Veritor is GDPR-compliant by design. This policy explains what personal data we process, why, where it lives, how long we keep it, and what rights you have over it.
Veritor (operated by the entity registered under the SalesDots / Fixtra group, Poland) acts as the data controller for visitors to this website and as the data processor for verification queries our customers submit through the API.
Data Protection contact: privacy@veritor.org.
Website visitors — minimal. Server access logs (IP, user-agent, page requested) retained 14 days for security purposes. No third-party analytics that fingerprint users. No tracking cookies. No advertising pixels.
API customers — account email, organisation name, billing details (handled by Stripe for paid plans), API call logs (audit trail required for AML compliance use cases).
Verification queries — the entity names, identifiers, and country codes you submit. We do not retain these beyond cache TTL + audit-log retention. We do not aggregate them, build derived datasets, or sell them.
Verification results — data from government registries (KRS, GLEIF, Companies House, etc.). This is public business data per the relevant legal acts of each registry. It is not personal data under GDPR for company-level fields; for personal data fields (director names, UBO data), we process it under the legal basis of legal obligation (AMLD6) for AML-purposed customer use.
EU only. Primary region: Frankfurt. Polish region available on Enterprise tier (Warsaw). Dublin standby replica. We do not transfer customer data to the US. Some sub-processors (e.g., Stripe for billing) operate globally but with EU-acceptable data-handling guarantees (SCCs in place).
Website logs: 14 days.
API audit logs: 6 years (required for AML compliance — adjustable on Enterprise contracts).
Verification cache: 24h default, force-fresh available per query.
Account data: deleted within 90 days of account closure, except where retention is required by law (tax records, AML records).
Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17 — subject to legal-obligation retention), portability (Art. 20), object to processing (Art. 21), withdraw consent. Email privacy@veritor.org. We respond within 30 days.
Current sub-processor list: Supabase (EU region, Frankfurt — database), Stripe (global, SCCs in place — payment processing), Vercel (EU region — hosting), Cloudflare (DDoS mitigation, EU region for our domain), Sentry (EU region, sentry.de — error monitoring). Full list with DPA links available on request.
This website uses no cookies for tracking or advertising. The Veritor app (app.veritor.org) uses essential session cookies for authentication only. We do not use third-party cookies.
Material changes notified via email to account holders 30 days before taking effect. Version history retained at /privacy/changelog (coming soon). Current version: 1.0, last updated 15 May 2026.
Data Protection: privacy@veritor.org. Lead supervisory authority: UODO (Polish Personal Data Protection Office) for EU-domiciled customers; your national DPA otherwise.