Privacy Policy

Last updated: March 2026

1. Who we are

Veragent is an AI agent governance platform operated by Veragent B.V., registered in the Netherlands. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG). Our Data Protection contact can be reached at privacy@veragent.io.

2. What data we collect

We collect only the personal data strictly necessary to provide our services:

  • Account data: name, email address, and password (stored encrypted)
  • Organisation data: organisation name and administrative email
  • Usage data: agent activity logs, audit trails, and trust scores generated within the platform
  • Technical data: IP address, browser type, and session tokens for security purposes

We do not collect sensitive personal data as defined under Article 9 GDPR, nor do we collect data from individuals under the age of 16.

3. Legal basis for processing

We process your personal data on the following legal bases under Article 6 GDPR:

  • Contract performance — processing necessary to provide the Veragent platform services you have subscribed to
  • Legal obligation — processing required to comply with applicable laws and regulations
  • Legitimate interest — processing necessary to maintain platform security, prevent fraud, and improve our services
  • Consent — for optional communications such as product updates and newsletters, which you may withdraw at any time

4. How we use your data

We use your data exclusively to:

  • Provide and maintain the Veragent platform
  • Authenticate users and manage account security, including two-factor authentication
  • Generate compliance reports and audit logs for your organisation
  • Send transactional emails such as account confirmations and security alerts
  • Respond to support requests and enquiries
  • Comply with legal obligations and enforce our Terms of Service

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Data processors and third parties

We use the following trusted sub-processors to deliver our services. All sub-processors are bound by data processing agreements in accordance with Article 28 GDPR:

  • Supabase — database hosting and authentication (EU region, Frankfurt)
  • Vercel — application hosting and content delivery
  • Resend — transactional email delivery
  • Railway — background agent processing infrastructure

6. Data retention

We retain your personal data only for as long as necessary for the purposes outlined in this policy or as required by law:

  • Account data is retained for the duration of your subscription and deleted within 30 days of account closure
  • Audit logs are retained according to your plan (7 days for Free, 30 days for Starter, 90 days for Business, 1 year for Enterprise)
  • Security logs are retained for 90 days for fraud prevention purposes
  • Billing records are retained for 7 years in accordance with Dutch tax law (Belastingdienst requirements)

7. Your rights under GDPR

Under the GDPR and the Dutch Implementation Act, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of your data where no legal basis for retention exists
  • Right to restriction — request that we limit processing of your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@veragent.io. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted data storage, TLS encryption in transit, two-factor authentication, role-based access controls, and regular security reviews. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority within 72 hours and inform affected users without undue delay, in accordance with Articles 33 and 34 GDPR.

9. Cookies

Veragent uses only strictly necessary cookies and local storage to maintain your authenticated session and remember your preferences such as theme selection. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under the Dutch Telecommunications Act (Telecommunicatiewet).

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notification at least 30 days before the changes take effect. Continued use of the platform after notification constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or to exercise your rights, contact us at: privacy@veragent.io