
Privacy Policy

Last Updated: April 6, 2026

1. Introduction & Controller Identity

Verdikt (the “Service”) is a B2B multi-agent AI debate platform designed to assist business decision-making. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, website, and related applications.

1.1 Data Controller

Verdikt (the “Company,” “we,” “us,” or “our”) operates Verdikt. We are committed to protecting your privacy and ensuring you have a positive experience on our Service.

For data protection inquiries, contact:
Email: privacy@getverdikt.com
Website: getverdikt.com

1.2 Scope and Application

This Privacy Policy applies to:

  • Users in the European Union (GDPR)
  • Users in California and other CCPA-compliant jurisdictions
  • All other users accessing Verdikt

2. Information We Collect

2.1 Account and Authentication Data

When you create an account or authenticate with Verdikt, we collect:

  • Email address (if provided)
  • Account name and profile information
  • Organization/Company name (if applicable)
  • Billing and subscription tier information (Solo, Team, Business, Premium)
  • Firebase Authentication token (automatically managed)

2.2 Debate and Content Data

When you use Verdikt to submit debates, create dilemmas, or interact with the platform, we collect:

  • Business dilemmas and decision scenarios submitted
  • Debate context and supporting information
  • AI-generated verdicts, recommendations, and artifacts (including versioned deliverables)
  • Action Board data and follow-up ratings (7-day rating submissions)
  • Exported content (PDF files generated from debates)
  • Uploaded company documents (extracted text only — original files are not stored). Documents are scoped as either team-shared (visible to all organization members) or personal (visible only to the uploader). Documents are strictly isolated to your organization and cannot be accessed by other organizations

2.3 AI Interaction Data

Your prompts, context, and debate data are transmitted to AI providers (Google Gemini and Anthropic Claude) to generate debate arguments and verdicts. This data may include:

  • Raw prompts and queries
  • Business context and background information
  • Job descriptions and candidate evaluation data (for hiring debates)
  • Historical debate data used for context

2.4 Device and Usage Data

We automatically collect information about how you interact with Verdikt:

  • IP address and geolocation data
  • Device type, operating system, and browser information
  • Pages visited, features used, and time spent
  • Click paths, scroll depth, and interaction patterns
  • Error logs and performance metrics (via Sentry)

2.5 Hiring Feature Data

If you use Verdikt’s hiring debate feature, we collect and process:

  • Job descriptions and role specifications
  • Candidate names, qualifications, and experience data
  • Evaluation criteria and assessment results

This data is considered sensitive personal data and is subject to enhanced protection (see Section 12).

2.6 Communication Data

We collect information when you communicate with us:

  • Support inquiries and help requests
  • Feedback, bug reports, and feature suggestions
  • Email correspondence and communication records

2.7 Organizational Intelligence Data

For Team, Business, Premium, and Enterprise tiers, Verdikt processes decision data to build organizational intelligence. This includes:

  • Decision Ledger entries: Session category, stake level, verdict summaries, top recommendations, and consensus outcomes — encrypted with AES-256-GCM before storage
  • Outcome tracking data: Follow-up actions taken (followed, modified, ignored), outcome ratings (1–5), and whether the user would decide differently — recorded via a server-side Cloud Function that encrypts notes and lessons learned before writing
  • Company profile data: Strategic priorities, key constraints, industry, business stage, and company size as provided during workspace setup
  • Financial context (admin-only): Revenue range, burn rate, funding stage, and headcount. Financial data is stored in a separate, access-controlled document readable only by the organization administrator
  • Computed statistics: Programmatic aggregates (category breakdowns, outcome follow rates, average ratings, regretted decisions) — generated without AI, always factual
  • AI-generated narrative: A synthesized intelligence summary produced by Google Gemini, constrained to cite actual decision history. Narratives are cached for 24 hours and automatically regenerated

Per-session opt-out: Each session includes a “Share with company intelligence” toggle. When disabled, that session’s data is excluded from intelligence synthesis. The toggle is visible on the briefing screen before every session.

3. How We Use Your Information

3.1 Primary Service Delivery

We use your information to:

  • Create and maintain your account
  • Deliver the Verdikt platform and AI debate features
  • Generate verdicts, recommendations, and artifacts
  • Process PDF exports and artifact generation
  • Track 7-day follow-up ratings and outcomes

Lawful Basis: Contract (performance of our agreement with you)

3.2 Billing and Account Management

We use your information to:

  • Process subscription and billing information via Stripe
  • Manage subscription tiers (Team, Business, Premium) on monthly or annual billing cycles
  • Track strategic credit allocation, usage, purchased credit balances, and display credit usage analytics (daily trends, cycle comparisons, transaction history)
  • Send billing-related communications (renewal reminders, payment failure notices, credit notifications)
  • Enforce seat limits and team management
  • Process one-time credit pack purchases
  • Send ownership transfer notifications when admin rights are reassigned

Lawful Basis: Contract (billing obligations)

3.3 Service Improvement and Analytics

We use your information to:

  • Analyze usage patterns and platform performance
  • Identify and fix bugs and technical issues
  • Develop new features and improvements
  • Conduct A/B testing and user research

Lawful Basis: Legitimate interest (improving our Service and user experience)

3.4 Legal Compliance and Security

We use your information to:

  • Comply with legal obligations and law enforcement requests
  • Detect, prevent, and address fraud, abuse, and security issues
  • Enforce our Terms of Service and other agreements
  • Protect the rights, property, and safety of our users and business

Lawful Basis: Legal obligation, legitimate interest (security and fraud prevention)

3.5 Organizational Intelligence Synthesis

For organizations on Team, Business, Premium, or Enterprise tiers, we use decision data to:

  • Compute factual statistics about your organization’s decision patterns (category breakdowns, outcome follow rates, ratings by stake level)
  • Generate AI-powered narrative summaries that cite specific decisions from your organization’s history
  • Inject organizational context into future AI advisory sessions so advisors understand your company’s priorities, constraints, and decision history
  • Surface regretted decisions and logged lessons to inform future recommendations
  • For Premium and Enterprise tiers: incorporate financial context (revenue, burn rate, funding stage) into AI advisory sessions, with role-based visibility controls

Lawful Basis: Legitimate interest (Article 6(1)(f) GDPR) — improving the quality and relevance of decision advisory for your organization. We have conducted a balancing test confirming that this processing is proportionate: (a) data is processed only within your organization’s context and never shared across organizations, (b) PII is redacted before AI synthesis, (c) users have per-session opt-out control, and (d) the intelligence toggle can be disabled entirely in organization settings.

Data minimization: Intelligence synthesis uses only encrypted ledger summaries (truncated to 120 characters) and does not process full session transcripts or conversation histories. Cached intelligence is automatically purged after 90 days of organizational inactivity.

3.6 Communication and Support

We use your information to:

  • Respond to support inquiries and customer service requests
  • Send transactional emails (account confirmation, password reset, team invitations)
  • Send billing notifications (renewal reminders, payment failures, cancellation confirmations, credit alerts)
  • Send weekly analytics digests to organization administrators
  • Send onboarding lifecycle emails (welcome sequence, trial reminders, post-subscription nurture, and feature discovery — up to 11 behavioral emails over your first 21 days)
  • Send ownership transfer notifications when organization admin rights are reassigned
  • Provide product updates and announcements

Lawful Basis: Contract (service delivery), legitimate interest (customer support)

4. AI Data Processing

4.1 AI Provider Integration

Verdikt uses two AI providers to generate debates and verdicts:

  • Google Gemini API
  • Anthropic Claude API

4.2 Data Transmitted to AI Providers

When you submit a business dilemma or debate prompt, the following data is transmitted to our AI providers:

  • Your prompt text and queries
  • Contextual information you provide (background, constraints, options)
  • Historical debate data (if referenced)
  • For hiring debates: job descriptions, candidate names, and evaluation criteria
  • For intelligence synthesis (Team+ tiers): PII-redacted decision summaries, outcome data, and company profile context are transmitted to Google Gemini to generate organizational intelligence narratives. This processing occurs on a scheduled basis (daily) and on profile updates, not in real-time during sessions

4.3 Data Retention by AI Providers

Verdikt accesses Google and Anthropic exclusively through their paid commercial API tiers, which provide stronger data protection than consumer products. Specific retention terms:

  • Google Gemini API: Under Google’s Gemini API Terms of Service and Cloud Data Processing Addendum, API input and output data may be retained for up to 30 days for abuse monitoring and safety purposes, then deleted. Data is processed in the United States. Your data is not used to train or improve Google’s models.
  • Anthropic Claude API: Under Anthropic’s Privacy Policy and Commercial Terms of Service, API input and output data may be retained for up to 30 days for trust and safety (abuse detection) purposes, then deleted. Data is processed in the United States. Your data is not used to train or improve Anthropic’s models.

