Legal

Privacy Policy

VerityAI Pty Ltd  ·  ABN 80 634 474 383  ·  Level 5, 175 Macquarie Street, Sydney NSW 2000  ·  Effective 1 January 2026  ·  Version 1.1

Our position in plain language — Verity AI is a B2B infrastructure company. We authenticate products, not people. We do not collect data from your end consumers. We do not sell data. We do not run advertising. Product Images — photos of physical goods submitted via our API — are images of objects, not persons, and are not Personal Data under any applicable privacy law. Our retraining disclosure is in Section 5.

Contents

  1. Data Philosophy
  2. Who This Policy Applies To
  3. What Data We Collect
  4. How We Use Your Data
  5. Model Retraining
  6. How We Share Data
  7. International Data Transfers
  8. Data Security
  9. Data Retention
  10. Your Rights
  11. Cookies and Tracking
  12. Third-Party Integrations
  13. AI-Specific Privacy
  14. Children
  15. Changes to This Policy
  16. Contact Us
01

Data Philosophy

VerityAI Pty Ltd (“Verity AI”, “we”, “us”, “our”) builds product authentication infrastructure for businesses. Our core data principles:

  • We authenticate products, not people. Product Images are photos of physical goods. They do not identify natural persons and are not Personal Data.
  • We are B2B only. We have no direct relationship with the end consumers of our clients’ platforms. We do not collect consumer Personal Data.
  • We do not sell data. We have never sold client data to a third party and will not do so.
  • We do not run advertising. No data we hold is used for advertising purposes.
  • We are transparent about model retraining. We use authentication data to improve our models. Section 5 explains exactly how, what we use, what we don’t use, and how to opt out.
02

Who This Policy Applies To

This Privacy Policy applies to:

  • Enterprise clients — businesses that have executed an Order Form or are using the Service under a trial or pilot agreement;
  • Developers — individuals or entities accessing the Verity AI API directly, including sandbox users; and
  • Website visitors — people who visit verityai.app or any related Verity AI web property.

This Policy does not apply to the end consumers of our clients’ platforms. If you are a consumer who has interacted with a Verity AI-powered authentication check on a third-party platform, your data is governed by that platform’s privacy policy. Verity AI is not a controller of your Personal Data in that context.

03

What Data We Collect

Account and business data

When a business registers, requests a pilot, or executes an Order Form, we collect: business name, registered address, and company identifier (ABN or equivalent); name, job title, work email, and phone number of the individual registering; use case description, estimated monthly volume, and integration requirements; and billing and payment information processed through our payment provider.

Product Images and authentication data

Model Retraining Notice — Product Images submitted to the Service are used to improve our machine learning models by default. This is explained fully in Section 5. You may opt out within 30 days of your Effective Date by writing to legal@verityai.app.

We collect and process: Product Images submitted via the API; Authentication Results generated in response; confidence scores and model uncertainty signals; product category and brand metadata; and human review determinations where provided by the client.

We explicitly do not collect: end-consumer Personal Data; images of persons, faces, or bodies; biometric data; government-issued identification; financial account information of individuals; or special category data under GDPR Article 9.

API usage and technical data

We collect API request logs including timestamps, endpoint, response time, HTTP status code, and error codes (not image content); API key identifiers (not keys themselves); integration type and SDK version; and volume metrics used for billing and SLA monitoring.

Communications data

We collect the content of emails, support tickets, and meeting notes where clients or developers contact us.

Website analytics

We collect standard analytics data from verityai.app visitors including pages visited, referral source, session duration, and general location data (country/city level). No visitor is individually profiled or re-identified.

04

How We Use Your Data

Data | Purpose | Legal Basis (GDPR)
Account & business data | Account setup, contract management, billing, support | Contract performance
Product Images | Providing Authentication Results via the API | Contract performance
Product Images & results | Model retraining and improvement (Section 5) | Legitimate interests; opt-out available
API usage data | Service delivery, billing, SLA monitoring, security | Contract performance / legitimate interests
Communications | Customer support, relationship management | Legitimate interests
Website analytics | Website improvement, marketing performance | Legitimate interests / consent where required
All data | Legal compliance, audit, dispute resolution | Legal obligation

05

Model Retraining

Why we retrain

Counterfeit techniques evolve continuously. A model trained only on historical data degrades in accuracy as counterfeiters adapt. Keeping our authentication models accurate requires learning from real, current authentication data across a diverse range of products and brands.

What we use

  • Product Images submitted via the API
  • Authentication Results (Authentic / Inauthentic / Inconclusive)
  • Confidence scores and model uncertainty signals
  • Product category and brand metadata
  • Human review determinations where provided

What we do not use

  • Personal Data of any kind (prohibited from submission under our Terms)
  • Images of persons or faces
  • Client business data, pricing, customer lists, or commercial strategies
  • Any data that could identify one client to another

How we protect retraining data

Product Images used for retraining are stored on encrypted infrastructure across Amazon Web Services (AWS) and Google Cloud Platform (GCP), with primary data residency in Australian cloud regions (AWS ap-southeast-2 Sydney; GCP australia-southeast1 Sydney) where technically feasible. Encryption: AES-256 at rest; TLS 1.2+ in transit. Access is restricted to authorised Verity AI engineering personnel. Privacy-preserving machine learning techniques, including differential privacy where appropriate, are applied. Derived Model Data cannot be reverse-engineered to reveal raw Product Images.

No cross-client sharing

No single client’s raw Product Images are shared with or visible to any other client. Derived Model Data represents aggregate learnings and does not expose any client-specific data.

Your opt-out right

Enterprise Clients may opt out of retraining use of their Product Images by sending a written request to legal@verityai.app. Requests must be received before production data is submitted, or within 30 days of the Effective Date — whichever is earlier. Opt-out may affect per-call pricing and certain Service features. We will implement confirmed opt-outs within 30 business days.

Technical limitation: Product Images submitted before an opt-out request that have already been incorporated into retraining pipelines cannot be retroactively removed from trained model weights. We will not use data submitted after the confirmed opt-out date.

Retention of retraining data

Product Images used for retraining are retained for the duration of model development needs. Derived Model Data is retained indefinitely as it forms part of our model infrastructure. On termination, the retraining licence ceases to apply to future submissions.

06

How We Share Data

We do not sell data

Verity AI has never sold client data to any third party and will not do so. We do not share data for advertising purposes.

Service providers and subprocessors

We share data with third-party service providers strictly as necessary to deliver the Service:

  • Amazon Web Services, Inc. (AWS) — cloud compute, storage, database, and model inference. Regions: ap-southeast-2 (Sydney) primary; us-east-1 (Virginia) secondary. ISO 27001 and SOC 2 Type II certified.
  • Google LLC (Google Cloud Platform / GCP) — cloud compute, storage, and machine learning infrastructure. Regions: australia-southeast1 (Sydney) primary; us-central1 (Iowa) secondary. ISO 27001 and SOC 2 Type II certified.
  • Analytics providers — website-level analytics only; no API or Product Image data is shared.
  • Email delivery providers — transactional email only (account notifications, invoices, support responses).
  • Payment processors — billing and invoice processing; we do not store payment card details.

Current subprocessor list: verityai.app/legal/subprocessors. We will give at least 30 days’ advance written notice of material subprocessor changes.

Legal disclosures

We may disclose data where required by law, court order, or regulatory authority. We will notify affected clients of such requests where legally permitted to do so.

No cross-client disclosure

We never disclose one client’s data to another client.

07

International Data Transfers

Verity AI is headquartered in Australia. Our primary data residency regions are AWS ap-southeast-2 (Sydney) and GCP australia-southeast1 (Sydney). Some processing — particularly machine learning compute workloads — may occur in US regions (AWS us-east-1 Virginia; GCP us-central1 Iowa).

EEA and UK clients

Transfers of Personal Data from the EEA or UK to Australia and the United States are conducted under EU Standard Contractual Clauses (Commission Decision 2021/914, Module 2: Controller to Processor) with both AWS and GCP. Our Data Processing Addendum (available on request) incorporates these SCCs.

Australian clients

Cross-border disclosures comply with Australian Privacy Principle 8. By using the Service, clients acknowledge that data may be processed on infrastructure in the United States under the terms described above.

California clients (CCPA/CPRA)

Verity AI acts as a “service provider” under the CCPA and CPRA for any California Personal Data processed on a client’s behalf. We do not sell or share Personal Data as defined under CCPA/CPRA.

08

Data Security

We implement the following technical and organisational security measures:

  • Encryption in transit: TLS 1.2 or higher for all API communications and data transfers across AWS and GCP
  • Encryption at rest: AES-256 encryption on all AWS and GCP storage layers containing client data
  • API authentication: Token-based API key authentication with rate limiting and anomaly detection
  • Access controls: Role-based access controls (RBAC); principle of least privilege applied to all engineering personnel
  • Security testing: Regular penetration testing and vulnerability assessments conducted by qualified third parties
  • Audit logging: Comprehensive logging of all data access and API activity, retained for a minimum of 7 years
  • Business continuity: Redundant infrastructure across multiple availability zones
  • Personnel: Security awareness training for all staff with access to client data

In the event of a data security incident affecting client data, we will notify affected clients within 72 hours of becoming aware of the incident.

09

Data Retention

Data Type | Retention Period | Basis
Account & business data | Duration of relationship + 7 years | Legal and audit obligations
Product Images (standard) | Duration of relationship + 60 days | Service delivery
Product Images (retraining) | Duration of model development needs | Model Improvement Licence (Section 5)
Authentication logs | Minimum 7 years | Regulatory compliance and audit
Billing & financial records | 7 years | Tax and accounting obligations
Communications | 3 years | Dispute resolution
Derived Model Data | Indefinite | Technically infeasible to remove from trained weights
Website analytics | 26 months | Performance monitoring

10

Your Rights

The rights below apply to Personal Data we hold about your business contacts and account representatives — not to Product Images (which are not Personal Data).

GDPR rights (EEA and UK)

  • Access: Request a copy of Personal Data we hold about you
  • Correction: Request correction of inaccurate Personal Data
  • Deletion: Request deletion of Personal Data where we have no overriding legal basis to retain it
  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Portability: Receive your Personal Data in a structured, machine-readable format

Australian Privacy Rights

Under the Australian Privacy Act 1988, you have the right to access and correct Personal Data we hold about you. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

California Privacy Rights (CCPA/CPRA)

California residents have the right to: know what Personal Data we collect and how it is used; request deletion or correction of Personal Data; opt out of sale or sharing (we do not sell or share); and not be discriminated against for exercising these rights.

How to exercise your rights

Submit requests to privacy@verityai.app. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing requests.

11

Cookies and Tracking

Cookies and similar tracking technologies apply to the Verity AI website (verityai.app) only. The Verity AI API does not use cookies.

  • Essential cookies: Necessary for website functionality (session management, security). Cannot be disabled.
  • Analytics cookies: Help us understand how visitors use the site. You may opt out via your browser settings or our cookie preference centre.
  • Marketing cookies: Used to measure the effectiveness of our marketing. Applied only with your consent where required by law.
12

Third-Party Integrations

Clients may integrate the Verity AI API with third-party platforms (e.g. Shopify, warehouse management systems, returns platforms). Verity AI is not responsible for the privacy practices of those third-party platforms. Clients should review the privacy policies of any platform they connect to the Verity AI API. Where clients use Verity AI’s official integrations, data flows are described in integration-specific documentation at verityai.app/docs.

13

AI-Specific Privacy

No automated decisions about people

The Verity AI Service makes assessments about physical objects (products), not about natural persons. We do not make automated decisions that produce legal or similarly significant effects on individuals. No individual is profiled, scored, or subject to automated decision-making through our Service.

EU AI Act transparency

Computer vision product authentication is not a high-risk AI system under Annex III of the EU AI Act — it does not involve biometric identification, safety components, or decisions affecting natural persons’ fundamental rights. Model documentation is available to enterprise clients on written request.

Human oversight

Our Service is designed to support, not replace, human judgment. Authentication Results include confidence scores to enable human review for borderline cases and High-Value Decisions. We do not recommend sole reliance on Authentication Results for decisions with material consequences.

14

Children

Verity AI’s Service is designed for business use only and is not directed at or intended for individuals under the age of 18. We do not knowingly collect Personal Data from minors. If we become aware that we have inadvertently collected Personal Data from a minor, we will delete it promptly. Contact us at privacy@verityai.app if you believe this has occurred.

15

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to active clients by email at least 30 days before taking effect. Minor clarifications may be made without advance notice. Continued use of the Service after a material update has taken effect constitutes acceptance of the updated Policy. We will never retroactively change how we use data already collected in ways that would be materially less favourable to clients without obtaining fresh consent.

16

Contact Us

Purpose | Contact
Privacy & data requests | privacy@verityai.app
Legal enquiries | legal@verityai.app
Security incidents | security@verityai.app