── Privacy Policy ──

Privacy, by construction.

Effective: May 14, 2026Last updated: May 14, 2026Version: 2026.05.14Entity: Verdict Systems Inc.

Verdict Systems Inc. ("Verdict," "we," "us") builds cryptographic evidence infrastructure. We hold ourselves to the standard our customers expect from infrastructure: minimum data, maximum verifiability, and obligations stated in writing.

This Policy explains what Personal Data we collect, why, how we share it, how long we keep it, and the rights you have. Where we act as a Processor on behalf of a Customer, the Customer's privacy notice governs the underlying data — we point those data subjects to the Customer.

§1.0

Scope & Our Role

1.1 Scope. This Policy applies to verdict.systems, its subdomains, our APIs, our MCP endpoints, the verdict-bench CLI in its telemetry-enabled mode, and our sales and support communications.

1.2 Our role. When you visit our website, sign up, or buy a subscription, we act as a Controller of your Personal Data under GDPR / UK GDPR (and the comparable role under U.S. state privacy laws). When a Customer uses the Service to seal evidence that contains Personal Data of a third party, the Customer is the Controller and Verdict is the Processor; our processing is governed by the Data Processing Addendum.

We do not sell Personal Data
Verdict does not sell Personal Data and does not share Personal Data for cross-context behavioral advertising as those terms are defined under California law. See Section 15.
§2.0

Categories of Personal Data We Collect

From you directly, when you visit our site, sign up, or contact us:

  • Identifiers: name, email, company, role, country, postal address (if provided).
  • Account & billing: account credentials (hashed), API key metadata, plan, invoices, payment last-4 (via Stripe — full card data is never transmitted to or stored by Verdict).
  • Commercial: the products and tiers you purchased; support tickets; sales calls and meeting notes you provide.
  • Communications: emails to evidence@, privacy@, legal@, security@, and replies to our newsletter (Field Notes).

Automatically, when you use the Service:

  • Technical: IP address (truncated for analytics), user-agent, device class, referrer, language, timezone, page-load timing.
  • Service telemetry: API call counts, latencies, error codes, rate-limit events, batch sizes — used to operate the Service and bill you on metered tiers.
  • Cookies and similar: see Section 12 and the Cookie Policy.

From third parties:

  • Payment processor (Stripe): billing details limited to what we need to issue invoices and prevent fraud.
  • Authentication providers (if you sign in via a third party): account identifier, name, email.
  • Business contact databases (sales prospecting): name, business email, role, company, public LinkedIn — used only for B2B outreach with opt-out in every message.
§3.0

Sources

Sources are summarized above and include: (a) you, (b) your device when you interact with our properties, (c) our service providers (subprocessors) acting on our instructions, and (d) public or licensed business directories for prospecting.

§4.0

Purposes & Legal Bases

We process Personal Data for the following purposes, with the indicated legal bases under GDPR / UK GDPR.

PurposeExamplesGDPR Legal Basis
Provide the ServiceAccount, API access, support, billingContract (Art. 6(1)(b))
Operate & secure the ServiceTelemetry, abuse prevention, incident response, fraudLegitimate interests (Art. 6(1)(f)) — our and our customers' interest in a reliable, secure service
Communicate with youTransactional notices, security alertsContract / legitimate interests
Marketing & newsletterField Notes, product updatesConsent (Art. 6(1)(a)) in EEA/UK/Swiss; legitimate interests with opt-out elsewhere
Comply with lawTax, accounting, lawful processLegal obligation (Art. 6(1)(c))
Defend rightsLitigation, enforcement of TermsLegitimate interests / legal claims (Art. 9(2)(f))

We do not knowingly process special-category data (GDPR Art. 9) at the website or marketing layer.

§5.0

Personal Data Inside Evidence Records

5.1 Who controls it. When you, the Customer, submit Customer Content to be sealed and that content contains Personal Data of a third party, you are the Controller. Verdict acts as Processor on your instructions under the DPA.

5.2 Minimization. We encourage you to minimize Personal Data in payloads. The integrity guarantees of the Service do not require us to read the payloads — we hash them.