Both providers delete API data automatically after their respective safety-retention windows. No user content is stored by AI providers beyond these periods.

4.4 User Rights and AI Data

Your right to access, delete, or port data applies to Verdikt’s servers. For the temporary data retained by AI providers during their safety-retention windows:

  • Data retained by Google and Anthropic is automatically deleted within 30 days of processing and is not accessible to, or retrievable by, Verdikt
  • When you delete your Verdikt account (see Section 8), all data on Verdikt’s servers is permanently deleted within 30 days. Data in AI provider safety-retention queues will expire automatically per the timelines above
  • To exercise data rights directly with our AI providers, refer to: Google Data & Privacy | Anthropic Privacy Policy

4.5 Safeguards

We have implemented the following safeguards:

  • Signed Data Processing Agreements (DPAs) with both Google Cloud and Anthropic
  • Zero model-training guarantee: Neither Google nor Anthropic uses your data to train, fine-tune, or improve their AI models under our commercial API agreements
  • Automated PII redaction applied to user content before transmission to AI providers (3-layer pipeline: regex, AI-based contextual detection, and encryption)
  • Encrypted transmission to AI providers via HTTPS/TLS 1.3
  • API key authentication with server-side secret management (no client-side exposure)

5. Data Sharing & Sub-Processors

We share your information with the following sub-processors who help us deliver Verdikt. All sub-processors have signed Data Processing Agreements (DPAs):

| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform | Cloud hosting, Firestore database, Cloud Functions | All customer data, debate history, user accounts | United States (us-central1) |
| Google AI (Gemini) | AI debate generation, verdict synthesis | User prompts, debate context, business dilemmas (PII-redacted). Retained ≤30 days for safety, then deleted. Not used for model training. API Terms | United States |
| Anthropic (Claude) | AI debate generation, artifact analysis | User prompts, debate context, job descriptions (PII-redacted). Retained ≤30 days for safety, then deleted. Not used for model training. Commercial Terms | United States |
| Stripe | Payment processing, subscription management, billing | Payment method, billing address, subscription status, invoice history | United States |
| Brevo (Sendinblue) | Email delivery (invitations, trial lifecycle, billing, renewal reminders) | Email address, notification content | European Union / United States |
| Sentry | Error tracking and debugging | Error logs, performance metrics, anonymized identifiers | United States |

5.1 Third-Party Service Providers

In addition to sub-processors listed above, we may share data with:

  • Legal counsel and advisors (in response to legal requests)
  • Financial institutions (for billing and payments)
  • Business partners (only with your consent)

5.2 No Sale of Personal Information

Verdikt does NOT sell, rent, or trade your personal information to third parties. We do not monetize user data.

6. International Data Transfers

Verdikt operates with data infrastructure in the United States. If you are located in the European Union or other jurisdictions, your data is transferred to and processed in the United States.

6.1 EU-US Data Privacy Framework

Verdikt complies with the EU-US Data Privacy Framework (DPF), formerly Privacy Shield, as set forth by the U.S. Department of Commerce and the European Commission.

  • We commit to GDPR Principles of Data Minimization, Purpose Limitation, and Storage Limitation
  • We implement appropriate technical and organizational safeguards for international transfers

6.2 Standard Contractual Clauses

For data transfers outside the DPF framework, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Our sub-processors are bound by equivalent SCCs.

6.3 Transfer Impact Assessment

We have conducted Transfer Impact Assessments in accordance with GDPR Article 46 to evaluate:

  • Laws and legal frameworks applicable in recipient countries
  • Technical safeguards (encryption, access controls)
  • Organizational measures (staff training, confidentiality agreements)
  • Your rights to remedies and legal recourse

7. Data Retention

7.1 Retention Schedule

Account Data:

Retained while your account is active. Deleted within 30 days of account deletion or subscription cancellation.

