Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

Where Verace processes personal data contained in your organisation's documents on your behalf, we act as a data processor and you are the data controller. A Data Processing Agreement (DPA) is available upon request.

2. What Personal Data We Collect

2.1 Data you provide directly

Data	When collected	Purpose
Name, email address, company name	Free scan request form; account registration	To fulfil the scan request; to communicate results; account management
Platform preferences and configuration	During onboarding	To configure which knowledge bases to scan
Correspondence (emails, support messages)	When you contact us	To respond to enquiries and provide support

2.2 Data collected through your connected platforms

When you authorise Verace to connect to a knowledge platform (Confluence, Google Drive, SharePoint, Zendesk, Notion, etc.) via OAuth 2.0, we receive:

• Document content — text of documents within the configured scope, read-only, solely for contradiction detection;
• Document metadata — file names, last-modified dates, author identifiers, and platform-assigned IDs, used to attribute conflicts and surface them to the correct owners;
• OAuth access tokens — stored securely, used exclusively to maintain the authorised connection.

We do not access documents outside the scope you configure, and we do not request write permissions.

2.3 Technical and usage data

Data	Purpose
IP address, browser type, operating system	Security, abuse prevention, service reliability
Pages visited, features used, timestamps	Product improvement, analytics
Error logs and crash reports	Debugging and service quality

3. Legal Basis for Processing (GDPR)

Processing activity	Legal basis
Fulfilling a free scan or paid subscription	Contract performance (Art. 6(1)(b) GDPR)
Sending scan results and account communications	Contract performance (Art. 6(1)(b) GDPR)
Processing document content for conflict detection	Contract performance (Art. 6(1)(b) GDPR)
Product improvement and analytics	Legitimate interests (Art. 6(1)(f) GDPR)
Marketing communications (where applicable)	Consent (Art. 6(1)(a) GDPR) — you may withdraw at any time
Compliance with legal obligations	Legal obligation (Art. 6(1)(c) GDPR)

4. How We Use Your Data

We use the data we collect to:

• Deliver scan results and conflict reports;
• Operate and maintain the Verace platform;
• Route detected conflicts to document owners within your organisation;
• Communicate with you about your account, scans, and service updates;
• Improve the accuracy and performance of our detection pipeline (using aggregated, anonymised signals only — never your raw document content);
• Comply with applicable laws and respond to lawful requests from authorities.

5. What We Do Not Do

• We do not sell, rent, or trade your personal data or document content to any third party;
• We do not use your document content to train machine learning models;
• We do not retain document content after processing is complete (see retention section below);
• We do not write to, modify, or delete anything in your connected knowledge bases;
• We do not share your data with advertisers.

6. Data Retention

Data type	Retention period
Document content (raw text from your knowledge bases)	Processed in-memory; not persistently stored beyond the active scan session
Conflict detection results and reports	Retained for the duration of your active subscription, or 90 days for free scan results
Account and contact data	For the duration of the account, plus 3 years after termination (legal record-keeping)
OAuth access tokens	Until revoked by you, or upon account termination
Technical logs	90 days rolling

7. Third-Party Service Providers

We use trusted sub-processors to operate the Service. All sub-processors are bound by GDPR-compliant data processing agreements. Current sub-processors include:

• Cloud infrastructure providers (hosting and compute) — EU or EEA region by default;
• OAuth platform providers (Google, Microsoft, Atlassian, etc.) — accessed only to retrieve content you have authorised;
• Transactional email providers — for delivering scan results and account notifications;
• Analytics tools — using anonymised, aggregated usage data only.

We do not use third-party advertising networks or sell data to data brokers.

8. International Data Transfers

HANLON SOLUTIONS OÜ is established in Estonia (EU). Where we transfer personal data outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place — such as Standard Contractual Clauses (SCCs) approved by the European Commission — in accordance with Chapter V of the GDPR.

9. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of access (Art. 15) — request a copy of the personal data we hold about you;
• Right to rectification (Art. 16) — request correction of inaccurate data;
• Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten");
• Right to restriction (Art. 18) — request that we limit how we process your data;
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format;
• Right to object (Art. 21) — object to processing based on legitimate interests;
• Right to withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at contact@verace.ai. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee), or with the supervisory authority in your country of residence within the EU.

10. Security

We implement technical and organisational measures appropriate to the risk, including:

• Encrypted data transmission (TLS 1.2+) for all connections;
• Encrypted storage for OAuth tokens and account credentials;
• Read-only OAuth scopes — we cannot modify your knowledge bases;
• Access controls ensuring only authorised personnel can access production systems;
• Regular security reviews covering P0, P1, and P2 severity classifications.

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the competent supervisory authority in accordance with GDPR Articles 33 and 34.

11. Cookies

The verace.ai website uses a minimal set of cookies:

• Strictly necessary cookies — required for the website and application to function (session management, security). No consent required.
• Analytics cookies — used in aggregated, anonymised form to understand how visitors use the site. You may opt out via your browser settings.

We do not use advertising, tracking, or third-party retargeting cookies.

12. Children

The Service is intended for enterprise and professional use only. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has submitted data to us, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify registered users of material changes via email at least 14 days before they take effect. The current version will always be available at verace.ai/privacy.html.

14. Contact and Data Requests

For privacy enquiries, data subject requests, or to request a Data Processing Agreement: