Privacy Policy

1. Introduction

Veriaxis LLC ("we", "our", "us") is the data controller for personal information collected through the website at verigrc.com and the VeriGRC platform at app.verigrc.com. This Privacy Policy explains what personal data we collect, how we use it, the legal basis for processing, and your rights in relation to it.

If you have questions about this policy or wish to exercise your rights, contact us at privacy@verigrc.com.

2. Information we collect

We collect the following categories of personal data:

• Account information — name, work email address, organisation name, and a hashed password when you register for a VeriGRC account.
• Contact form submissions — name, work email, company name, subject, and message content submitted via the /contact page.
• Usage telemetry — page views, feature interactions, and session metadata collected through Plausible Analytics. No cookies are set and no personal identifiers are stored by the analytics system.
• Vendor portal submissions — evidence documents, assessment responses, and contact details submitted by third-party vendors through the VeriGRC vendor portal on behalf of a customer organisation.
• Integration data — data received through inbound integrations (e.g. vulnerability scan results, cloud security findings) as configured by administrators.

3. How we use your information

We process personal data on the following legal bases under GDPR Article 6:

• Contract — Art 6(1)(b): to create and manage your account, operate and deliver the VeriGRC platform, send transactional emails (assessment notifications, password resets) via Resend, and respond to contact form enquiries.
• Legitimate interest — Art 6(1)(f): to monitor service performance and uptime, detect and prevent abuse, improve the platform using aggregated usage telemetry, and maintain immutable audit logs required for multi-tenant security and compliance obligations.

We do not use your personal data for advertising. We do not sell personal data to third parties.

4. Data processors and sub-processors

We share data only with the following sub-processors necessary to operate the service:

• OVHcloud (EU region) — servers and object storage hosting the VeriGRC platform, application database, and backup infrastructure.
• Resend — transactional email delivery for assessment notifications, account emails, and system alerts.
• Anthropic — AI inference for the VeriGRC AI Assistant. Under our API agreement, prompts and responses are not used to train Anthropic models.
• Plausible Analytics — cookieless, privacy-first website analytics for the verigrc.com marketing site. No personal data is transmitted to Plausible.

All sub-processors are contractually bound to process data only as instructed and to maintain appropriate technical and organisational security measures.

5. Cookies and analytics

The verigrc.com marketing website uses Plausible Analytics — a cookieless, privacy-first analytics provider hosted in the EU. No tracking or analytics cookies are set on the marketing site and no personal data is transmitted to Plausible. The VeriGRC application at app.verigrc.com uses a single session cookie strictly necessary for authentication; this cookie is not used for tracking purposes.

The /contact page uses Google reCAPTCHA v3 for bot detection. reCAPTCHA sets cookies and transmits data — including your IP address and browser fingerprinting signals — to Google's servers to assess whether the form submission is from a human. This processing is governed by Google's Privacy Policy and Terms of Service. No other third-party advertising or behavioural tracking cookies are used on any Veriaxis LLC property.

6. Data retention

Account and platform data is retained for the duration of your active subscription and for 90 days after account termination, after which it is securely deleted or anonymised. Immutable audit log records are retained for 7 years to satisfy compliance and legal obligations. Contact form submissions are retained for 24 months. You may request early deletion by contacting privacy@verigrc.com.

7. Your rights

Under GDPR and applicable data protection law, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your personal data, subject to legal retention obligations.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interest.
• Restriction — request that we restrict processing in certain circumstances.

To exercise any of these rights, email privacy@verigrc.com. We will acknowledge your request within 5 business days and respond fully within 30 days.

8. International transfers

Primary data processing occurs within the European Union (OVHcloud, EU region). Where sub-processors transfer data outside the EEA — including Anthropic (United States) — such transfers are protected by Standard Contractual Clauses approved by the European Commission, or an equivalent transfer mechanism.

9. Contact and complaints

For privacy-related enquiries or to exercise your data subject rights, contact us at privacy@verigrc.com or via the contact page.

You also have the right to lodge a complaint with your local supervisory authority. In the UK this is the ICO (ico.org.uk); in Ireland this is the DPC (dataprotection.ie).