VeriStay Ltd ("VeriStay", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services.
1. Data Controller
For the purposes of UK GDPR and the Data Protection Act 2018, the data controller is:
VeriStay Ltd (registered in England and Wales)
Email: info@veristay.app
Our registered office is set out in clause 1 of our Terms and Conditions.
2. Information We Collect
2.1 Information You Provide
- Account Information: Business name, contact name, email address, phone number
- Property Data: Property details, room information, inspection records
- Media Content: Photos and videos uploaded during inspections
- Payment Information: Billing details (processed securely by Stripe)
- Communications: Messages sent through our support channels
2.2 Automatically Collected Information
- Usage Data: Pages visited, features used, time spent, clicks
- Device Information: IP address, browser type, operating system, device identifiers
- Location Data: Approximate location based on IP address
- Cookies: See our Cookie Policy for details
3. Legal Basis for Processing (UK GDPR Article 6)
We process your data based on the following legal grounds:
| Processing Activity |
Legal Basis |
| Providing the Services |
Contract Performance - necessary to fulfil our agreement with you |
| AI processing of inspection images |
Contract Performance - core service functionality |
| Sending service communications |
Legitimate Interests - keeping you informed about your account |
| Security and fraud prevention |
Legitimate Interests - protecting our systems and users |
| Analytics and improvement |
Legitimate Interests - improving our Services |
| Marketing communications |
Consent - only with your explicit opt-in |
| Legal compliance |
Legal Obligation - where required by law |
4. How We Use Your Information
We use your information to:
- Provide, maintain, and improve our Services
- Process AI analysis on inspection images
- Send service-related communications (account alerts, updates)
- Provide customer support
- Analyse usage patterns and optimise performance
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations
- Enforce our Terms and Conditions
5. Data Sharing and Disclosure
We do not sell your personal data. We may share data with:
5.1 Service Providers
We use a small number of vetted Sub-processors to operate the Services. The full, current list (with locations and purposes) is maintained in our Data Processing Agreement. Categories include:
- Cloud infrastructure: UpCloud (UK/EU) - managed Kubernetes, PostgreSQL, and S3-compatible object storage hosted in London (uk-lon1)
- Message broker: CloudAMQP - managed RabbitMQ hosted in the EU
- Authentication: Auth0 (Okta) - sign-in and identity
- AI processing: Google (Vertex AI — Gemini 2.5 Flash, EU region) as primary Deep AI provider; Anthropic (Claude) as secondary Deep AI provider and primary for property summaries and review; Microsoft Azure AI Vision and OpenAI as documented fallbacks
- Payments: Stripe (PCI DSS Level 1)
- Email: Resend (transactional email)
- Error monitoring: Sentry (EU region)
- DNS and bot protection: Cloudflare (DNS, Turnstile on signup)
- Mobile maps: Stadia Maps (tile rendering only)
- Web typography: Google Fonts
- Observability (where deployed): Grafana Cloud (EU)
- Container registry: GitHub Container Registry (operational images only, no Customer Data)
- Marketing site only: Microsoft Azure Static Web Apps and Google Analytics (consent-gated). These apply only to veristay.app and not to the production SaaS application.
5.2 Legal Requirements
We may disclose data when required by law, court order, or to protect our legal rights.
5.3 Business Transfers
In connection with any merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change.
6. International Data Transfers
Your data is primarily stored and processed in the United Kingdom and European Economic Area (EEA).
Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK ICO
- Adequacy decisions where available
- Data processing agreements with all sub-processors
7. Data Retention
We retain your data for as long as your account is active or as needed to provide Services:
| Data Type |
Retention Period |
| Account Data |
Until account deletion + 30 days |
| Inspection Data |
Configurable by tenant (default: 2 years) |
| Media (Photos/Videos) |
As per tenant retention settings |
| Backup Data |
Up to 90 days after deletion |
| Audit Logs |
7 years (legal compliance) |
Data subject to legal hold will be retained until the hold is released.
8. Your Rights (UK GDPR)
You have the following rights regarding your personal data:
- Right of Access: Request a copy of your data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion ("right to be forgotten")
- Right to Data Portability: Export your data in a machine-readable format
- Right to Restriction: Limit how we process your data
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Revoke consent at any time (where consent is the legal basis)
- Rights Related to Automated Decision-Making: Request human review of automated decisions
To exercise these rights, contact us at info@veristay.app. We will respond within 30 days.
9. Data Security
We implement industry-standard security measures:
- Encryption in transit (TLS 1.2 or higher)
- Encryption at rest (AES-256)
- Single sign-on (SSO) and multi-factor authentication (MFA) available via Auth0, configurable per tenant
- Automated dependency vulnerability monitoring via GitHub Dependabot
- Strict access controls and audit logging
SOC 2 Type II certification is on our roadmap; we are not currently certified.
10. Cookies and Tracking
We use cookies and similar technologies for:
- Essential Cookies: Authentication, security, session management
- Analytics Cookies: Usage statistics (with consent)
- Preference Cookies: Remember your settings
See our Cookie Policy for full details and management options.
11. Third-Party Services
The Sub-processors listed in section 5.1 each have their own privacy policies. For convenience:
12. Children's Privacy
VeriStay is a business-to-business service not intended for individuals under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email or in-app notification at least 30 days before changes take effect.
Continued use after changes constitutes acceptance of the updated policy.
14. Complaints
If you have concerns about how we handle your data, please contact us first at info@veristay.app.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
15. Contact Us
For privacy-related questions or to exercise your rights:
VeriStay Ltd — Data Protection
Email: info@veristay.app
Related Documents