Privacy policy
Last updated: April 30, 2026
How Verdifax handles personal data, what we collect, what we do not, and the rights you have over your information. This policy applies to the Verdifax website, documentation, dashboard, and API.
Summary
Verdifax is a deterministic execution and attestation system. The product itself is designed to operate on hashes and sealed envelopes — not on raw user data. We have engineered the platform so that the minimum amount of personal information is required to operate it, and so that data we do process is sealed, scoped, and verifiable end-to-end.
What we collect
We collect personal data only when you choose to provide it, or when it is necessary to operate the service.
Account and access data
When you request access to Verdifax we collect: your name, work email address, organization, role, and the country in which you operate. This information is used to evaluate your access request and, if approved, to provision an API key. We do not sell, rent, or trade this data.
Telemetry and operational logs
The Verdifax API records, for each authenticated request: the API key ID (not the secret), the timestamp, the endpoint, the HTTP status code, and the manifest hash produced (if any). These logs are retained for ninety (90) days for security and abuse prevention, then aggregated into non-identifying counts for capacity planning.
Payload contents
The Verdifax API does not retain the raw input bytes you submit through POST /execute. Bytes are canonicalized, hashed, sealed, and discarded. The only payload-derived value retained on disk is the SHA-256 of the canonical envelope (envelope_hash). The raw bytes are never written to disk and are never written to logs.
Cookies and analytics
The marketing site (verdifax.com) sets a single first-party session cookie used to remember your cookie-banner choice. We use privacy-first analytics that do not set tracking cookies and do not fingerprint visitors. We do not embed third-party advertising trackers.
What we do not collect
We deliberately do not collect: raw payload contents you attest, the contents of your model weights, your IAM identity tokens, your customer records, or any data that you have not explicitly submitted to us. The Verdifax product is built so that we cannot read what you attest — only the manifest hash leaves your runtime.
How we use the data
Personal data is used to: provision and revoke access; secure the service against abuse; respond to support requests; comply with legal obligations; and improve our documentation. We do not use personal data for advertising, profiling, or automated decisions that produce legal effects.
Sharing
We share personal data only with: cloud and hosting providers necessary to run the service (subject to written data-processing agreements); payment processors when you have an active commercial relationship with us; and competent authorities when we are required by law to do so. We never sell personal data.
Retention
Account and access data is retained for the lifetime of your account plus thirty-six (36) months for audit purposes. Operational logs are retained for ninety (90) days. Cookie-banner preferences are retained until you clear your browser storage.
Your rights
If you are in the European Economic Area, the United Kingdom, Switzerland, or California, you have the right to: access the personal data we hold about you; correct inaccurate data; request deletion; object to processing; and request a portable copy. You may exercise these rights by emailing privacy@verdifax.com. We respond within thirty (30) days.
International transfers
Verdifax operates infrastructure in the United States and the European Union. Where personal data is transferred between these regions, we rely on the Standard Contractual Clauses approved by the European Commission.
Security
We protect personal data with: encryption in transit (TLS 1.3), encryption at rest (AES-256), least-privilege access controls, hardware-backed key storage, and continuous monitoring. We disclose security incidents that affect personal data to affected individuals and to the relevant supervisory authority within the timeframes required by law.
Changes
We will post any material change to this policy on this page and update the "Last updated" date above. For material changes affecting how your data is processed, we will additionally notify account-holders by email.
Contact
Questions or concerns about this policy can be sent to privacy@verdifax.com.
