VeriVeri.io — AI Trust & Verification Platform
Version 1.0 Last updated: 8 April 2026 Effective date: 8 April 2026
This Privacy Policy explains how Northloop Group AB, organisation number 559579-7787, Birger Jarlsgatan 99b, 1201, 113 56 Stockholm, Sweden ("VeriVeri", "we", "us") collects, uses, and protects your personal data when you use VeriVeri.io and its API (the "Service").
Contact for privacy inquiries: alex@hejalex.com
Supervisory authority: Integritetsskyddsmyndigheten (IMY) — the Swedish Authority for Privacy Protection — imy.se
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, login, communication | Art. 6(1)(b) — performance of contract |
| Display name | Personalisation (optional) | Art. 6(1)(b) — performance of contract |
| Plan type | Service tier management | Art. 6(1)(b) — performance of contract |
| Account timestamps (created, last login) | Account management, security | Art. 6(1)(b) — performance of contract |
| Data | Purpose | Legal Basis |
|---|---|---|
| Firebase Auth user ID | User identification | Art. 6(1)(b) — performance of contract |
Session cookie (__session) |
Session management, authentication | Art. 6(1)(b) — performance of contract |
| Google OAuth tokens (if using Google sign-in) | Authentication via Google | Art. 6(1)(b) — performance of contract |
| Data | Purpose | Legal Basis |
|---|---|---|
| Claims submitted for verification | Providing the verification service | Art. 6(1)(b) — performance of contract |
| Verification results (verdict, confidence, latency) | Providing the verification service | Art. 6(1)(b) — performance of contract |
| Data | Purpose | Legal Basis |
|---|---|---|
| User ID, API key ID, timestamp | Usage attribution, security | Art. 6(1)(f) — legitimate interest. We have assessed that our interest in maintaining service security and attributing usage does not override your rights, given that this data is limited to technical identifiers necessary for operating a secure API service. |
| Domain, request input/output | Compliance, debugging | Art. 6(1)(f) — legitimate interest. We have assessed that our interest in maintaining service integrity and enabling debugging does not override your rights, given that this processing is essential to delivering a reliable verification service. |
| Latency, request ID | Performance monitoring | Art. 6(1)(f) — legitimate interest. This is purely technical, non-identifying operational data. |
| Data | Purpose | Legal Basis |
|---|---|---|
| Daily credit consumption (by call type: verify, verify-lite) | Plan limit enforcement, observability dashboard | Art. 6(1)(b) — performance of contract |
| Overage credit tracking | Plan billing, overage invoicing | Art. 6(1)(b) — performance of contract |
| Confidence and latency aggregates | Service quality monitoring | Art. 6(1)(f) — legitimate interest. These are aggregated, non-identifying metrics used solely to monitor and improve service quality. |
| Per-API-key usage statistics | Usage attribution | Art. 6(1)(b) — performance of contract |
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Responding to your inquiry | Art. 6(1)(b) — steps prior to entering into a contract |
| Company name (optional) | Understanding your context | Art. 6(1)(b) — steps prior to entering into a contract |
| Message (optional) | Understanding your inquiry | Art. 6(1)(b) — steps prior to entering into a contract |
| Source identifier | Understanding how you found us | Art. 6(1)(f) — legitimate interest. We have a limited interest in understanding how inquiries reach us; this involves only a single identifier string and does not override your rights. |
| Data | Purpose | Legal Basis |
|---|---|---|
| User ID, email | Attribution, follow-up | Art. 6(1)(f) — legitimate interest. We have assessed that our interest in improving the Service based on user feedback does not override your rights, as you voluntarily submit feedback and reasonably expect us to use it for improvement. |
| Feedback message | Product improvement | Art. 6(1)(f) — legitimate interest (as above) |
| Page identifier | Context for the feedback | Art. 6(1)(f) — legitimate interest (as above) |
| Data | Purpose | Legal Basis |
|---|---|---|
| Key name, cryptographic key hash, prefix | API authentication | Art. 6(1)(b) — performance of contract |
| Key status, creation/usage timestamps | Key lifecycle management | Art. 6(1)(b) — performance of contract |
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address | Rate limiting, abuse prevention, security | Art. 6(1)(f) — legitimate interest. We have assessed that our interest in protecting the Service from abuse and enforcing rate limits does not override your rights, given that IP processing is limited to security purposes and is not used for tracking or profiling. |
We use your personal data exclusively for:
We do not use your data for:
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion + 30-day grace period, then permanently deleted |
| Authentication data | Duration of active session (session cookies: 5 days max) |
| API verification data & audit logs | 7 days (Free), 30 days (Hobby), 1 year (Standard) |
| Usage metrics | Lifetime of account, deleted with account |
| Contact form submissions | 2 years after last interaction, or until inquiry is resolved |
| Feedback | 2 years or until no longer needed for product improvement |
| API keys | Until revoked; permanently deleted with account |
| IP addresses | Not stored persistently; processed in-memory for rate limiting only |
Financial and billing records (invoices, payment transactions) are retained for seven (7) years as required by Swedish accounting law (Bokföringslagen 1999:1078), regardless of account deletion or plan-level audit log retention periods.
After the applicable retention period, all other data is permanently deleted from our systems.
VeriVeri.io uses the following cookies:
| Cookie | Purpose | Type | Duration | Party |
|---|---|---|---|---|
__session |
Maintains your authenticated session after login | Strictly necessary | 5 days | First-party |
vv_consent |
Remembers your cookie preference | Strictly necessary | 1 year | First-party |
_ga, _ga_* |
Google Analytics — visitor analytics and usage patterns | Analytics (requires consent) | Up to 2 years | Third-party (Google) |
Under the ePrivacy Directive (as implemented in Swedish law via Lagen om elektronisk kommunikation, LEK), strictly necessary cookies (__session, vv_consent) do not require your consent.
Analytics cookies (_ga, _ga_*) are only set after you give consent via the cookie banner. You may decline analytics cookies without any impact on the functionality of the Service.
We do not use advertising cookies, social media tracking widgets, or marketing pixels.
We do not use localStorage or sessionStorage for tracking purposes.
You can change your cookie preference at any time by clearing your browser cookies and revisiting the site. You can also control cookies through your browser settings. Disabling the __session cookie will prevent you from staying logged in.
Our website loads fonts from Google Fonts (fonts.googleapis.com / fonts.gstatic.com). This transmits your IP address to Google's servers on each page load. Google's privacy policy applies to this transfer: Google Privacy Policy.
When you sign in with Google, the authentication flow passes through Firebase/Google infrastructure. Google may set its own cookies during the OAuth sign-in process on its domains (e.g., accounts.google.com). These cookies are governed by Google's Privacy Policy, not by VeriVeri.
We use the following third-party processors to deliver the Service:
| Processor | Service | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform | Database hosting, application hosting, AI/ML processing | All stored and processed data, verification requests | Global |
| Firebase Authentication (Google) | User authentication | Auth credentials, session data | EU |
| Microsoft Azure | Infrastructure hosting, AI/ML processing | Verification requests and results | Global |
| Stripe, Inc. | Payment processing, subscription management | Name, email, payment details, billing address, tax ID | EU/US |
| Google Analytics (Google LLC) | Website usage analytics (consent-based) | IP address (anonymised), page views, usage patterns | EU/US |
Note on Stripe: Stripe acts as our data processor for payment processing on our behalf. Stripe also acts as an independent data controller for its own fraud prevention, compliance, and legal obligations. For details, see Stripe's Privacy Policy.
All processors are bound by data processing agreements. Google Cloud's data processing terms include EU Standard Contractual Clauses (SCCs) for any transfers outside the EEA.
All processors are bound by data processing agreements that include EU Standard Contractual Clauses (SCCs) for transfers outside the EEA. Verification requests may be processed in global regions to ensure availability and performance. Enterprise customers requiring EU-only data residency should contact us.
We do not use advertising or tracking services. We use Google Analytics for website usage analysis (see Section 5 for details and consent).
VeriVeri uses globally distributed infrastructure (Google Cloud Platform and Microsoft Azure) to deliver the Service. Verification requests may be processed in regions outside the EEA, including the United States. All international transfers are protected by:
Enterprise customers requiring EU-only data residency should contact us for a custom agreement.
We implement appropriate technical and organisational measures to protect your data, including:
When you submit personal data to VeriVeri's API on behalf of third parties, you are the data controller and VeriVeri is the data processor under GDPR Article 28.
The terms governing this relationship are set out in our standalone Data Processing Agreement. By submitting personal data via the API, you enter into the DPA.
Under the GDPR, you have the following rights regarding your personal data:
You may request a copy of the personal data we hold about you.
You may update your display name and account details via the dashboard settings page. For other corrections, contact us.
You may delete your Account via the dashboard. Deletion triggers a 30-day grace period during which your account can be restored. After 30 days, all data is permanently deleted.
You may request that we limit processing of your data in certain circumstances.
You may request an export of your data in a structured, commonly used, machine-readable format (JSON or CSV).
You may object to processing based on our legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds.
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. VeriVeri does not make such decisions — see Section 12 for details.
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
You have the right to lodge a complaint with the Swedish Authority for Privacy Protection:
Integritetsskyddsmyndigheten (IMY) Box 8114, 104 20 Stockholm, Sweden imy.se
Contact us at alex@hejalex.com with your request. We will respond without undue delay and within one (1) month. Where requests are complex or numerous, we may extend by a further two (2) months, in which case we will inform you within the first month. We may ask you to verify your identity before processing your request.
VeriVeri's API provides automated verification verdicts using AI/ML models. These verdicts are informational outputs delivered to you as our customer.
VeriVeri does not use automated decision-making that produces legal or similarly significant effects on individuals (Art. 22 GDPR).
If you, as a data controller, use VeriVeri's Verification Results to make decisions affecting individuals, it is your responsibility to ensure compliance with Art. 22 GDPR, including providing appropriate safeguards and human oversight.
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via the email address associated with your Account.
The "Last updated" date at the top of this page indicates the most recent revision.
For privacy-related inquiries or to exercise your data subject rights:
Northloop Group AB Org. nr 559579-7787 Birger Jarlsgatan 99b, 1201, 113 56 Stockholm, Sweden alex@hejalex.com