Privacy Policy
Effective date: April 1, 2026
1. Introduction
Verifex ("we," "us," or "our") operates a real-time sanctions and watchlist screening API that enables developers and businesses to check persons and entities against international sanctions lists including OFAC SDN, UN Security Council, EU Consolidated List, UK HM Treasury, and World Bank Debarred.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, create an account, or use our API services. By accessing or using Verifex, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our services immediately.
2. Information We Collect
2.1 Account Information
When you register for a Verifex account, we collect your name and email address. This information is necessary to create your account, issue API keys, and communicate with you about your account and our services.
2.2 API Usage Data
When you make requests to our API, we collect usage data including: the API endpoint called, request timestamps, response times, the number of screening queries made, IP addresses from which requests originate, and whether matches were found. We do not permanently store the names or entities you submit for screening beyond the temporary processing period required to return results and maintain short-term logs.
2.3 Payment Information
Payment processing is handled entirely by our third-party payment provider, Lemon Squeezy. We do not directly collect, store, or process your credit card numbers, bank account details, or other financial payment instruments. Lemon Squeezy may collect and process your payment information in accordance with their own privacy policy. We receive only confirmation of payment status, subscription tier, and a customer identifier from Lemon Squeezy.
2.4 Automatically Collected Information
When you visit our website, we may automatically collect certain information about your device including your browser type, operating system, referring URLs, and pages viewed. This data is collected through standard web server logs and is used to analyze trends and administer the site.
2.5 Screening Query Data
When you submit a name or entity for screening via our API, this data is processed in real time to generate screening results. We process screening queries as follows:
- Screening queries are processed in server memory and are not written to permanent storage beyond what is necessary for rate limiting, usage tracking, and short-term operational logging.
- We do NOT build profiles of the individuals or entities you screen.
- We do NOT use your screening queries to train machine learning models or improve screening for other customers.
- We do NOT share, sell, or disclose the specific names or entities you screen to any third party.
- Screening query logs are automatically purged on a per-plan schedule (30 days on Free and Starter, 60 days on Growth, 90 days on Pro, 365 days on Enterprise). See Section 4 (Data Retention) for the full table.
If you are on a plan that includes audit trail features, screening results (including the queried name, match results, and timestamps) are stored in your account's audit log for the duration specified by your plan. This data is accessible only to you and is deleted upon account termination.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: To authenticate your API requests, deliver screening results, and manage your account and API keys.
- Billing and Payments: To manage your subscription, track usage against your plan quota, and coordinate billing through Lemon Squeezy.
- Product Improvement: To analyze aggregate usage patterns, monitor API performance, identify and fix bugs, and improve the accuracy and speed of our screening engine.
- Security: To detect and prevent fraud, abuse, unauthorized access, and other malicious activity against our platform and users.
- Communication: To send you essential service notifications such as API key expiration warnings, plan usage alerts, security notices, and responses to your support inquiries. We do not send unsolicited marketing emails.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
4. Data Retention
Screening records (query, match results, confidence scores, and timestamps) are retained according to the following per-plan schedule and are then deleted automatically:
- Free: 30 days
- Starter ($49/mo): 30 days
- Growth ($99/mo): 60 days
- Pro ($249/mo): 90 days
- Enterprise ($499/mo): 365 days
Account data (your name, email address, API key metadata, and subscription information) is retained for as long as your account remains active. If you request account deletion, we will delete your personal data within 30 days of the request, except where retention is required by law or for legitimate business purposes such as resolving disputes or enforcing our agreements.
Operational logs (uptime checks, error logs) are retained for up to 90 days for security, debugging, and abuse prevention.
5. Third-Party Services
We use the following third-party services to operate Verifex:
- IONOS — Hosts our infrastructure including the API, website, databases, and background processing services. All data is stored on dedicated servers located in the United States. IONOS processes data in accordance with their privacy policy available at ionos.com.
- Lemon Squeezy — Processes subscription payments. Lemon Squeezy may collect and process payment information (credit card numbers, billing addresses) in accordance with their privacy policy available at lemonsqueezy.com. We do not store your payment card details — Lemon Squeezy handles all payment data directly.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share data with the above providers only to the extent necessary to operate our service.
6. International Data Transfers
Verifex's infrastructure is hosted in the United States. If you are accessing our Service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
By using the Service, you consent to the transfer of your information to the United States and acknowledge that your data will be subject to United States law.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland: We process personal data on the basis of legitimate interests (providing and improving our Service), contractual necessity (fulfilling our obligations under these Terms), and your consent where applicable. You have the right to withdraw consent at any time by contacting us at hello@verifex.dev.
7. Data Processing Agreement (DPA)
If you process personal data of individuals in the European Economic Area, United Kingdom, or other jurisdictions that require a Data Processing Agreement, we are prepared to enter into a DPA that governs our processing of personal data on your behalf.
To request a Data Processing Agreement, please contact us at hello@verifex.dev.
For the purposes of applicable data protection law:
- When you use our API to screen names, you are the Data Controller and Verifex is the Data Processor.
- We process screening data only on your instructions and for the purpose of providing screening results to you.
- We implement appropriate technical and organizational measures to protect personal data, as described in Section 10 (Security) of this Privacy Policy.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Correction: You may request that we correct any inaccurate or incomplete personal data.
- Right to Deletion: You may request that we delete your personal data. Upon receiving a valid request, we will delete your data within 30 days, subject to any legal obligations that require retention.
- Right to Data Portability: You may request an export of your data in a machine-readable format.
- Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
- Right to Object: You may object to the processing of your personal data where we are relying on legitimate interests as the legal basis for processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction if you believe our processing of your personal data violates applicable data protection law.
- California Residents (CCPA): If you are a California resident, you have the right to know what personal information we collect, request deletion of your personal information, and opt out of the sale of your personal information. We do not sell personal information. To exercise your CCPA rights, contact us at hello@verifex.dev.
To exercise any of these rights, please contact us at hello@verifex.dev. We will respond to your request within 30 days.
9. Cookies
Verifex uses minimal cookies strictly necessary for the functioning of our service. Specifically, we use session cookies to maintain your authenticated state when you are logged in to the developer dashboard. These cookies are HttpOnly and Secure, and are not used for tracking or advertising purposes.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track individual users across websites. You can configure your browser to refuse cookies, but doing so may prevent you from using the authenticated portions of our service.
10. Security
We take the security of your data seriously and implement appropriate technical and organizational measures to protect it. These measures include:
- All data transmitted between your systems and our API is encrypted in transit using HTTPS/TLS.
- API keys are stored as irreversible SHA-256 hashes. We never store your raw API key after initial generation.
- User passwords are hashed using bcrypt with appropriate salt rounds before storage.
- Database access is restricted and authenticated. All infrastructure runs within private networks.
- Each audit record includes a deterministic SHA-256 hash for self-integrity verification.
While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
11. Data Breach Notification
In the event of a confirmed data breach that affects your personal data or your screening data, we will:
- Notify affected users within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 requirements;
- Provide details of the nature of the breach, the categories of data affected, and the approximate number of users affected;
- Describe the measures taken or proposed to address the breach and mitigate its potential adverse effects;
- Provide contact information for further inquiries.
Notification will be sent to the email address associated with your account. We encourage you to keep your account email address current.
12. Children's Privacy
Verifex is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Effective date" at the top of this page and, where appropriate, by sending a notice to the email address associated with your account. We encourage you to review this policy periodically.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: