Privacy Policy · GDPR

Data protection.

VERA is committed to protecting personal data and ensuring compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). This Privacy Policy describes what we collect, why, and the choices and rights available to you. By using the Service, you acknowledge the practices described below.

§ 01

Who We Are & Scope

VERA ("VERA", "we", "us", or "our") operates a platform that helps organizations evaluate candidates using structured, reference-based behavioural insights. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our website, applications, and services (collectively, the "Service"). It applies to candidates, recruiters, referees, and visitors. For the personal data we process on our own behalf, VERA acts as the data controller; where we process data on behalf of a recruiter or organization, we act as a data processor under their instructions.

§ 02

Information We Collect

We collect the following categories of personal data, depending on how you interact with the Service:

  • Account data — name, email address, password (stored hashed), role, organization, and authentication identifiers (including Google sign-in identifiers where used).
  • Candidate profile data — professional background, employment history, skills, self-assessment responses, and any information you choose to add to your profile.
  • Reference & referee data — contact details of referees you nominate, and the structured responses, ratings, and free-text comments referees submit about you.
  • Payment data — billing details and transaction records processed through our payment provider (Stripe). We do not store full card numbers; card data is handled directly by the payment provider.
  • Usage & technical data — IP address, device and browser information, log data, pages viewed, and timestamps, collected to operate and secure the Service.
  • Communications — messages, support requests, and correspondence you send to us.

§ 03

How We Use Your Information

We use personal data to provide, operate, secure, and improve the Service, including to create and manage accounts; collect and structure references; generate behavioural insights and profiles; process payments and subscriptions; send transactional and service-related communications; provide customer support; detect and prevent fraud, abuse, and security incidents; comply with legal obligations; and analyze and improve our features. We do not sell your personal data.

§ 04

Lawful Bases for Processing

Where the GDPR applies, we rely on one or more of the following lawful bases: (a) your consent — for example, when a candidate consents to reference collection or a referee submits a response; (b) performance of a contract — to deliver the Service you have signed up for; (c) our legitimate interests — to secure, operate, and improve the Service, provided these interests are not overridden by your rights; and (d) compliance with a legal obligation. You may withdraw consent at any time without affecting processing carried out before withdrawal.

§ 05

Reference & Referee Data

Reference data is collected only with the candidate's knowledge and consent and the referee's voluntary participation. Referee responses are treated as confidential and are presented to recruiters in a structured, aggregated, and where appropriate anonymized format. Verbatim referee quotes are restricted and are not shown on public profiles or to candidates. References are used solely to generate behavioural insights and are never used to make automated decisions.

§ 06

AI Processing & No Automated Decision-Making

VERA uses third-party artificial-intelligence services (including large language models provided by Anthropic) to structure reference inputs into narratives, profiles, and trade-off maps. These outputs are advisory and descriptive only. VERA does not make hiring decisions, does not produce pass/fail scores, and does not engage in automated decision-making that produces legal or similarly significant effects. Final decisions always rest with the human recruiter or hiring organization.

§ 07

Disclosure & Sub-processors

We share personal data only as necessary to provide the Service, and with appropriate safeguards in place. Recipients may include: AI processing providers (e.g., Anthropic); payment processing (Stripe); email delivery (Resend); authentication (Google, where you choose social sign-in); cloud hosting and database infrastructure providers; and professional advisors or authorities where required by law. We may also disclose data in connection with a merger, acquisition, or sale of assets, or to protect the rights, safety, and property of VERA and others.

§ 08

International Data Transfers

Some of our service providers may process data outside your country or the European Economic Area. Where personal data is transferred internationally, we put in place appropriate safeguards, such as European Commission Standard Contractual Clauses or reliance on adequacy decisions, to ensure your data remains protected.

§ 09

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, to comply with legal, tax, and accounting obligations, and to resolve disputes and enforce our agreements. Account and profile data are retained while your account is active; following a verified deletion request, data is permanently deleted after a 30-day grace window (during which logging in cancels the deletion), except where longer retention is required by law.

§ 10

Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or misuse, including encryption in transit, hashed credentials, access controls, and the principle of least privilege. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

§ 11

Your Rights

Subject to applicable law, you have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Restriction — limit how we process your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — at any time, where processing is based on consent.
  • Complain — lodge a complaint with your local data protection supervisory authority.

§ 12

Self-Service Controls

Candidates can exercise key rights directly from their account: export a complete copy of their data, remove individual references, and request account deletion. You may also contact us using the details below to exercise any of your rights.

§ 13

Cookies & Analytics

We use strictly necessary cookies to operate the Service (for example, to keep you signed in via secure session cookies) and may use limited analytics to understand and improve usage. You can control non-essential cookies through your browser settings; disabling necessary cookies may affect functionality.

§ 14

Children's Privacy

The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

§ 15

Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals, in accordance with applicable law and within the legally mandated timeframes.

§ 16

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated version with a revised effective date and, where changes are material, take reasonable steps to notify you.

§ 17

Contact & Complaints

For privacy questions, requests, or complaints, contact us at privacy@vera-analysis.com. If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

Effective date: June 13, 2026 · Privacy enquiries: privacy@vera-analysis.com