Privacy Notice
1. Introduction
This Privacy Notice explains how Waditech B.V., trading as Veritrellis, processes personal data in connection with Veritrellis websites, applications, APIs, SDKs, documentation, sandbox and production environments, support, billing, and business operations.
Veritrellis is a B2B service. It is not intended for personal, household, or consumer use.
2. Controller and processor roles
Veritrellis may process personal data in two different roles.
Controller processing
We act as controller when we determine the purposes and means of processing, including for:
- website visitors;
- account registration;
- authentication administration;
- customer relationship management;
- billing and payment administration;
- security monitoring;
- service communications;
- support requests;
- legal compliance;
- marketing and business development where applicable; and
- internal business records.
Processor processing
We act as processor when we process personal data contained in Customer Content on behalf of Customer, including action request payloads, policy evaluation records, approval metadata, permit records, audit logs, and workspace configuration to the extent such data is submitted by or for Customer.
For processor processing, the Customer is the controller or processor, and our Data Processing Agreement applies.
3. Identity and contact details
Controller: Waditech B.V., trading as Veritrellis
Address: Notelaan 11, 1185RS Amstelveen, the Netherlands
KVK number: 99644843
VAT ID: NL869074040B01
Privacy contact: privacy@veritrellis.ai
Legal contact: legal@veritrellis.ai
Security contact: security@veritrellis.ai
We have not appointed a formal Data Protection Officer unless stated otherwise on this page.
4. Personal data we process as controller
We may process the following categories of personal data:
- Account data: name, email address, company name, role, workspace membership, authentication identifiers, and user settings.
- Authentication data: login provider identifiers, session identifiers, authentication events, access timestamps, and security metadata.
- Business contact data: email address, company, title, communication history, meeting notes, and CRM records.
- Billing data: customer name, billing address, VAT number, subscription plan, payment status, invoice metadata, and payment processor references. Full payment card details are processed by Stripe or another payment provider and are not stored by us.
- Technical data: IP address, browser type, device data, operating system, request metadata, API metadata, logs, error records, and security events.
- Support data: support messages, attachments, diagnostics, configuration details, and communications.
- Marketing and analytics data: newsletter preferences, campaign interactions, website form submissions, and communication preferences. Where analytics are active: page views, call-to-action interactions, and anonymous visitor identifiers on the marketing website (with consent); authenticated page views, in-app action events, pseudonymous user and workspace identifiers, and role data in the admin application (on a legitimate interests basis).
- Cookie and local storage data: session cookies, authentication cookies, UI state, and functional storage. Analytics cookies (PostHog, prefix ph_) are set on the marketing website only after you provide consent. In the admin application, PostHog uses local storage and cookies on a legitimate interests basis as described in Section 7. We do not use advertising cookies or third-party marketing trackers.
5. Customer Content and action data
When you use Veritrellis, the service may process Customer Content, including:
- action request payloads;
- action types and schemas;
- policy rules and policy evaluation outcomes;
- approval requests, approvals, denials, comments, and timestamps;
- approver identities and workspace membership;
- signed permits and permit metadata;
- audit logs;
- API keys and integration metadata;
- connector configuration; and
- operational and security logs.
Customer Content may include personal data if the Customer submits it. Customers must avoid submitting sensitive or special-category personal data unless strictly necessary, legally permitted, covered by appropriate terms, and supported by the service plan.
6. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Providing accounts, authentication, workspaces, APIs, SDKs, and service access | Contract performance or legitimate interests |
| Operating, securing, monitoring, debugging, and improving the service | Legitimate interests |
| Billing, subscription management, invoicing, tax administration, and accounting | Contract performance and legal obligation |
| Customer support and service communications | Contract performance or legitimate interests |
| Security, fraud prevention, abuse detection, and incident response | Legitimate interests and legal obligation |
| CRM, sales, and business development communications | Legitimate interests or consent where required |
| Legal compliance, dispute handling, and enforcement | Legal obligation and legitimate interests |
| Cookie-based session management and UI state | Contract performance or legitimate interests |
| Product analytics on the marketing website (PostHog) | Consent |
| Product analytics in the admin application (PostHog) | Legitimate interests (service improvement and usage understanding) |
Where we rely on legitimate interests, those interests include operating a secure B2B SaaS service, preventing abuse, supporting customers, improving reliability, enforcing terms, and protecting our business and users.
7. Cookies and local storage
Veritrellis uses essential and functional cookies or local storage necessary for login sessions, authentication, security, and user-interface state.
We currently use PostHog Cloud for web and product analytics on the marketing website and the admin application.
Marketing website (veritrellis.ai): PostHog analytics cookies and storage are activated only after you accept the cookie banner. We collect page views and primary call-to-action clicks. If you decline, no analytics cookies are set. When you click a call-to-action that takes you to the admin application, an anonymous PostHog identifier (phid) may be appended as a URL query parameter to support cross-surface funnel analysis. No personal identity information is included in this parameter.
Admin application (app.veritrellis.ai): PostHog is used on the basis of legitimate interests to understand how authenticated users use the product and to improve service quality. We process: page views within the admin app, and key action events including workspace creation, API key creation, billing checkout initiation, approval decisions, and connector installation. These are recorded against a pseudonymous user identifier (your WorkOS user ID) and your workspace ID and role. We do not send to PostHog: authorization payloads, permit tokens, API key secrets, policy contents, action request payloads, or other Customer Content.
If you wish to object to analytics processing in the admin application, you may contact privacy@veritrellis.ai. We will consider your request under our legitimate interests basis and, where the objection is valid, cease the relevant processing.
We have considered the interests of users in performing this legitimate interests assessment: the data processed is pseudonymous, limited in scope, does not include sensitive information, and supports the direct improvement of a B2B service that users actively use. We believe this assessment is reasonably balanced. A formal Legitimate Interests Assessment document is available on request.
We do not use advertising cookies, retargeting pixels, or third-party marketing trackers.
See the Cookie Policy for full details of cookies set and how to manage them.
8. Infrastructure and service providers
We use third-party providers to operate the service. Current or expected providers include:
| Provider | Purpose | Location / transfer status |
|---|---|---|
| Hetzner | Hosting / infrastructure | EU region |
| Self-hosted PostgreSQL | Application database | Hosted by Veritrellis on EU infrastructure |
| WorkOS | Authentication and identity services | May involve international transfers depending on configuration |
| Postmark | Transactional email | May involve international transfers |
| Stripe | Billing and payment processing | May involve international transfers |
| HubSpot | CRM and business contact management | May involve international transfers |
| Self-hosted Directus | CMS / content management | Hosted by Veritrellis on EU infrastructure |
| PostHog | Web and product analytics | US or EU region depending on project configuration |
| Self-hosted Uptime Kuma | Uptime monitoring | Hosted by Veritrellis on EU infrastructure |
A current list of subprocessors is maintained in the Subprocessor List.
Where personal data is transferred outside the EEA, we use appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, transfer risk assessments, and supplementary measures where required.
9. AI and model training
Veritrellis does not currently use customer data to train AI models.
Veritrellis does not currently send Customer Content to external LLM providers as part of the service.
If AI-based functionality is introduced, including policy recommendations, natural-language policy authoring, audit summarization, or risk scoring, we will update this Privacy Notice and applicable product terms before using Customer Content for that functionality.
10. Data retention
We retain personal data only as long as reasonably necessary for the purposes described in this Privacy Notice, the Data Retention Policy, the DPA, contractual commitments, legal obligations, dispute resolution, security, and auditability.
Indicative retention periods:
| Data category | Default retention |
|---|---|
| Account data | Duration of account plus up to 90 days, unless longer retention is required |
| Billing and tax records | Statutory accounting retention period |
| Authentication and session logs | Typically 30 to 180 days |
| API and technical logs | Typically 30 to 180 days |
| Security logs | Typically up to 12 months, longer if needed for investigation |
| Customer Content in active accounts | Duration of subscription or as configured |
| Audit logs and permit records | Typically 12 to 24 months, or longer if agreed in paid plans |
| Deleted account summary records | Up to 90 days, or longer where legally necessary |
| Backups | Typically overwritten or deleted within 30 to 90 days |
| Support records | Typically up to 36 months |
| CRM records | Until no longer commercially relevant or upon valid objection/deletion request |
Specific customer retention settings may be made available in the admin or ops console over time.
11. Data subject rights
Subject to applicable law, individuals may have rights to:
- access their personal data;
- correct inaccurate data;
- request deletion;
- restrict processing;
- object to processing;
- request data portability;
- withdraw consent where processing is based on consent; and
- lodge a complaint with a supervisory authority.
Requests can be sent to privacy@veritrellis.ai.
If the request concerns Customer Content processed on behalf of a Customer, we may refer the request to the relevant Customer because the Customer controls that data.
12. Security
We use reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. Measures are described in the Security Measures document.
No system is perfectly secure. Customers remain responsible for secure configuration, access control, API key management, downstream enforcement, and safe use of AI agents and automation.
13. International users
Veritrellis is operated from the Netherlands and may be accessed internationally. If you use the service from outside the Netherlands, your data may be processed in the Netherlands, the EEA, and other countries where our service providers operate.
14. Children
Veritrellis is not intended for children or minors. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@veritrellis.ai.
15. Complaints
You may contact us at privacy@veritrellis.ai.
You may also lodge a complaint with the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, or another competent supervisory authority.
16. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Material changes will be communicated through the website, app, email, or other reasonable means.