Privacy

Privacy Policy

Verificate Pty Ltd (ACN 681 762 818) (“Verificate”, “we”, “us”) respects your privacy. This policy explains what personal information we collect, why, how we protect it, and your rights. It is written to comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, and, where applicable, the EU/UK GDPR.

1 · Who we are

The data controller is Verificate Pty Ltd, Sydney, NSW, Australia. For any privacy request, contact [email protected].

2 · Information we collect

We practise data minimisation — we collect only what a feature needs.

  • Account data — name, email address, optional organisation, and a password (stored only as a one-way bcrypt hash; we never see your password). Account and trial timestamps.
  • Authentication — a session token (JWT) and your MCP access key.
  • MCP usage & security logs — your API key identifier, IP address and request timestamps. We use these solely to enforce single-user keys, apply rate limits, and detect key sharing/abuse.
  • Billing — processed by Stripe. Verificate stores only your Stripe customer and subscription identifiers and status. We never receive or store your card details.
  • Website analytics — a random session and visitor identifier plus page paths and funnel events. This is cookie-free, first-party, self-hosted, and contains no third-party trackers.
  • Communications — messages you send us, and bookings made via our scheduling link.

3 · How we use it (and legal bases)

  • To provide, authenticate and secure the service — performance of a contract.
  • To enforce single-user keys and prevent abuse, and to keep the service reliable and secure — legitimate interests.
  • To process subscriptions and comply with tax/accounting obligations — contract and legal obligation.
  • To respond to enquiries and, where you opt in, send product updates — consent / legitimate interests.

We do not sell personal information, and we do not use it for automated decisions that produce legal effects about you.

4 · Sub-processors we share with

We share the minimum necessary with vetted providers under data-protection terms:

  • Stripe — payments (PCI-DSS Level 1).
  • Cloudflare — website hosting, CDN and security.
  • Resend — transactional email.
  • Google — appointment scheduling, if you book a call.
  • Sovereign compute host — the Verificate account/MCP service runs on managed OpenShift (IBM Fusion) infrastructure; product inference runs on your or our sovereign infrastructure with zero outbound egress.

A current sub-processor list is available on request. See also our Trust & Security page.

5 · Storage, security & retention

Account and usage data are stored in a dedicated, access-controlled PostgreSQL database. Passwords are bcrypt-hashed; data is encrypted in transit (TLS). Our products are architected to run sovereignly with zero network egress. We retain account data for the life of your account plus any period required by law; security/abuse logs are kept for a short rolling window; analytics are retained in aggregate. See Trust & Security.

6 · Your rights

Subject to law, you may request to access, correct, delete, export, or restrict/object to the processing of your personal information, and withdraw consent at any time. Email [email protected] and we will respond within the statutory timeframe. You may also complain to the Office of the Australian Information Commissioner (OAIC), or your local supervisory authority in the EU/UK.

7 · International transfers

Verificate is based in Australia and our account data is hosted in Australia. Where a sub-processor processes data outside your country, we rely on appropriate safeguards (e.g. standard contractual clauses) as required.

8 · Cookies

We do not use advertising or third-party tracking cookies. We use browser localStorage/sessionStorage only for essential functionality (keeping you signed in) and our cookie-free, first-party analytics.

9 · Children

Our services are not directed to children and we do not knowingly collect their personal information.

10 · Changes

We may update this policy; material changes will be posted here with a new effective date.

© 2026 Verificate Pty Ltd · ACN 681 762 818 · Sydney, NSW, Australia · Last updated 8 July 2026