5.3 Erasure that respects integrity. If a data subject asks you to erase Personal Data inside an Evidence Record, we support hash-preserving redaction: the underlying payload is removed from our systems while the SHA-256 hash and Merkle proof remain. The existence of the event remains cryptographically verifiable; the personal data is gone. This is the only erasure mechanism compatible with the integrity property of the Service. See Terms § 6.5.

§6.0

Public Transparency Anchoring (Sigstore Rekor)

By design, Verdict anchors only the Merkle root of each evidence batch — a 32-byte hash — to the public Sigstore Rekor transparency log. The Rekor entry contains the root, a timestamp, our signing public key, and metadata identifying it as a Verdict batch. No Customer Content and no Personal Data is written to Rekor. The existence of an evidence batch becomes a public, immutable fact; the content does not.

§7.0

Sharing & Disclosure

We share Personal Data only as described here:

  • Subprocessors acting on our written instructions under a DPA (see Section 8 and /subprocessors).
  • Professional advisors (auditors, lawyers, accountants) under confidentiality.
  • Business transfers: in a merger, acquisition, financing, or sale of assets, subject to commercially reasonable confidentiality and continuity of this Policy.
  • Lawful process: see Legal Inquiries; we challenge overbroad demands and notify users by default unless legally prohibited.
  • To protect rights and safety of Verdict, our customers, or third parties.
  • With your consent.
§8.0

Subprocessors

Our current subprocessors and the categories of data they process are published at /subprocessors. We give Customers at least thirty (30) days' notice before adding or replacing a subprocessor and provide an objection window as described in the DPA.

§9.0

International Transfers

Personal Data may be transferred to and processed in the United States and other countries where Verdict or our subprocessors operate. For transfers from the EEA, the UK, and Switzerland to the U.S. or other "third countries," we rely on:

  • EEA → EU Standard Contractual Clauses (Commission Decision 2021/914), with Module 2 (controller-to-processor) or Module 3 (processor-to-processor) as applicable, and a Transfer Impact Assessment.
  • UK → the UK International Data Transfer Addendum (IDTA) or the UK Addendum to the EU SCCs.
  • Switzerland → the EU SCCs with FDPIC-recognized adaptations (references to the GDPR read as references to the Swiss FADP; references to EU member states read as references to Switzerland).
  • Adequacy decisions where applicable.

You may request a copy of the SCCs in place by emailing privacy@verdict.systems.

§10.0

Retention

We keep Personal Data only as long as needed for the purpose for which it was collected, plus the period required by law or to defend legal claims.

CategoryDefault retentionNotes
Account profileLife of account + 12 monthsDeleted on request thereafter
Evidence Record payloads (Developer / Growth)90 daysConfigurable in Order; subject to Terms § 6.4–6.5
Evidence Record metadata + Merkle rootsCryptographically immutableAnchored to Rekor; see § 6 above
Service telemetry (API logs)24 monthsAggregated thereafter
Billing & tax records7 yearsU.S. tax/audit obligations
Support tickets36 monthsFor pattern detection & product improvement
Marketing list (Field Notes)Until you unsubscribe + 24 monthsSuppression list kept permanently
Security logs24 monthsFor incident response and forensics
§11.0

Security

Our security architecture is described at /security. In short: TLS 1.3 in transit, AES-256 at rest, FIPS 140-2 Level 3 HSMs for Ed25519 signing keys, Sigstore Rekor anchoring for Merkle roots, role- based access with least privilege, mandatory MFA on production access, quarterly key rotation, and a documented incident- response plan. No security program is perfect; we operate the one your CISO can audit.

§12.0

Cookies & Tracking

We use only strictly-necessary cookies by default. Optional analytics (Google Analytics 4 with IP anonymization) is enabled only with consent in regions that require it, and is fully opt-out elsewhere. We honor Global Privacy Control (GPC)as a universal opt-out signal. Details: Cookie Policy.

§13.0

Children

The Service is for users 18+ and is not directed to children. We do not knowingly collect Personal Data from anyone under 18. If you believe a child has provided us Personal Data, email privacy@verdict.systems and we will delete it.

