Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account, we store the following per user:

• Authentication: Email address, password (encrypted by Supabase Auth)
• Subscription: Subscription tier and status
• Payment: Stripe customer ID and subscription ID (credit card details are processed by Stripe only, we never see them)
• API Access: Browser extension API key (auto-generated, used for browser extension authentication)
• Preferences: Preferred language - used for AI response localization
• Usage Tracking: Daily API request count and reset timestamp (for rate limit enforcement)
• Security Flags: Account status flags (is_suspicious, suspended_at) for abuse prevention

1.2 Session Data

When you log in, we temporarily store session information:

• Session token: Random 64-character token stored in session-auth cookie
• IP address: Your IP address for rate limiting and abuse prevention
• User agent: Your browser information for security monitoring
• Expiration: Sessions expire after 30 days of inactivity

1.3 Usage Data

When you use our Service, we collect:

• URLs you check for safety
• Page content sent for AI analysis (title, description, text snippets)
• Analysis results and threat verdicts
• API usage statistics and rate limit counts

1.4 Browser Extension Data

Our browser extension:

• Stores your API key locally in your browser
• Accesses page content only when you click "Check This Page"
• Does NOT track your browsing history automatically
• Does NOT collect data from pages you don't explicitly check

2. How We Use Your Information

We use the collected information to:

• Provide URL safety checking and threat inspection services
• Analyze page content for phishing and threat patterns
• Localize AI responses based on your preferred language setting
• Improve our threat inspection algorithms
• Enforce rate limits based on your subscription tier
• Prevent abuse and detect suspicious account activity (using IP address and session data)
• Provide customer support
• Send service-related notifications (not marketing)
• Comply with legal obligations

3. Data Sharing and Disclosure

3.1 Third-Party Services

We use the following third-party service providers:

• Stripe: Payment processing (credit card information is handled exclusively by Stripe, we never see it)
• Groq (Third-Party LLM Provider): AI-powered threat inspections. When you request AI analysis, page content is sent to Groq's API for analysis. Groq does not store the content after processing. We only save the analysis results (safe/threat verdict), not the actual page content.
  Groq acts as a data processor under GDPR and has a Data Processing Addendum (DPA) in place. For details, see Groq's DPA.
• Supabase: Database and authentication infrastructure (PostgreSQL hosting)

Important: Page content sent for AI analysis is NOT stored in our database. We only cache the analysis results (content hash + verdict) for 7 days to avoid re-analyzing identical content.

3.2 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Retention

Data retention periods:

• Account data: Until you delete your account (email, password hash, subscription tier)
• Your URL check history: Automatically deleted after 7 days (which user checked which URL)
• Page analysis results: Cached for 30 days (shared across all users, contains no personal data)
• AI analysis cache: Only the verdict is cached for 7 days - actual page content is NOT stored
• Sessions: Automatically deleted after 30 days

What we do NOT store:

• Page content (title, text, description) after AI analysis completes
• Full browsing history
• Credit card details (handled by Stripe)

An automated cleanup process runs daily to permanently delete expired data. We cannot recover deleted data.

5. Your Rights

You have the right to:

• Access: Request a copy of your personal data
• Correction: Update inaccurate or incomplete data
• Deletion: Request deletion of your account and data
• Export: Download your URL check history
• Opt-out: Disable email notifications

To exercise these rights, contact us at contact@veri.im

6. Security

We implement security measures including:

• HTTPS encryption for all data transmission
• Password hashing with industry-standard algorithms
• API key authentication for extension access
• Rate limiting to prevent abuse
• Regular security audits

7. Cookies and Tracking

7.1 Strictly Necessary Cookies

We use the following cookie:

• session-auth: First-party authentication cookie that keeps you logged in. This is a session cookie that expires after 30 days of inactivity. It is HttpOnly and Secure (HTTPS-only).

7.2 Browser Storage

• Local storage: Browser extension stores API key and settings locally in your browser only

7.3 What We Do NOT Use

• Third-party advertising cookies
• Analytics cookies (Google Analytics, etc.)
• Marketing or tracking cookies
• Social media tracking pixels
• Session recording tools

8. Children's Privacy

Our Service is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your residence. We ensure appropriate safeguards are in place for such transfers.

10. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the "Last updated" date and posting the new policy on this page.

11. Contact

For questions about this Privacy Policy or our data practices, contact: contact@veri.im