Privacy & Data Policy

VerifyDoc.ai (“VerifyDoc.ai”, “we”, “us”, “our”) operates document verification infrastructure for issuers and verifiers worldwide. For the personal data described in this policy that we determine the purposes and means of processing, VerifyDoc.ai is the data controller.

For any privacy, deletion, or Google user data question, or to exercise your rights, contact our privacy team at hello@verifydoc.ai.

Registered legal entity, company number, registered address, and (where applicable) our UK/EU Article 27 representative and Data Protection Officer are identified here: [INSERT — to be completed before publication].

This Privacy & Data Policy explains how we handle personal data and document-related data when you use the VerifyDoc.ai website, dashboards, APIs, the Google Docs and Microsoft Word integrations, signing workflows, verification pages, and related services (the “Service”). It should be read together with our Terms & Conditions.

3.1 Workspace & account data

• name, work email, workspace membership, and authentication details;
• organisation, letterhead, support contact, and workspace configuration;
• subscription, billing, verification preferences, and marketing choices.

3.2 Google user data & editor-integration data

• Google account email and basic profile returned by Google OAuth;
• OAuth connection metadata, access tokens, refresh tokens, and granted scopes;
• Google Docs / Drive file content, metadata, and snapshots for files you authorise us to process;
• current-document context used by the add-on to insert verification QR blocks, capture source snapshots, and prepare signing workflows.

3.3 Verification & signing data

• document title, issuer name, recipient labels, reference codes, and metadata;
• verification records, QR references, immutable snapshots, and hashes;
• signer names, emails, roles, signing order, and field assignments;
• audit-trail events (invite sent, opened, viewed, consented, signed, completed, invalidated).

3.4 Technical, security & usage data

• IP address, user agent, device label, and country-level location;
• session identifiers, cookies, install/connection tokens, and logs;
• page usage, verification frequency, and operational monitoring;
• email delivery results, support interactions, and fraud indicators.

We obtain data directly from you (registration, configuration, uploads), automatically through your use of the Service (technical and usage data), from Issuers who register documents about you, and from third parties such as Google (where you connect an integration) and our payment processor.

For anonymous public verification checks, no account is required and we do not, by default, collect:

• government identification numbers or precise GPS location;
• payment card data in verification-only flows;
• a verifier’s personal contact details unless actively submitted.

This limitation does not apply to authenticated workspace users, invited signers, or connected Google users, where contact details, audit events, and security telemetry are required to operate the Service.

Under the UK and EU GDPR we must have a lawful basis for each processing purpose. The table below maps our main purposes to their bases.

Where we rely on legitimate interests, those interests are operating a secure, reliable, fraud-resistant verification service; you may object as described in Section 15. Where we rely on consent, you may withdraw it at any time without affecting prior processing.

Our role depends on the data:

• We are the controller for our own account, billing, security, and website data, and we decide how that data is used.
• We are a processorwhen an Issuer registers documents that contain other people’s personal data (for example recipients, signers, patients, or employees). In that case the Issuer is the controller, is responsible for having a lawful basis and for any required notices or consents, and we process that data on the Issuer’s documented instructions.

For enterprise Issuers we make a Data Processing Addendum (DPA) available, incorporating the required processor commitments, sub-processor terms, and international-transfer safeguards.

Documents registered by Issuers may contain special category data (for example health information in medical records). Where this occurs, the Issuer acts as controller and is responsible for establishing a valid condition for processing such data under Article 9 GDPR (or equivalent law). We process it only as a processor, to provide verification and signing, and apply heightened security to it. We do not intentionally collect special category data about our own account holders.

When you connect Google Docs or authorise VerifyDoc.ai with Google, we access Google user data only to provide or improve user-facing VerifyDoc.ai features for you or your workspace.

• We use Google account email and basic profile to identify the connected user and link the connection to the correct workspace.
• We use Google Docs / Drive access only to read the authorised document, generate verification QR blocks, prepare immutable signing snapshots, and maintain the related workflow.
• We store OAuth tokens and connection metadata to maintain the integration until you disconnect it or the workspace removes it.

We use cookies and similar technologies in the following categories:

• Strictly necessary — authentication, security, and core functionality; these cannot be switched off.
• Functional — remembering preferences and workspace settings.
• Analytics — understanding usage and performance, including via Google Tag Manager and the tags it loads.

