Privacy Policy

Account information

• Your email address — used to sign you in and to send transactional messages such as magic-link emails and invite notifications.
• Your display name and avatar image — optional, used to personalise the account UI and team-management views.

Google Sign-In data

If you choose "Continue with Google", Google authenticates you and shares the basic profile data needed to create or access your GetVerdict account: your email address, name, profile image, and Google account identifier. We use that data only for authentication, account identity, profile display, fraud prevention, and support. We do not request access to Gmail, Drive, Calendar, contacts, or any other Google product content.

We do not sell Google user data, use it for advertising, use it to train machine-learning models, or share it with third parties except the processors listed below where needed to operate the Service. If you delete your account, we delete or detach the Google account link from your user record unless retention is required by law.

Usage data

• The briefs you file, the subjects you check, and the watchlists you create — used to deliver the Service and to enforce per-period quotas on the free tier.
• Server-side timestamps, request IPs, and basic user-agent metadata — used for rate-limiting, abuse prevention, and operational diagnostics. We do not build cross-site profiles from this data.

Anonymous-visitor identifiers

Visitors who are not signed in receive an opaque, randomly generated identifier (verdict_anon_id) stored in a first-party, http-only cookie. It is used solely to enforce the free-tier quota across a 30-day rolling period. It is not linked to any other dataset and is discarded when you clear cookies.

Billing information

When paid plans are connected to a payment processor, the processor collects and tokenises your card details on its own infrastructure. We receive only the metadata needed to reconcile your subscription — for example a customer identifier, the plan, and the billing period. We never see or store full card numbers.

• Deliver the Service. Render your account, produce briefs you request, send transactional emails (sign-in, team invites, billing receipts), and surface team-management actions.
• Operate the platform. Monitor uptime and performance, prevent abuse, enforce free-tier quotas, and respond to security incidents.
• Handle support requests. Reply to messages you send us and keep enough context to follow up.
• Comply with law. Respond to lawful requests from competent authorities, and keep records required by tax or accounting rules.

We do not sell your personal information. We do not use your data to train third-party machine-learning models.

We rely on a small set of vetted vendors to run the Service. Each receives only the data it needs to perform its function and is bound by its own data-protection commitments.

• DigitalOcean — application hosting and managed PostgreSQL database (data stored in their EU / Frankfurt region by default).
• Google— OAuth sign-in. When you choose "Sign in with Google", Google authenticates you and shares the basic profile fields listed in section 1.
• Resend — transactional email delivery (magic-link sign-in, team invites). Resend processes the recipient address and message body.
• Stripe — payment processing for paid plans. Card data is collected and stored by Stripe; we receive only subscription metadata needed to activate, renew, cancel, and reconcile your subscription.
• Sentry — error monitoring and operational diagnostics. We configure Sentry not to intentionally collect request bodies, cookies, headers, or default personal information. Error reports may still include technical metadata such as browser, device, route, and stack trace information.

GetVerdict uses only first-party, strictly necessary cookies. No third-party tracking, ad-tech, or analytics scripts are loaded on the public pages. Because the cookies listed below are required for the Service to function, there are no optional or marketing cookies to opt out of. If we add analytics, ads, or other non-essential tracking later, we will add a real consent choice before those tools run.

The cookies set on your device are:

• verdict_anon_id — anonymous-visitor identifier for free-tier quota enforcement; 1-year lifetime.
• authjs.session-token / __Secure-authjs.session-token — the signed-in session; set only after sign-in; 30-day rolling lifetime.
• display-prefs — your currency and area-unit choice from the header settings popover so prices stay in your picked units across pages; 1-year lifetime.
• verdict_ref_code — present only when you arrive via a referral link (getverdict.ae/r/<code>); attributes the referral when you sign up; 30-day lifetime.

You can clear any of these at any time via your browser's cookie controls; doing so will sign you out and reset your display preferences but will not stop the Service from working.

You can exercise the following rights directly from the account page:

• Access and review. Your account page shows the data we hold against your record — name, email, plan, usage, watchlists, and active sessions.
• Update. Edit your display name and avatar URL inline; the change is written immediately.
• Delete. The danger-zone control on the account page removes your user record, cascades to sessions, watchlists, billing rows, and team memberships, and anonymises archived briefs.
• Sign-in management. Revoke individual sessions or sign out everywhere from the account page.

For anything not covered by these self-serve flows — including data-export requests, the right to object, or the right to lodge a complaint with a supervisory authority — write to [email protected] and we will respond within 30 days.

• Account data — held while your account is active. Deleted on account closure, except where retention is required by law (e.g. accounting records for completed payments).
• Briefs and watchlists — held while your account is active; anonymised on account deletion so that aggregate market statistics remain reliable.
• Anonymous usage counters — auto-expire 30 days after the last brief filed.
• Operational logs — request logs are retained for up to 30 days for diagnostics, then discarded.

GetVerdict is operated from outside the European Economic Area but serves users globally. Where the GDPR or the UK GDPR applies to you, we rely on the legal bases of contract (delivering the Service) and legitimate interest (operating the platform, preventing abuse). Personal data is processed by the vendors listed in section 3, some of whom are located outside your jurisdiction. We rely on their published data-transfer frameworks for international transfers.

California residents covered by the CCPA / CPRA have the rights of access, deletion, correction, and the right to opt out of the "sale" or "sharing" of personal information. GetVerdict does not sell or share personal information for cross-context behavioural advertising; the opt-out is therefore the same as our default posture.

We host on managed infrastructure, encrypt data in transit (TLS) and at rest (managed PostgreSQL volume encryption), and gate administrative access through individually accountable accounts with two-factor authentication. No system is invulnerable; if you suspect a security incident affecting your account, write to [email protected] with the details and we will respond promptly.

The Service is intended for adults. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, contact us and we will delete it.

We may update this Privacy Policy as the Service evolves. When we do, we change the "Last updated" date above and, for material changes, notify active subscribers by email.