Privacy Policy

1. Introduction

Verifex ("we," "us," or "our") operates a real-time sanctions and watchlist screening API that enables developers and businesses to check persons and entities against international sanctions lists including OFAC SDN, UN Security Council, EU Consolidated List, UK HM Treasury, and World Bank Debarred.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, create an account, or use our API services. By accessing or using Verifex, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our services immediately.

2. Information We Collect

2.1 Account Information

When you register for a Verifex account, we collect your name and email address. This information is necessary to create your account, issue API keys, and communicate with you about your account and our services.

2.2 API Usage Data

When you make requests to our API, we collect usage data including: the API endpoint called, request timestamps, response times, the number of screening queries made, IP addresses from which requests originate, and whether matches were found. We do not permanently store the names or entities you submit for screening beyond the temporary processing period required to return results and maintain short-term logs.

2.3 Payment Information

Payment processing is handled entirely by our third-party payment provider, Lemon Squeezy. We do not directly collect, store, or process your credit card numbers, bank account details, or other financial payment instruments. Lemon Squeezy may collect and process your payment information in accordance with their own privacy policy. We receive only confirmation of payment status, subscription tier, and a customer identifier from Lemon Squeezy.

2.4 Automatically Collected Information

When you visit our website, we may automatically collect certain information about your device including your browser type, operating system, referring URLs, and pages viewed. This data is collected through standard web server logs and is used to analyze trends and administer the site.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: To authenticate your API requests, deliver screening results, and manage your account and API keys.
• Billing and Payments: To manage your subscription, track usage against your plan quota, and coordinate billing through Lemon Squeezy.
• Product Improvement: To analyze aggregate usage patterns, monitor API performance, identify and fix bugs, and improve the accuracy and speed of our screening engine.
• Security: To detect and prevent fraud, abuse, unauthorized access, and other malicious activity against our platform and users.
• Communication: To send you essential service notifications such as API key expiration warnings, plan usage alerts, security notices, and responses to your support inquiries. We do not send unsolicited marketing emails.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. Data Retention

API request logs (including endpoint, response time, match status, and associated metadata) are retained for 90 days from the date of the request. After this period, logs are automatically and permanently deleted.

Account data (your name, email address, API key metadata, and subscription information) is retained for as long as your account remains active. If you request account deletion, we will delete your personal data within 30 days of the request, except where retention is required by law or for legitimate business purposes such as resolving disputes or enforcing our agreements.

Audit logs maintained through our audit logging system are retained for the duration required by the applicable audit retention policy, which may exceed the 90-day API log retention period for users on plans that include audit trail access.

5. Third-Party Services

We use the following third-party services to operate Verifex. Each of these providers may collect and process data in accordance with their own privacy policies:

• Lemon Squeezy — Processes all subscription payments and manages billing. Lemon Squeezy acts as the Merchant of Record. Their privacy policy is available at lemonsqueezy.com.
• Vercel — Hosts our website and web application. Vercel may process request-level data (IP addresses, headers) as part of serving web pages. Their privacy policy is available at vercel.com.
• Railway — Hosts our API infrastructure, databases, and background processing services. Railway processes data within their infrastructure in accordance with their privacy policy available at railway.app.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share data with the above providers only to the extent necessary to operate our service.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right of Access: You may request a copy of the personal data we hold about you.
• Right to Correction: You may request that we correct any inaccurate or incomplete personal data.
• Right to Deletion: You may request that we delete your personal data. Upon receiving a valid request, we will delete your data within 30 days, subject to any legal obligations that require retention.
• Right to Data Portability: You may request an export of your data in a machine-readable format.

To exercise any of these rights, please contact us at hello@verifex.dev. We will respond to your request within 30 days.

7. Cookies

Verifex uses minimal cookies strictly necessary for the functioning of our service. Specifically, we use session cookies to maintain your authenticated state when you are logged into the developer dashboard. These cookies are httpOnly, secure, and are not used for tracking or advertising purposes.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track individual users across websites. You can configure your browser to refuse cookies, but doing so may prevent you from using the authenticated portions of our service.

8. Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it. These measures include:

• All data transmitted between your systems and our API is encrypted in transit using HTTPS/TLS.
• API keys are stored as irreversible SHA-256 hashes. We never store your raw API key after initial generation.
• User passwords are hashed using bcrypt with appropriate salt rounds before storage.
• Database access is restricted and authenticated. All infrastructure runs within private networks.
• We maintain tamper-evident audit logs for all critical operations using cryptographic hash chaining.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

9. Children's Privacy

Verifex is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Effective date" at the top of this page and, where appropriate, by sending a notice to the email address associated with your account. We encourage you to review this policy periodically.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

hello@verifex.dev