Privacy Policy

This policy applies to (a) visitors to our website at veridian.io, (b) customers who access our API and platform services, and (c) individuals whose personal data is submitted by our customers for identity verification or compliance purposes (“end users”).

Where Veridian processes personal data on behalf of customers (acting as a data processor), the customer's own privacy policy governs the relationship with end users. Our Data Processing Agreement (“DPA”) governs that relationship.

Account and billing information: When you register, we collect your name, email address, company name, billing address, and payment method details. Payment card data is handled by our PCI-compliant payment processor and is not stored by Veridian.

API usage data: We collect logs of API requests and responses, including timestamps, endpoint paths, status codes, latency, and IP addresses. This data is used for billing, debugging, and security monitoring.

End-user verification data:When customers submit individuals' data for KYC or sanctions screening, this may include names, dates of birth, government ID images, addresses, and biometric liveness data. This data is processed strictly to deliver the verification result and is not used for any other purpose.

Website analytics: We collect anonymized usage data on our marketing website using privacy-preserving analytics tools. We do not use tracking cookies that require GDPR consent banners.

We use the information we collect to:

• Provide, operate, and improve the Services
• Process transactions and send billing-related communications
• Respond to support requests and troubleshoot issues
• Monitor for security threats, fraud, and abuse
• Comply with legal obligations and respond to lawful requests
• Send product updates and announcements (opt-out available)

We do not sell personal data to third parties and do not use end-user verification data for advertising, profiling, or any purpose beyond delivering the requested compliance service.

For individuals in the European Economic Area, UK, or Switzerland, our legal bases for processing personal data are:

• Contract performance: Processing necessary to provide the Services you have contracted for
• Legitimate interests: Security monitoring, fraud prevention, and service improvement
• Legal obligation: Compliance with applicable laws and regulatory requirements
• Consent: For marketing communications (withdrawable at any time)

We share personal data only in the following circumstances:

• Sub-processors: We use vetted third-party service providers for cloud infrastructure, document verification, biometric processing, and sanctions database access. A current list of sub-processors is available at veridian.io/sub-processors.
• Legal requirements: When required by applicable law, court order, or government authority
• Business transfers: In connection with a merger, acquisition, or sale of assets, with appropriate data protection obligations
• With your consent: For any other purpose with your explicit authorization

We retain account and billing information for the duration of your subscription plus 7 years for tax and financial record-keeping purposes. API logs are retained for 90 days by default; customers on paid plans may configure extended retention.

End-user verification data (identity documents, biometric templates, and results) is retained for 12 months from the date of verification by default, after which it is securely deleted. Customers may request earlier deletion via the API or dashboard.

Veridian is headquartered in the United States. If you are located outside the US, your data may be transferred to and processed in the US and other countries. For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO, incorporated by reference into our DPA.

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data we process. These include AES-256 encryption at rest, TLS 1.3 in transit, SOC 2 Type II audit in progress, role-based access controls, and automated vulnerability scanning. We follow a responsible disclosure policy at veridian.io/security.

No system is perfectly secure. We will notify affected customers of any confirmed data breach affecting their data within 72 hours of discovery, as required by GDPR and applicable law.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Request deletion of your personal data
• Object to or restrict certain processing activities
• Data portability (receive your data in a machine-readable format)
• Withdraw consent where processing is based on consent
• Lodge a complaint with your local supervisory authority

To exercise these rights, contact us at privacy@veridian.io. We will respond within 30 days (or sooner as required by law).

Our website uses only essential cookies required for authentication and security. We do not use third-party advertising cookies. You can control cookies through your browser settings.

The Services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at privacy@veridian.io.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent in-product notice at least 14 days before the changes take effect. The “Last updated” date at the top of this page indicates when the current version was published.

For privacy-related inquiries or to exercise your rights, contact our Data Protection Officer at privacy@veridian.io or by mail at Veridian Technologies, Inc., Attn: Privacy, 228 Park Ave S, PMB 70145, New York, NY 10003.