you have asked us to verify your identity:
- Biometric data (face geometry derived from selfies and liveness videos) — only with your explicit consent, only for verification, retained per the Biometric Retention Policy.
- Government-issued identifiers (passport numbers, national IDs) — minimized, encrypted, and access-logged.
- Health, religion, sexual orientation, etc. — we do not ask for these and discourage you from posting them. If they appear in user-generated content you control, we process them only to host that content as you instructed.
2. Why we process personal data
We process personal data only where we have a lawful basis to do so. Under the GDPR / UK GDPR, the bases we rely on are: contract performance, legal obligation, legitimate interests, and consent.
| Purpose | Categories used | Lawful basis (EEA/UK) |
|---|---|---|
| Create and maintain your account | Account, device | Contract |
| Sign you in (passkey / magic link / OAuth) | Account, security signals | Contract |
| Identity verification & tier issuance | Identity, biometric | Consent (biometric) + contract |
| Operate the social feed and DMs | Content, account | Contract |
| Bill you and prevent payment fraud | Billing, device | Contract + legitimate interests |
| Detect, prevent, and investigate abuse, spam, fraud | Usage, security, content | Legitimate interests + legal obligation |
| Comply with AML/KYC, sanctions, tax, accounting | Identity, billing | Legal obligation |
| Send service notices (security alerts, policy changes) | Account | Contract / legal obligation |
| Send marketing emails | Account | Consent (EEA/UK) / opt-out (U.S.) |
| Improve and develop the Services | Usage, content (aggregated) | Legitimate interests |
| Respond to legal process | Whatever is responsive | Legal obligation |
You can withdraw consent or object to legitimate-interest processing at any time using the controls described in Section 8.
3. How we share personal data
We share personal data only in the ways described below. We do not sell personal data, and we do not "share" personal data for cross-context behavioral advertising as defined by the CCPA/CPRA.
3.1 With other users
Information you choose to make public (your handle, display name, public posts, profile photo, tier badge) is visible to other users and, where applicable, to federated networks. Direct messages are visible only to the participants.
3.2 With our sub-processors
We use carefully selected service providers to operate the Services (hosting, email delivery, identity verification, error monitoring, customer support, payments). Each is bound by a written contract that imposes confidentiality, security, and data-protection obligations at least as strict as those in this Policy. The current list is maintained at /legal/sub-processors and we provide notice before adding a new sub-processor that processes Customer Content.
3.3 With customers (where we are a processor)
If you interact with a third party's product that uses VEREID Auth or VEREID Identity, we share the minimum personal data necessary to fulfill that interaction (e.g., a verified-claim assertion) under the customer's own privacy notice.
3.4 With authorities
We disclose personal data to law-enforcement, regulators, courts, or other government bodies only when (a) we have a good-faith belief that disclosure is required by valid legal process; (b) it is necessary to protect the rights, property, or safety of VEREID, our users, or the public; or (c) you have given us specific consent. We push back on overbroad requests, publish a transparency report annually, and notify affected users where lawful.
3.5 In a corporate transaction
If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred as part of the transaction. We will require the successor entity to honor this Policy or notify you of any material change and your choices before the transfer.
4. International transfers
We are headquartered in the United States and use sub-processors in the United States, the European Economic Area, the United Kingdom, Canada, Australia, and elsewhere. When personal data leaves a jurisdiction, we rely on appropriate safeguards, which may include:
- The European Commission's Standard Contractual Clauses (2021/914) and the U.K. International Data Transfer Addendum;
- Adequacy decisions of the European Commission;
- The EU–U.S. Data Privacy Framework, the U.K. Extension, and the Swiss–U.S. DPF where the recipient is self-certified;
- Your explicit consent where no other safeguard is available.
A copy of the SCCs in force for a specific data flow is available on request to privacy@vereid.com.
5. How long we keep personal data
We retain personal data only as long as necessary for the purposes set out in this Policy or as required by law. Specific retention windows are documented in our Records of Processing Activities; the headline figures are:
| Data | Retention |
|---|---|
| Account and profile | Lifetime of account; deleted on closure |
| Public posts, public replies | Lifetime of account; deleted on closure (caches in federated networks may persist) |
| Direct messages | Until you or the other participant deletes; deleted on account closure |
| Identity verification records (T1–T6) | 7 years after the linked account is closed, where required for AML/KYC defense |
| Biometric templates (selfie geometry) | 12 months after collection, then irreversibly deleted; raw selfie/video destroyed within 30 days of successful verification (see Biometric Retention Policy) |
| Billing records | 7 years (tax/accounting) |
| Security logs | 13 months |
| Application logs (no PII) | 30 days |
| Backups | 35 days rolling |
Deletion means logical deletion plus expiry from rolling backups within 35 days. Cryptographic shredding (destroying the per-user encryption key so that any remaining ciphertext, including copies still held in backups, becomes unrecoverable) is applied where supported.
