Privacy Policy VeriLeges
Version: 1.1
Date: April 2026
Status: Published
This privacy policy explains how VeriLeges processes personal data when you use the website and app.
1. Who are we?
VeriLeges is a trade name of Softron B.V. (private limited company), Chamber of Commerce (KvK) no. 42001589. Softron B.V. is the controller for the personal data processed when you use the web application at app.verileges.nl and the associated website www.verileges.nl.
Contact details:
Softron B.V. (trading as VeriLeges)
Peperstraat 2, 1011 TL Amsterdam, the Netherlands
E-mail for privacy queries: privacy@verileges.nl
No Data Protection Officer (DPO) has been appointed.
2. What personal data do we process?
We process the following categories of personal data:
2.1 Account data
- Name and e-mail address (provided upon registration)
- Password (stored as a hash; we have no access to your readable password)
- Organisation name and role (optional)
- Date of registration
2.2 Subscription and payment data
- Chosen subscription tier and billing period
- Payment history (via our payment service provider Stripe; we do not store full payment card details)
- Billing address (if provided)
2.3 Usage data
- Number of Verifications performed and timestamps
- Subscription status and usage quota
- Logging of API requests (for security and troubleshooting purposes)
2.4 Technical data
- IP address
- Browser and device type
- Session and authentication tokens
2.5 Content of Verifications (Content)
- The text submitted by the User for verification
Important: We advise users not to include unnecessary personal data of clients or other third parties in the texts submitted. If this is nevertheless the case, we process such data solely to carry out the requested verification.
2.6 Communication data
- E-mail messages you send us (support requests, etc.)
3. Purposes and legal bases
| Purpose | Data | Legal basis (GDPR art. 6) |
|---|---|---|
| Creating and managing an account | Account data | Performance of a contract (para. 1, sub b) |
| Providing the Verification Service | Account data, usage data, Content | Performance of a contract (para. 1, sub b) |
| Processing payments | Subscription and payment data | Performance of a contract (para. 1, sub b) |
| Invoicing and bookkeeping | Subscription and payment data | Legal obligation (para. 1, sub c) |
| Security and fraud prevention | Technical data, usage data | Legitimate interests (para. 1, sub f) |
| Support | Communication data, account data | Performance of a contract (para. 1, sub b) |
| Product improvement (anonymised and aggregated) | Anonymised usage statistics | Legitimate interests (para. 1, sub f) |
| Legal obligations (tax, etc.) | Payment data | Legal obligation (para. 1, sub c) |
| Marketing communications (existing customers) | E-mail address | Legitimate interests (para. 1, sub f) / Consent (para. 1, sub a) |
We do not train AI models on users' Content and do not sell it to third parties.
4. Retention periods
| Category | Retention period |
|---|---|
| Account data (active account) | For as long as the account is active |
| Account data (after deletion) | Maximum 30 days after deletion, then permanently erased |
| Verification history and Content | 90 days |
| Payment and invoicing data | 7 years (statutory tax retention obligation) |
| Log files (technical/security) | Maximum 90 days |
| Communication data (support) | Maximum 2 years after closure |
5. Recipients and processors
We share personal data with third parties only where necessary for the provision of our services or where required by law:
5.1 Sub-processors
| Party | Role | Purpose | Location |
|---|---|---|---|
| Supabase | Sub-processor | Database hosting (users, verification data) | EU (project region) |
| Microsoft Azure | Sub-processor | Application hosting and deployment | West Europe |
| Stripe | Sub-processor | Payment processing | US / EU |
| Supabase Auth (transactional e-mail infrastructure) | Sub-processor | Transactional e-mail (auth/signup flows) | EU / provider infrastructure |
5.2 Other recipients
- Tax authorities / accountant: only where required by law (invoicing data).
- Law enforcement or supervisory authorities: where we are legally required to do so.
5.3 External data sources (no transfer of personal data)
The Service queries publicly accessible data sources (Rechtspraak.nl, Overheid.nl, Officielebekendmakingen.nl, EUR-Lex, HUDOC) solely to validate legal references in submitted text. As a general rule, no personal data of users is transferred to these sources.
6. Transfers outside the European Economic Area (EEA)
We endeavour to process data within the EEA. Where transfers outside the EEA do occur (e.g. via Stripe's international infrastructure), we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) pursuant to Article 46 GDPR.
7. Automated decision-making and profiling
The Service uses automated processing to detect and validate legal references. This processing concerns the submitted text, not the User themselves. No profiling of Users takes place and no decisions are made that are based solely on automated processing and produce legal effects concerning the User.
8. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encrypted storage of passwords (bcrypt or equivalent)
- Encrypted connections (TLS/HTTPS)
- Access controls based on the least-privilege principle
- Regular security audits and updates
- Monitoring and logging of suspicious activity
In the event of a data breach that may pose risks to data subjects, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and data subjects as soon as reasonably possible.
9. Your rights
As a data subject, you have the following rights under the GDPR:
| Right | Description |
|---|---|
| Access (art. 15 GDPR) | You may request an overview of the personal data we process about you. |
| Rectification (art. 16 GDPR) | You may request correction of inaccurate data. |
| Erasure (art. 17 GDPR) | You may request deletion of your data ('right to be forgotten'). |
| Restriction (art. 18 GDPR) | You may request that processing be temporarily restricted. |
| Portability (art. 20 GDPR) | You may request your data in a structured, commonly used and machine-readable format. |
| Objection (art. 21 GDPR) | You may object to processing based on legitimate interests. |
| Withdrawal of consent | Where processing is based on consent, you may withdraw it at any time. |
You can exercise your rights by sending a request to privacy@verileges.nl. We will respond within one month. For complex requests, this period may be extended by two months; we will inform you accordingly.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).
10. Cookies and similar technologies
10.1 Strictly necessary cookies
We place cookies that are strictly necessary for the functioning of the application, including session and authentication cookies. These cookies do not require consent.
10.2 Analytical cookies
Where analytics tooling is enabled, we use analytical cookies to measure website and product usage and to improve user experience. These cookies are only placed after you give consent via the cookie banner.
10.3 Marketing cookies
Where marketing or advertising tooling is enabled, marketing cookies may be used to measure campaign performance and support relevant communications. These cookies are only placed based on explicit consent via the cookie banner.
11. Minors
The Service is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently processed data relating to a minor, please contact us.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to users by e-mail or through the application at least thirty (30) days before they take effect. The most current version is always available at https://www.verileges.nl/en/privacy.
13. Contact
For questions about this Privacy Policy or about the processing of your personal data, please contact us:
Softron B.V. (trading as VeriLeges)
Peperstraat 2, 1011 TL Amsterdam, the Netherlands
E-mail: privacy@verileges.nl
Version 1.1 — April 2026.