Debate and Content Data:

Retained for the duration of your subscription plus a 30-day grace period after cancellation. You may request deletion at any time.

Billing and Credit Transaction Data:

Credit transaction records are retained for 12 months and automatically purged. When an account or organization is deleted, Stripe customer records are permanently deleted via the Stripe API (not archived). Stripe retains invoice and charge records independently for tax compliance per their own data retention policies.

Deletion Audit Logs:

When an account or organization is permanently deleted, an anonymized audit log is retained for 6 years per IRS record-keeping requirements (26 USC §6501). Audit logs contain only hashed identifiers (truncated SHA-256) — no raw email addresses, names, or user IDs are stored. These anonymized records are automatically purged after the statutory retention period.

Usage and Analytics Data:

Retained for 12 months from collection date. Aggregated, anonymized data may be retained longer.

Organizational Intelligence Cache:

Cached intelligence summaries are refreshed every 24 hours and automatically purged after 90 days of organizational inactivity. Decision Ledger entries are retained for the duration of the organization’s subscription and deleted upon organization deletion. When a user deletes their account, their entries in the organization’s Decision Ledger are anonymized (userId replaced with “deleted-user”) to preserve aggregate intelligence while removing personal attribution.

Hiring Feature Data:

Retained for 90 days after final evaluation. Extended retention requires explicit consent.

Support and Communication Data:

Retained for 3 years to address follow-up issues and legal compliance.

7.2 Data Deletion

Upon subscription cancellation, your organization enters a 30-day grace period during which data is accessible in read-only mode. After the grace period, all organization data is permanently deleted through an automated cascade that removes sessions, verdicts, artifacts, billing records, persona memories, team invitations, and audit logs. Upon account deletion or specific deletion requests, we will purge your personal data from our systems within 30 days, subject to legal retention obligations.

8. Your Rights (GDPR & CCPA)

You have the following privacy rights. To exercise any of these rights, contact privacy@getverdikt.com with your request.

8.1 GDPR Rights (for EU residents)

  • Right to Access (Article 15): Request a copy of your personal data in a structured, machine-readable format within 30 days.
  • Right to Rectification (Article 16): Correct inaccurate or incomplete personal data.
  • Right to Erasure (Article 17): Request deletion of your personal data, subject to legal retention obligations. Deleted within 30 days.
  • Right to Restrict Processing (Article 18): Request that we limit how we use your data while we review your requests.
  • Right to Data Portability (Article 20): Receive your personal data in a portable format and transmit it to another service provider within 30 days.
  • Right to Object (Article 21): Object to our processing of your data for legitimate interests, marketing, or profiling.
  • Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (national data protection authority).

8.2 CCPA Rights (for California residents)

  • Right to Know (CCPA § 1798.100): Request what personal information we collect, use, share, or sell. Response within 45 days.
  • Right to Delete (CCPA § 1798.105): Request deletion of personal information collected from you. Deleted within 45 days.
  • Right to Correct (CCPA § 1798.100(e)): Correct inaccurate personal information.
  • Right to Opt-Out (CCPA § 1798.120): We do NOT sell personal information. You have the right to opt-out of targeted advertising and data sharing for marketing.
  • Right to Non-Discrimination (CCPA § 1798.125): We will not discriminate against you for exercising your CCPA rights.

8.3 Response Timeline and Process

For all rights requests:

  • Submit your request to: privacy@getverdikt.com
  • Include: Your full name, email, and specific request details
  • We will confirm receipt within 5 business days
  • GDPR Response: Within 30 days (extendable to 60–90 days for complex requests)
  • CCPA Response: Within 45 days (extendable to 90 days)
  • We may request identity verification before processing your request

9. Children’s Privacy (COPPA Compliance)

Verdikt is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 in compliance with the Children’s Online Privacy Protection Act (COPPA). Account registration is blocked for users under 13 through both client-side and server-side enforcement.

Users aged 13–17 may create an account only with verifiable parental or guardian consent, as confirmed during the registration process.

If we become aware that we have collected data from a child under 13 without verifiable parental consent, we will delete it immediately and terminate the associated account.