§14.0

California Rights (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what categories and specific pieces of Personal Information we have collected, used, disclosed, or sold/shared in the prior 12 months.
  • Delete Personal Information, subject to permitted exceptions.
  • Correct inaccurate Personal Information.
  • Opt out of sale or sharing for cross-context behavioral advertising (we do not engage in either — see § 15).
  • Limit use of sensitive Personal Information.
  • Be free from retaliation for exercising your rights.
  • Designate an authorized agent to act on your behalf (with verifiable authorization).

Categories disclosed for a business purpose: identifiers, commercial information, internet/network activity, inferences, and professional/employment information. Recipients of those disclosures are our subprocessors (see § 8).

§15.0

Do Not Sell or Share My Personal Information

We do not sell or share
Verdict does not sell Personal Information for monetary or other valuable consideration and does not share Personal Information for cross-context behavioral advertising, as those terms are defined under California Civil Code § 1798.140. We honor Global Privacy Control (GPC) as a universal opt-out signal for any future change in this position.

To submit a do-not-sell / do-not-share request manually, email privacy@verdict.systems with the subject line "Do Not Sell or Share Request" and the email address tied to your account.

§16.0

EEA, UK, and Swiss Rights

If you are in the EEA, UK, or Switzerland, you have the right to:

  • Access your Personal Data and obtain a copy (Art. 15 GDPR).
  • Rectification of inaccurate or incomplete data (Art. 16).
  • Erasure — subject to the integrity-preserving redaction mechanism in § 5.3 for Evidence Records (Art. 17).
  • Restriction of processing (Art. 18).
  • Data portability — in a structured, commonly used, machine-readable format (Art. 20).
  • Object to processing based on legitimate interests or direct marketing (Art. 21).
  • Not be subject to a decision based solely on automated processing that produces legal effects (Art. 22) — see § 18.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with a supervisory authority. For example: the Irish DPC, the UK ICO, or the Swiss FDPIC.
§17.0

Other U.S. State Rights

Residents of Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have rights to know, delete, correct, and opt out of sales, targeted advertising, and (in some states) profiling for decisions with legal effects. Submit requests to privacy@verdict.systems; we respond within the statutory window applicable to your state.

§18.0

Automated Decision-Making

Verdict does not use automated decision-making, including profiling, to produce legal or similarly significant effects on you. AI features of the Service produce informational outputs (summaries, conformance indications, search results) that are subject to human review by you or your counsel before any decision with consequence — see Terms § 7 and the Responsible AI Disclosure.

§19.0

How to Exercise Your Rights

To exercise any right above, email privacy@verdict.systems with the request, the right you are exercising, and information sufficient for us to verify your identity (typically the email address on your account and a response to a verification message). We respond within:

  • 45 days under CCPA/CPRA (extendable once by 45 more days with notice).
  • 30 days under GDPR / UK GDPR (extendable by 60 days for complex requests with notice).
  • The shorter of the above where multiple regimes apply.

We do not charge a fee for reasonable requests. Where a Customer's Personal Data is involved (i.e., we are the Processor), we will route the request to the Customer and notify you.

§20.0

Changes to This Policy

We will post material changes with at least 14 days' advance notice by email or in-product notice. Continued use after the effective date constitutes acceptance. The current version is always dated and posted at /privacy.

§21.0

Contact, DPO, EU & UK Reps

Privacy team: privacy@verdict.systems.

Data Protection Officer (acting): until Verdict appoints a standalone DPO, the privacy alias above functions as the contact for all DPO matters and routes to qualified counsel.

EU representative (Article 27 GDPR): to be appointed; in the interim, EEA residents may direct requests to the privacy alias above, which is monitored by EU-qualified counsel.

UK representative (Article 27 UK GDPR): to be appointed; in the interim, UK residents may direct requests to the privacy alias above.

Verdict Systems Inc.
Attn: Privacy
Houston, Texas, USA

── Questions about this policy ──

Email privacy@verdict.systems. For all other legal matters: legal@verdict.systems.

Postal: Verdict Systems Inc. · Attn: Legal · Houston, Texas, USA