Summary: Verdaio collects only what is necessary to deliver our compliance tools. We do not sell your data. We use AWS-hosted infrastructure within the EU. You may request deletion of your data at any time by emailing privacy@verdaio.ai.
1. Data Controller
The data controller responsible for your personal data is:
Verdaio
[Company registered address]
Email: privacy@verdaio.ai
Website: verdaio.ai
When this policy refers to "Verdaio", "we", "us", or "our", it means the entity above acting as data controller for personal data collected through our website and tools.
2. Data We Collect
We collect the following categories of personal data:
2.1 Data you provide directly
| Data | When collected | Purpose |
|---|---|---|
| Email address | CSRD Assessment and DMA tools | To send your assessment report |
| Name (optional) | Assessment tools | To personalise your report |
| Company name (optional) | Assessment tools | To personalise your report |
| Company sector, size, revenue, and countries of operation | Assessment tools | To generate a relevant, sector-specific AI analysis |
| Assessment responses | CSRD Assessment and DMA tools | To calculate your compliance profile and generate recommendations |
2.2 Data collected automatically
When you visit our website, we may automatically collect technical data including your IP address, browser type, operating system, referring URLs, and pages visited. This data is collected via analytics tools described in Section 5.
3. How We Use Your Data
We use your personal data for the following purposes:
- To deliver the service: Processing your assessment inputs through our AI engine to generate a personalised compliance analysis and sending that report to your email address.
- To improve our tools: Analysing aggregated, anonymised assessment patterns to improve the quality and accuracy of our compliance analysis. Individual responses are never shared externally in identifiable form.
- To comply with legal obligations: Retaining records as required by applicable law.
- To produce market statistics: We may publish anonymised, aggregated insights derived from assessment data (e.g., "X% of companies in the manufacturing sector identified climate change as material"). No individual or company is identifiable in these statistics.
We do not use your data for automated decision-making that produces legal effects or similarly significant impacts without human review.
4. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we rely on the following legal bases:
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Generating and delivering your assessment report | Performance of a contract / pre-contractual steps (Art. 6(1)(b)) |
| Sending your report by email | Performance of a contract / pre-contractual steps (Art. 6(1)(b)) |
| Storing assessment data for service improvement and market statistics | Legitimate interests (Art. 6(1)(f)) — we have a legitimate interest in improving our service and understanding compliance trends |
| Analytics and website usage data | Legitimate interests (Art. 6(1)(f)) / Consent (Art. 6(1)(a)) where cookies require it |
5. Third-Party Processors
We share data with the following third-party service providers who process data on our behalf under appropriate Data Processing Agreements:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Netlify, Inc. | Website hosting and serverless function execution | All data transiting the platform | AWS (EU region) |
| Anthropic, PBC | AI-powered analysis generation (Claude API) | Company profile and assessment inputs | United States — Anthropic does not use API inputs to train models and does not retain inputs beyond processing |
| Resend, Inc. | Transactional email delivery | Email address, recipient name, report HTML | AWS (EU region available) |
| Supabase, Inc. | Database — storage of assessment records | Email, company profile, assessment scores, timestamp | AWS eu-central-1 (Frankfurt, Germany) |
We do not sell, rent, or share your personal data with any third party for their own marketing purposes.
6. International Data Transfers
Your data is primarily processed within the European Economic Area (EEA). Where data is transferred to processors outside the EEA — specifically Anthropic (United States) — we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Anthropic's API terms, which specify that inputs are not retained beyond the processing of a single request and are not used for model training
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
- Assessment records (email, company profile, scores): retained for up to 3 years from submission, or until you request deletion.
- Email delivery logs: retained by Resend for up to 30 days.
- Website analytics data: retained in aggregated form for up to 26 months.
You may request deletion of your data at any time. See Section 8 for how to exercise this right.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data ("right to be forgotten").
- Right to restriction — request that we restrict processing of your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@verdaio.ai. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
9. Cookies
We use cookies and similar tracking technologies on our website. For full details of the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy.
10. Minors
Our services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us at privacy@verdaio.ai and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
Continued use of our services after changes are posted constitutes acceptance of the updated policy.
12. Contact Us
For any privacy-related questions, requests, or complaints:
Verdaio — Data Privacy
Email: privacy@verdaio.ai
Website: verdaio.ai
If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).