Privacy notice

We process account data, workspace membership data, billing records, review configuration data, uploaded documents or pasted text, generated findings, follow-up chat history, feedback submissions, and contact-form inquiries.

We also process operational metadata such as timestamps, audit events, IP-derived request information, and usage records needed to secure, operate, and improve the service.

We process personal and workspace data to authenticate users, operate workspaces, run review jobs, persist review history, provide billing and support workflows, enforce platform limits, and maintain security, audit, and retention controls.

Where GDPR or equivalent rules apply, the intended legal basis will normally be contract performance, legitimate interests in securing and operating the service, or compliance with legal obligations, depending on the processing context.

The Evaluation plan uses a VeracityGXP-managed AI provider path. That means uploaded text, extracted document text, prompts, findings, and follow-up questions may be transmitted to our managed model providers strictly to generate review output.

If you need tighter control over provider choice, retention, or regional processing, you should use a Bring Your Own Key workspace or an enterprise arrangement instead of relying on the Evaluation path.

Where Evaluation uses the OpenAI API, OpenAI publicly states that API inputs and outputs are not used to train OpenAI models by default. That statement is OpenAI's service position, not an independent legal guarantee from VeracityGXP, and you should review the provider terms directly before uploading sensitive data.

VeracityGXP is used by EU customers and this notice is written with EU data-protection expectations in mind. However, Evaluation and related subprocessors may involve processing outside your preferred jurisdiction depending on the provider path in use.

If your workflow requires stricter European residency or processor control, do not assume the public Evaluation plan is sufficient. Use Bring Your Own Key or contact us for an enterprise path aligned to those requirements.

Provider credentials are handled server-side and encrypted at rest. Access to workspace content is scoped by authenticated membership, and the platform keeps audit evidence for destructive or configuration-changing actions.

Review inputs and attachments are subject to product retention settings and cleanup jobs. Deletion of content does not necessarily remove operational audit evidence showing that a deletion occurred.

When you use the contact form, we process the information you submit so we can respond to your request, triage sales or support questions, and maintain a basic inquiry log in the platform admin area.

Contact inquiries are not meant for highly sensitive document content. Use the product workflow, not the contact form, for document reviews.

If GDPR, UK GDPR, or similar law applies to you, you may have rights to request access, correction, deletion, restriction, portability, or objection depending on the role and legal basis involved. Use the contact page if you want to make a privacy request.