VerifyWise Privacy Policy

1. Introduction

This Privacy Policy explains how VerifyWise collects, uses, and protects your personal information across our different service offerings. VerifyWise provides AI governance and evaluation services through two distinct deployment models: our SaaS platform and Enterprise Self-hosted editions. The data handling practices differ significantly between these offerings, as detailed below.

VerifyWise is a B2B-only platform serving enterprise organizations. We are committed to ensuring your privacy is protected and that you understand how your data is handled based on your chosen deployment model.

2. Service Offerings and Data Handling

2.1 SaaS Platform

Our SaaS platform is hosted on Digital Ocean infrastructure in the San Francisco region. For SaaS customers, we collect and process:

  • Account and organization information (company name, user details, contact information)
  • Platform usage data and evaluation metadata
  • Technical data (IP addresses, browser information, timestamps)
  • Communication data from support interactions

Important: We do not process, store, or have access to your AI model data or evaluation content. All customer evaluation data is encrypted and isolated. VerifyWise employees cannot access your evaluation data or AI model information.

2.2 Enterprise Self-hosted Edition

Our Enterprise Self-hosted edition operates in a completely air-gapped environment within your infrastructure. For self-hosted deployments:

  • Zero data leaves your infrastructure - all data remains within your environment
  • No telemetry or usage analytics are sent to VerifyWise
  • No license validation or automatic updates occur
  • VerifyWise has no access to any data processed by the self-hosted platform

For self-hosted customers, this privacy policy primarily applies to our website interactions and any direct communications with VerifyWise.

3. Information We Collect

3.1 Website and General Business Information

  • Contact form submissions and inquiry details
  • Marketing communication preferences
  • Website usage data through analytics (Google Analytics, PostHog)
  • Technical website data (IP address, browser type, device information)

3.2 SaaS Platform Specific Data

  • Account registration and authentication information
  • Billing and payment processing data (processed by third-party payment processors)
  • Platform configuration and usage patterns
  • Support tickets and customer service interactions

4. How We Use Your Information

We use your information to:

  • Provide and maintain our AI governance services
  • Process payments and manage billing (SaaS customers only)
  • Provide customer support and technical assistance
  • Send product updates, newsletters, and marketing communications
  • Improve our platform and develop new features
  • Monitor platform performance and usage analytics (SaaS only)
  • Respond to customer inquiries and support requests

5. Data Security and Encryption

We implement industry-standard security measures to protect your information:

  • All customer data is encrypted both in transit and at rest
  • Multi-tenant data isolation ensures customer data separation
  • Access controls and authentication mechanisms protect platform access
  • Regular security monitoring and incident response procedures
  • Secure infrastructure hosting on Digital Ocean (SaaS) or your controlled environment (Self-hosted)

6. Cookies and Tracking Technologies

Our website uses the following types of cookies:

  • Functional Cookies: Essential for website operation and user authentication
  • Analytics Cookies: Google Analytics and PostHog for website performance analysis
  • Marketing Cookies: To track marketing campaign effectiveness and user preferences

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect website functionality.

7. Third-Party Services and Subprocessors

For our SaaS platform, we integrate with the following third-party services:

  • Payment Processing: Stripe, Inc. for billing and subscription management
  • Analytics: Google Analytics (Google LLC) and PostHog for usage analytics and performance monitoring
  • Infrastructure: Digital Ocean (DigitalOcean, LLC) for hosting and infrastructure services
  • Monitoring Tools: Platform performance and uptime monitoring services

All subprocessors are contractually required to maintain appropriate security measures and data protection standards. These services have their own privacy policies and data handling practices. Enterprise Self-hosted deployments do not use any third-party services for data processing.

Subprocessor Changes: We will notify enterprise customers of any new subprocessors at least 30 days before implementation, allowing you to object to such changes.

8. Data Retention

We retain different types of data for varying periods:

  • Account and evaluation data: Retained for 3 years from account creation or last activity
  • Marketing communications: Until you unsubscribe or request removal
  • Website analytics: Retained according to Google Analytics and PostHog retention policies
  • Contact form submissions: Retained for business communication purposes up to 3 years

For Enterprise Self-hosted customers, data retention is entirely under your control as all data remains within your infrastructure.

9. Your Rights and Data Control

As a business customer, you have the right to:

  • Access your organization's account and usage data
  • Correct inaccurate account or contact information
  • Request deletion of your account and associated data
  • Object to marketing communications (unsubscribe options available)
  • Request data export for account migration purposes
  • Receive information about data breaches affecting your account

For Enterprise Self-hosted customers: You maintain complete control over all data as it resides within your infrastructure. VerifyWise cannot access, modify, or delete data in your self-hosted environment.

10. Marketing Communications

We may send you marketing communications including:

  • Product updates and new feature announcements
  • Industry insights and AI governance best practices
  • Webinars and educational content
  • Company newsletters

You can unsubscribe from marketing communications at any time by clicking the unsubscribe link in emails or contacting us directly. Operational communications (billing, support, security) will continue as necessary for service delivery.

11. Contact Form and Customer Support

When you submit contact forms or reach out for support:

  • Your inquiries are sent to a dedicated VerifyWise mailbox
  • Human team members read and respond to your messages
  • We may retain communication history to provide better support
  • Support conversations may be used to improve our services

12. Legal Basis for Processing and Compliance

12.1 Legal Basis (GDPR Article 6)

We process personal data based on the following legal grounds:

  • Contract Performance (Article 6.1.b): Processing necessary to deliver our AI governance services
  • Legitimate Interest (Article 6.1.f): Platform improvement, security monitoring, and business communications
  • Consent (Article 6.1.a): Marketing communications and non-essential cookies

12.2 Data Controller and Processor Roles

VerifyWise acts as:

  • Data Controller: For account management, billing, support, and platform operations
  • Data Processor: When processing evaluation data according to customer instructions in our SaaS platform
  • Independent Controller: For website analytics, marketing, and business development activities

12.3 International Compliance

GDPR Compliance (EU Customers): We comply with the General Data Protection Regulation for European customers, including data subject rights, lawful basis requirements, and data protection principles.

CCPA Compliance (California Customers): We comply with the California Consumer Privacy Act, providing transparency about data collection and honoring consumer rights requests.

Data Transfers: All data processing occurs within North American infrastructure (Digital Ocean, San Francisco). No international data transfers to countries without adequate data protection occur.

12.4 Data Processing Agreements

Enterprise customers can request Data Processing Agreements (DPAs) that govern how we process personal data on your behalf. DPAs include:

  • Processing instructions and limitations
  • Security measures and incident response
  • Subprocessor management
  • Data subject rights assistance
  • Data return and deletion procedures

To request a DPA, contact our legal team at hello@verifywise.ai with "DPA Request" in the subject line.

13. Data Breach Notification

In the event of a data security incident that may affect your personal data:

  • Assessment: We will assess the incident within 24 hours of discovery
  • Customer Notification: Affected customers will be notified within 72 hours for high-risk breaches
  • Regulatory Notification: We will notify relevant authorities as required by applicable law
  • Remediation: We will provide information about steps taken to address the incident and prevent recurrence

For Enterprise Self-hosted deployments, data security is entirely within your control and infrastructure.

14. Enhanced Rights for EU and California Residents

14.1 GDPR Rights (EU Residents)

  • Right of Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Limit how we process your data
  • Right to Data Portability: Receive your data in machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Rights Related to Automated Decision Making: We do not engage in automated decision-making that significantly affects individuals

14.2 CCPA Rights (California Residents)

  • Right to Know: Information about data collection and use
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: We do not sell personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

To exercise these rights, contact us at hello@verifywise.ai with "Privacy Rights Request" in the subject line.

13. Changes to This Policy

We may update this privacy policy to reflect changes in our services, legal requirements, or business practices. When we make material changes, we will:

  • Update the "Last updated" date at the bottom of this policy
  • Notify active customers via email of significant changes
  • Post the updated policy on our website

We encourage you to review this policy periodically to stay informed about how we protect your information.

16. Contact Information

If you have any questions about this Privacy Policy, data handling practices, or wish to exercise your rights, please contact us:

Data Protection Contact

  • Email: hello@verifywise.ai
  • Subject Line Guidance:
    • "Privacy Rights Request" - for GDPR/CCPA rights
    • "DPA Request" - for data processing agreements
    • "Data Breach Report" - for security incidents
  • Enterprise customers: Include your organization name in your inquiry

Business Address

VerifyWise
373 Hampton Heath Rd.
Burlington, Ontario, Canada L7L 4R1

Response Times

  • General inquiries: 2-3 business days
  • Privacy rights requests: 30 days (as required by law)
  • Security incidents: Within 24 hours

Last updated: January 2025

Privacy Policy | VerifyWise - Enterprise Data Protection