Veritas

Privacy Notice

Last updated: April 26, 2026

1. Who we are

Veritas is operated by Ahmed, an individual sole proprietor based in the Arab Republic of Egypt ("we", "us", "our"). We act as the data controller for the personal data described in this notice. If you'd like to contact us about privacy, write to privacy@veritas.app.

2. What personal data we collect

From your account

  • Email address and login credentials
  • Display name and optional profile information
  • Subscription tier and billing identifiers (provided by Paddle)

From your use of the Service

  • Documents you upload, plus extracted text, embeddings, and OCR metadata
  • Questions you ask, answers we generate, and citation metadata
  • Usage counts (documents processed, queries made)
  • Logs of important events (uploads, errors, security events)

Automatically collected

  • IP address, user agent, device identifiers, and approximate location (from IP)
  • Session and authentication tokens (essential cookies)

3. Why we use your data and our legal basis

  • To provide the Service — running OCR, embeddings, retrieval, and AI inference over your documents (legal basis: contract performance).
  • Account & billing — creating and securing accounts, processing subscriptions (legal basis: contract performance, legal obligation).
  • Security & abuse prevention — detecting fraud, brute-force attacks, quota abuse (legal basis: legitimate interests).
  • Customer support — responding to your inquiries (legal basis: contract performance, legitimate interests).
  • Service improvement — aggregated usage analytics; we do not use your document content to train third-party models (legal basis: legitimate interests).
  • Legal compliance — record-keeping for tax, accounting, and regulatory obligations (legal basis: legal obligation).

4. Who we share data with

We share personal data only with the following categories of recipients, and only as needed:

  • Hosting and infrastructure providers (Lovable Cloud / Supabase) — store account data, documents, embeddings, and logs.
  • Payment processor (Merchant of Record) — Paddle.com handles checkout, billing, tax collection, refunds, and invoicing.
  • OCR providers — text extraction services (e.g. Azure Document Intelligence) process the contents of uploaded files.
  • AI providers — embeddings and language models that generate answers from your documents.
  • Email service providers — to send transactional notifications (welcome, billing, usage warnings).
  • Professional advisers — accountants and legal counsel where strictly necessary.
  • Authorities — when required by valid legal process.

We do not sell your personal data, and we do not share it for cross-context behavioral advertising.

5. International transfers

Some of our service providers operate outside your country of residence (including the United States and the European Union). When personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms.

6. How long we keep your data

  • Account data — for the lifetime of your account, plus up to 30 days after deletion.
  • Documents and extracted content — until you delete them, or 30 days after account deletion.
  • Logs and audit records — up to 12 months for security and debugging.
  • Billing records — for the period required by tax law (typically 7 years).

You can request deletion at any time (see Section 7).

7. Your rights

Depending on your jurisdiction (e.g. GDPR, UK GDPR, CCPA), you may have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request deletion of your data ("right to be forgotten");
  • restrict or object to certain processing;
  • port your data to another service;
  • withdraw consent (where processing is based on consent);
  • lodge a complaint with your local data protection authority.

We respond to verified rights requests within 30 days. Send requests to privacy@veritas.app.

8. Security

We protect your data with industry-standard measures including encryption in transit (TLS), encryption at rest, role-based access controls, row-level security on the database, and signed URLs for file storage. No system is perfectly secure; if a breach occurs, we will notify affected users and authorities as required by law.

9. Cookies

We use a small number of essential cookies required for authentication and session management. We do not use advertising cookies. If we introduce optional analytics or preference cookies in the future, we will request your consent first.

10. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

11. Changes to this notice

We may update this notice. Material changes will be communicated by email or in-product notice. The "Last updated" date at the top of this page reflects the most recent revision.