6. How we protect personal data
We maintain an information-security program aligned to ISO/IEC 27001 and SOC 2 (audit reports available on request under NDA). Key controls include:
- Encryption in transit with TLS 1.2 or higher; at rest with AES-256; per-user key derivation for biometric templates.
- Least privilege access; production data access requires SSO + hardware MFA and is logged.
- Network segmentation with private VPCs, no public DB endpoints, and managed secrets.
- Application security: code review, static analysis, dependency scanning, secrets scanning, and a published vulnerability-disclosure program (security@vereid.com).
- Operational rigor: 24/7 on-call, change-management approvals, immutable audit logs, annual penetration tests by an independent firm.
- Resilience: multi-AZ deployments, daily backups, documented disaster-recovery runbooks tested quarterly (RPO ≤ 1 hour, RTO ≤ 4 hours).
- Personnel: background checks where lawful, mandatory annual security and privacy training, written confidentiality agreements.
No system is perfect. If we become aware of a personal-data breach that affects you, we will notify the relevant supervisory authority within the timelines required by applicable law (under the GDPR, no later than 72 hours after becoming aware of the breach) and notify you without undue delay where the breach is likely to result in a high risk to your rights or where local law otherwise requires individual notice.
7. Your rights
Depending on where you live, you have some or all of the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification / correction — ask us to correct inaccurate or incomplete data.
- Erasure / deletion — ask us to delete data we no longer need, subject to our legal-retention duties.
- Restriction — ask us to limit the processing of certain data while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on our legitimate interests or direct marketing.
- Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior lawful processing.
- Non-discrimination — exercise these rights without being denied service or charged a different price.
- Lodge a complaint — with your local supervisory authority (e.g., the Irish DPC in the E.U., the ICO in the U.K., the OAIC in Australia, the California Privacy Protection Agency in California).
To exercise a right, use the in-product Privacy controls in Settings → Privacy, send a request to privacy@vereid.com, or submit through the channels listed at /legal/dsr. We verify your identity before acting, respond within 30 days (extendable by 60 days for complex requests as permitted by law), and never charge a fee for the first request in any 12-month period.
If you are a California resident, you also have the right to know the categories of personal information collected, the categories of sources, the business or commercial purpose, and the categories of third parties to which it is disclosed — all of which are listed in Section 1 and Section 3. You may also designate an authorized agent to act on your behalf.
8. Choices and controls
- Account & profile — edit or delete in Settings → Profile.
- Privacy posture — change visibility, DM-from-verified-only, and tier-display rules in Settings → Privacy.
- Cookies & analytics — adjust in the cookie banner or Settings → Cookies; we honor the Global Privacy Control signal.
- Marketing email — unsubscribe link in every marketing email; instant in product.
- Push notifications — control via your operating system or Settings → Notifications.
- Close account — Settings → Account → Close account. Final deletion completes within 30 days, subject to backup-expiry and legal-retention obligations described above.
9. Children
The Services are not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact privacy@vereid.com and we will delete it. Where local law sets a higher digital-consent age (for example, 16 in many E.U. member states), we apply that age.
10. Automated decision-making
Some of our identity-verification, fraud-prevention, and tier-issuance workflows include automated decision-making, including profiling, where a decision could produce a legal or similarly significant effect on you (e.g., refusing to issue a tier). You have the right to obtain human review of such a decision, to express your point of view, and to contest it. To exercise these rights, email privacy@vereid.com with the subject line "Automated decision review".
11. Changes to this Policy
We may update this Policy from time to time. The "Effective date" at the top reflects the most recent change. If we make a material change, we will notify you by email or an in-product banner at least 30 days before the change takes effect, except where a shorter period is required by law or security need. Archived versions are available on request to legal@vereid.com.
12. How to contact us
For privacy questions, requests, or complaints:
- Email: privacy@vereid.com
- Mail: VEREID, Inc., Attn: Privacy, 548 Market St. PMB 71280, San Francisco, CA 94104, U.S.A.
- EU representative (Art. 27 GDPR): to be appointed; until then, contact privacy@vereid.com
- UK representative (UK GDPR): to be appointed; until then, contact privacy@vereid.com
- Data Protection Officer: dpo@vereid.com
If you are not satisfied with our response, you may complain to your local supervisory authority. We will not retaliate against you for exercising any privacy right.
