Privacy Policy
Last updated: 13 May 2026
Veriflow Labs ("we", "us", "our") operates the Veriflow Labs API platform (the "Service"). This policy explains what data we collect, how we use it, and your rights under the UK GDPR and the Data Protection Act 2018.
1. Data controller
Veriflow Labs is the data controller for personal data processed through the Service. Contact: hello@veriflowlabs.co.uk.
2. Data we collect
- Account data: email address provided at signup, used to issue and manage your API key.
- API usage logs: timestamp, endpoint called, response code, and request count. We do not log request or response bodies.
- Billing data: managed by Stripe. We receive only a Stripe customer ID and subscription status; we do not store card numbers or bank details.
- Webhook payloads (Webhook Queue API only): event bodies you submit for delivery. These are stored for up to 7 days (free tier) or 30 days (Pro), then permanently deleted.
3. How we use your data
- To authenticate your API requests and enforce plan limits.
- To detect abuse and protect the availability of the Service.
- To send transactional emails (API key issuance, billing receipts). We do not send marketing email without explicit opt-in.
- To comply with legal obligations.
4. Legal basis for processing
- Contract performance — processing necessary to provide the Service you signed up for (Art. 6(1)(b) UK GDPR).
- Legitimate interests — usage logging for abuse detection and service stability (Art. 6(1)(f) UK GDPR).
- Legal obligation — where applicable law requires us to retain records (Art. 6(1)(c) UK GDPR).
5. Data retention
- Account and usage data: retained for 2 years after account closure, then deleted.
- Webhook payloads: 7 days (free tier), 30 days (Pro), then permanently deleted.
- Billing records: 7 years as required by UK financial regulations.
6. Data sharing
We do not sell your data. We share data only with:
- Stripe, Inc. — payment processing. Stripe's privacy policy applies to data they process.
- Fly.io — cloud infrastructure (London, UK region). Data remains within the UK/EEA.
- Competent authorities, where required by law.
7. International transfers
All production data is stored on servers located in the United Kingdom. Stripe processes payment data in the United States under Standard Contractual Clauses approved by the UK ICO.
8. Your rights
Under the UK GDPR, you have the right to access your data, rectify inaccuracies, request erasure, object to processing, and port your data. To exercise any of these rights, email hello@veriflowlabs.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies
The Veriflow Labs website does not use cookies or tracking scripts. The API itself does not use cookies.
10. Changes to this policy
We may update this policy. Material changes will be notified by email to registered users at least 14 days before taking effect. Continued use of the Service after that date constitutes acceptance.
11. Contact
Questions about this policy: hello@veriflowlabs.co.uk