Privacy Policy
Last updated: June 2026
1. Who we are
Veragent is an AI agent governance platform operated by Veragent B.V., registered in the Netherlands. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG). Our Data Protection contact can be reached at privacy@veragent.io.
2. What data we collect
We collect only the personal data strictly necessary to provide our services:
- Account data: name, email address, and password — stored only as a salted hash, never in plaintext or reversible form (not applicable to single sign-on accounts)
- Organisation data: organisation name and administrative email
- Usage data: agent activity logs, audit trails, and trust scores generated within the platform
- Technical data: IP address, browser type, and session tokens for security purposes
We do not collect sensitive personal data as defined under Article 9 GDPR, nor do we collect data from individuals under the age of 16.
3. Legal basis for processing
We process your personal data on the following legal bases under Article 6 GDPR:
- Contract performance: processing necessary to provide the Veragent platform services you have subscribed to
- Legal obligation: processing required to comply with applicable laws and regulations
- Legitimate interest: processing necessary to maintain platform security, prevent fraud, and improve our services
- Consent: for optional communications such as product updates and newsletters, which you may withdraw at any time
4. How we use your data
We use your data exclusively to:
- Provide and maintain the Veragent platform
- Authenticate users and manage account security including two-factor authentication
- Generate compliance reports and audit logs for your organisation
- Send transactional emails such as account confirmations and security alerts
- Respond to support requests and enquiries
- Comply with legal obligations and enforce our Terms of Service
We do not sell, rent, or share your personal data with third parties for marketing purposes.
5. Data processors and third parties
We use the following trusted sub-processors to deliver our services. All sub-processors are bound by data processing agreements in accordance with Article 28 GDPR:
- Supabase: database hosting and authentication (EU region, Frankfurt)
- Vercel: application hosting and content delivery
- Resend: transactional email delivery
- Stripe: payment processing and billing (PCI-DSS certified)
6. Data retention
We retain your personal data only for as long as necessary for the purposes outlined in this policy or as required by law:
- Account data is retained for the duration of your subscription and deleted within 30 days of account closure
- Audit logs are retained according to your plan (7 days for Free, 30 days for Starter, 90 days for Business, 1 year for Enterprise)
- Security logs are retained for 90 days for fraud prevention purposes
- Billing records are retained for 7 years in accordance with Dutch tax law (Belastingdienst requirements)
7. Your rights under GDPR
Under the GDPR and Dutch Implementation Act you have the following rights:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure: request deletion of your data where no legal basis for retention exists
- Right to restriction: request that we limit processing of your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interest
- Right to withdraw consent: withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@veragent.io. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted data storage, TLS encryption in transit, two-factor authentication, role-based access controls, and regular security reviews. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority within 72 hours and inform affected users without undue delay, in accordance with Articles 33 and 34 GDPR.
9. Cookies
Veragent uses only strictly necessary cookies to maintain your authenticated session — sessions are held in encrypted, HttpOnly cookies and never in browser storage. Local storage is used solely for interface preferences such as theme selection. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under the Dutch Telecommunications Act (Telecommunicatiewet).
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notification at least 30 days before the changes take effect. Continued use of the platform after notification constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions or to exercise your rights, contact us at: privacy@veragent.io