Non-essential cookies are set only with your consent where required by law (for example UK PECR and the EU ePrivacy rules). You can manage your choices at any time through the site cookie controls or your browser settings.

We do not sell personal data, including Google user data. We share data only with:

• service providers that host, secure, monitor, and operate the platform (cloud infrastructure, storage, logging);
• email-delivery providers (such as MailerSend or a configured SMTP relay) for transactional mail and sign invitations;
• Google, where required to operate the Google Docs integration on your behalf;
• other members of your own workspace whom you invite into a document workflow;
• professional advisers, regulators, or law enforcement where legally required;
• an acquirer or successor in a merger, acquisition, or restructuring, under confidentiality and continuity obligations.

A current list of sub-processors is available on request and, for enterprise customers, under the DPA. We require sub-processors to provide protections consistent with this policy.

We operate globally and may transfer personal data to countries outside the UK, EEA, or your home jurisdiction, including where our service providers are located. Where we do, we rely on an appropriate safeguard, such as:

• an adequacy decision or adequacy regulations covering the destination country;
• the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
• the EU Standard Contractual Clauses, with supplementary measures where needed.

Where the Nigeria Data Protection Act 2023 applies, transfers are made on the bases it permits. You can request details of the safeguard used for a particular transfer.

We apply technical and organisational safeguards designed to protect data, including:

• encryption in transit and at rest where supported by the service layer;
• access controls, role separation, credential hashing, and secrets management;
• monitoring, audit logging, fraud controls, and environment isolation;
• signed evidence manifests, document hashes, and tamper-evident records for signing and verification.

No system is perfectly secure, but we maintain processes to detect, investigate, and respond to incidents, and will notify affected individuals and regulators where required by law.

We keep data only as long as needed to provide the Service, preserve signed evidence, prevent fraud, meet contractual duties, and comply with law. Operational retention defaults:

Verification records are retained on a permanent basis specifically to keep already-issued documents verifiable for their full useful life — for example, an academic credential that may be checked decades after issuance. This retention is independent of the issuing organisation’s subscription status, in line with the Continuity of Verification commitment set out in the Terms & Conditions at §10A.

Google OAuth tokens, editor-connection metadata, source snapshots, and signing records are retained while the related workspace or workflow remains active, unless deleted earlier or a longer period is required for evidentiary, security, or compliance reasons.

You may request deletion or disconnection at hello@verifydoc.ai. Some data may be retained after a deletion request where needed to preserve completed audit trails, signed artifacts, legal obligations, dispute records, or fraud-prevention evidence. Operational defaults are also published on our Data Retention page.

Subject to applicable law, you have the following rights over your personal data:

To exercise any right, contact hello@verifydoc.ai. We respond within one month (extendable for complex requests) and do not charge unless a request is manifestly unfounded or excessive. Where an Issuer is the controller of your data, we will refer your request to that Issuer.

You also have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner’s Office (ICO); in the EEA, your local authority; and in Nigeria, the Nigeria Data Protection Commission (NDPC). We ask that you contact us first so we can try to resolve the matter.

If you are a California resident, the CCPA/CPRA gives you the right to know what personal information we collect and how it is used and shared, to request deletion or correction, to opt out of the “sale” or “sharing” of personal information, and to limit the use of sensitive personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use sensitive personal information beyond the purposes permitted. You will not be discriminated against for exercising your rights, and you may use an authorised agent. Submit requests to hello@verifydoc.ai.

The Service is intended for organisations and adults. It is not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.

We use automated tools to flag suspected fraud, abuse, and anomalous verification activity. These tools support — but do not replace — human judgement: we do not make decisions producing legal or similarly significant effects about you based solely on automated processing without human involvement. We do not use Google Workspace API data to train general-purpose AI models.

We may update this policy as our product, integrations, or legal obligations change. If we materially change how we access or use Google user data or other personal data, we will update this page, revise the version and “Last updated” date, and provide additional notice in the product, by email, or through the relevant account workflow where required.

Verification should not compromise privacy. Trusted document workflows should operate with clear disclosure, limited access, and defensible evidence handling — and your rights should be easy to exercise. Questions? Reach us at hello@verifydoc.ai.