Parents or guardians who believe a child has provided us with personal information should contact privacy@getverdikt.com immediately.

10. Cookies & Tracking

10.1 Cookies and Local Storage

Verdikt uses cookies and local storage to:

  • Maintain user sessions and authentication
  • Remember user preferences and settings
  • Analyze usage patterns via Google Analytics (anonymized)
  • Provide essential platform functionality

10.2 Cookie Types

Essential Cookies: Required for authentication and platform functionality. These cannot be disabled.

Analytics Cookies: Google Analytics is used to understand how you use Verdikt. Data is anonymized. You can opt-out via browser settings or by installing the Google Analytics Opt-out Browser Add-on.

Firebase Analytics: Firebase collects usage data to help us understand platform performance. Data is not sold to third parties.

10.3 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. Note that disabling cookies may impact platform functionality.

11. Data Security

11.1 Security Measures

We implement comprehensive security safeguards to protect your personal data:

  • End-to-end encryption for data in transit (TLS 1.2+)
  • AES-256 encryption for data at rest in Google Cloud Firestore
  • Firebase Authentication with OAuth 2.0 and JWT tokens
  • Access controls and role-based permissions (RBAC)
  • Regular security audits and penetration testing
  • Multi-factor authentication (MFA) available for accounts
  • Monitoring and alerting via Sentry error tracking

11.2 Data Breach Notification

In the event of a data breach affecting your personal information:

  • We will notify affected users within 72 hours of discovery
  • Notifications will be sent via email to your registered email address
  • We will provide details about the breach and recommended actions
  • For GDPR users: We will notify supervisory authorities as required by law

11.3 Limitations

While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute protection against all unauthorized access, loss, alteration, or destruction of data. You are responsible for maintaining the confidentiality of your account credentials.

12. High-Risk Processing (Hiring Feature)

12.1 Data Protection Impact Assessment (DPIA)

The Verdikt hiring feature processes candidate evaluation data and job descriptions, which may include sensitive personal data (as defined in GDPR Article 9). We have conducted a Data Protection Impact Assessment (DPIA) for this feature in accordance with GDPR Article 35.

Key findings from our DPIA:

  • Hiring debates involve processing special category data (job applicant information)
  • Enhanced data minimization and security measures are implemented
  • Users maintain control over which candidates are evaluated
  • A copy of our DPIA is available upon request to privacy@getverdikt.com

12.2 Special Protections for Hiring Data

When using the hiring feature, we:

  • Limit access to hiring data to authorized team members only
  • Implement role-based access controls (RBAC)
  • Require explicit consent before processing candidate data
  • Delete hiring data within 90 days of evaluation completion
  • Do not use hiring data for automated decision-making affecting candidates

12.3 Candidate Rights

Candidates whose data is processed through the hiring feature have the right to:

  • Request access to their personal data used in evaluations
  • Request rectification of inaccurate data
  • Request deletion of their data (subject to retention obligations)
  • Lodge complaints regarding the use of their data

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Privacy Policy on getverdikt.com with a new “Last Updated” date
  • Sending an email notification to your registered email address for material changes
  • Requiring your consent before changes take effect, if legally required

Your continued use of Verdikt after policy changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us at:

Email: privacy@getverdikt.com
Website: getverdikt.com
Address: 1317 Edgewater Dr #6656, Orlando, FL 32804

14.1 Data Protection Officer

Verdikt designates privacy@getverdikt.com as the primary contact for all privacy inquiries.

15. EU Representative

In accordance with GDPR Article 27, Verdikt will appoint an EU representative for data protection inquiries. Residents of the EU may contact us at privacy@getverdikt.com.

15.1 GDPR Contact Information Summary

For all GDPR inquiries:

  • Data Controller: Verdikt
  • Address: 1317 Edgewater Dr #6656, Orlando, FL 32804
  • Privacy Contact: privacy@getverdikt.com
  • Response Timeline: 30 days (extendable to 60–90 days)
  • Supervisory Authority Contact: Your local national data protection authority

This Privacy Policy is effective as of April 6, 2026 and governs all use of Verdikt. Verdikt is operated in compliance with GDPR, CCPA, and applicable data protection laws.
