Privacy Policy

1. Introduction

Welcome to Verit ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our tamper-proof and privacy-focused Verifiable Credentials (VC) and Decentralized Identity (DID) services.

Verit Solutions Ltd, registered in the United Kingdom, is the data controller of personal data collected via our website and for our own marketing and business operations. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. When we process personal data on behalf of our customers (for example, learner or employee credentials issued using our platform), we generally act as a data processor under applicable data protection laws.

By accessing or using our services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you voluntarily provide to us when you:

• Register for an account
• Request a demo or contact us
• Subscribe to our newsletter
• Use our services
• Communicate with us

This information may include:

• Contact Information: Name, email address, phone number, company name, job title
• Account Credentials: Username, password (encrypted)
• Identity Information: For credential issuers, we collect contact details of authorized staff. For credential holders, we process only the minimum data needed to generate or deliver credentials (e.g., name, email), typically as a data processor on behalf of the training provider or employer. We do not put raw personal data onto any distributed ledger; we only store cryptographic hashes or metadata.
• Payment Information: When you make a payment, we collect billing address and process payment card details securely through third-party payment processors (we do not store card numbers ourselves)
• Communications: Any information you provide when contacting us

2.2 Information Automatically Collected

When you access our website, we automatically collect certain information:

• Usage Data: IP address, browser type, device information, operating system, pages visited, time spent on pages, referring URLs
• Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies (see Section 6)
• Analytics Data: Website performance metrics and user behavior patterns. We use analytics tools (including Google Analytics) to understand how visitors use our website. Where possible, we aggregate and pseudonymise this data. We do not use invasive cross-site tracking or behavioral profiling for advertising purposes.

2.3 Information from Third Parties

We may receive information from:

• Business partners and service providers
• Public databases and identity verification services
• Social media platforms (if you choose to connect your accounts)

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery: To provide, maintain, and improve our Verifiable Credentials and Decentralized Identity services
• Account Management: To create and manage your account, authenticate users, and provide customer support
• Communications: To send you service updates, security alerts, and administrative messages
• Marketing: To send promotional materials and newsletters (with your consent, where required)
• Analytics: To understand how users interact with our services and improve user experience
• Security: To detect, prevent, and address fraud, security issues, and technical problems
• Legal Compliance: To comply with legal obligations and enforce our terms and policies
• Business Operations: We may use aggregated and de-identified information to conduct research, analytics, and business development. We do not use the contents of your verifiable credentials for targeted advertising or to profile you for marketing purposes.
• Cryptographic Timestamping: When we anchor credential proofs or timestamps on external infrastructure (such as distributed ledgers), we only store cryptographic hashes and pseudonymous identifiers. No raw personal information is placed on-chain.

4. Legal Basis for Processing (UK GDPR and GDPR)

If you are in the United Kingdom or the European Economic Area (EEA), our legal basis for collecting and using your personal information depends on the data and context:

• Contract Performance: Processing necessary to provide our services to you
• Consent: You have given explicit consent for specific purposes (e.g., marketing communications)
• Legitimate Interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, service improvement), provided these do not override your rights
• Legal Obligation: Processing required to comply with legal requirements

5. How We Share Your Information

We may share your information with:

5.1 Service Providers

Third-party vendors who perform services on our behalf:

• Cloud hosting providers
• Payment processors
• Analytics services
• Email service providers
• Customer support tools

5.2 Business Transfers

In connection with mergers, acquisitions, or sale of assets, your information may be transferred.

5.3 Legal Requirements

When required by law, court order, or to protect our rights and safety.

5.4 With Your Consent

We may share information with third parties when you have given explicit consent.

We do not sell your personal information to third parties. We do not "sell" or "share" your personal information as those terms are defined under the California Consumer Privacy Act, as amended (CCPA/CPRA).

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

• Essential Cookies: Required for website functionality, security, and authentication
• Analytics Cookies: Help us understand how visitors use our website (e.g., Google Analytics). You can opt out of analytics cookies through our cookie consent banner.
• Preference Cookies: Remember your settings and preferences

We do not use third-party advertising cookies or cross-site behavioral tracking. You can control cookies through your browser settings. However, disabling essential cookies may affect website functionality. For more information, see our Cookie Consent Banner when you first visit our site.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

• Encryption of data in transit (TLS) and at rest
• Secure password hashing (bcrypt)
• Regular security assessments and updates
• Access controls and authentication mechanisms
• Employee training on data protection
• Incident response procedures
• Privacy-by-Design: We do not store raw personal information on distributed ledgers; only cryptographic hashes and metadata are used for verification

Our security practices are aligned with recognised frameworks including NCSC guidance, Cyber Essentials principles, and ISO 27001 standards. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Factors considered include:

• The nature and sensitivity of the information
• Legal and regulatory requirements
• The purposes for which we process the information
• Whether we can achieve those purposes through other means

Specific retention periods for our credential platform:

• Issuer Account Data: Retained for the duration of your account plus up to 7 years for legal and compliance purposes
• Audit Logs: Retained for up to 7 years to support security investigations and regulatory compliance
• Verification Request Metadata: Retained for up to 2 years for service improvement and fraud prevention
• Learner Credential Data: When acting as a data processor, we retain learner data only as instructed by the issuing organization. After credential issuance, we do not retain the full credential contents unless required for service delivery.

9. Your Privacy Rights

Depending on your location, you may have the following rights:

9.1 UK GDPR and GDPR Rights (UK and EEA Residents)

• Right to Access: Request copies of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of data processing
• Right to Data Portability: Receive your data in a structured format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time
• Right to Lodge a Complaint: File a complaint with a supervisory authority (in the UK: the Information Commissioner's Office; in the EEA: your local data protection authority)

9.2 CCPA/CPRA Rights (California Residents)

These rights apply only to California residents where we are subject to the California Consumer Privacy Act, as amended (CCPA/CPRA):

• Right to Know: Request disclosure of collected personal information
• Right to Delete: Request deletion of personal information
• Right to Non-Discrimination: Not be discriminated against for exercising your rights
• Right to Correct: Request correction of inaccurate information
• Right to Limit: Limit use of sensitive personal information

Note: As stated in Section 5, we do not "sell" or "share" personal information as defined under CCPA/CPRA.

9.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

10. International Data Transfers

Your personal data is primarily stored and processed in the United Kingdom and the European Economic Area (EEA). In some cases, your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office
• Adequacy decisions
• Your explicit consent

11. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

12. Third-Party Links and Services

Our website may contain links to third-party websites and services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending you an email notification (for significant changes)

Your continued use of our services after changes become effective constitutes acceptance of the revised Privacy Policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: