Veracity-Engine — Defensible infrastructure for automating high-stakes legal work. Tracing every assertion to its source. Automatically.

This Privacy Policy describes how Veracity-Engine ("we,“ "us,“ or "our“) collects, uses, and shares your personal information when you use our website and services (collectively, the "Service“).

1. Acceptance of This Privacy Policy

By accessing or using the Service, you agree to be bound by this Privacy Policy. If you do not agree to this Privacy Policy, please do not access or use the Service.

2. Information We Collect

We collect several types of information to provide and improve our Service to you.

2.1. Information You Provide to Us

Account Information: When you register for an account, we collect personal information such as your name, email address, and password.
Payment Information: If you subscribe to a paid plan, our secure, third-party payment processor will collect your payment and billing information. Veracity-Engine does not directly store your full credit card information.

2.2. Your Content

Project and User Data: This is the core data you work with on our platform ("User Content"). This includes the text, files, and other materials you upload or create in your projects, the prompts you submit to our AI Services, and the output generated by the AI ("AI Output"). We treat your User Content as confidential and handle it with the highest of care.

2.3. Information We Collect Automatically

Usage Data: We automatically collect information about how you interact with our Service. This may include the features you use, the pages you visit, the actions you take, and the time, frequency, and duration of your activities.
Technical and Device Data: We collect technical information when you use our Service, including your IP address, browser type and version, operating system, and device identifiers.

3. How and Why We Use Your Information

We process your information for specific purposes and rely on a valid legal basis for each. The chart below details what information we collect and how we use it.

Category of Information	Purpose of Use	Legal Basis
Account & Payment Information	To create and manage your account, process payments, and send you essential service-related communications.	Performance of Contract
User Content (Prompts, documents, etc.)	To provide the core functionalities of the Service, including document editing, storage, and generating AI Output.	Performance of Contract
Usage Data	To improve and optimize our Service, develop new features, and understand user trends.	Legitimate Interest
Technical & Device Data	To secure our platform, prevent fraud, ensure compatibility, and for analytics.	Legitimate Interest
All Information Categories	To enforce our policies and to comply with legal obligations, such as responding to a subpoena or court order, or to protect the safety and rights of our users or the public.	Legal Obligation

A Note on AI Model Training: We do not use your confidential User Content to train our own or third-party AI models without your explicit consent.

4. How We Share Your Information

We do not sell your personal information. Sharing of information with third parties varies by the operational mode you use, as described in the bullets that follow.

Service Providers: We rely on trusted third-party vendors for supporting functions such as payment processing, authentication, error tracking, transactional email, and cloud infrastructure. These vendors do not have access to the content of your prompts, AI Output, or the substantive documents and data you create or upload. They are contractually obligated to protect any information they do handle.
Private Mode (Sovereign Shield): When you use Private Mode, AI inference occurs inside encrypted hardware enclaves under Zero Data Retention. Data processed in Private Mode is invisible to the cloud provider, invisible to Veracity-Engine, and invisible to third-party foundation-model providers. Private Mode is available in two configurations: a serverless TEE-backed variant for on-demand private inference, and an air-gapped enclave variant provisioned exclusively for the customer. See our Security page for the technical architecture.
Public Mode: When you use Public Mode, the content of your prompts is transmitted to the leading foundation-model provider you have selected (for example, Anthropic or Google) to generate AI Output. You control which provider is used. Each provider has its own privacy policies and data-handling terms, and we encourage you to review them.
BYOS (Bring Your Own Stack): When you use BYOS, you supply your own foundation-model provider and API credentials. Inference executes through the provider you have contracted with directly; Veracity-Engine orchestrates your workflow but is excluded from the inference path. Your existing agreement with that provider governs its data handling.
Legal Compliance and Safety: We may disclose your information if required to do so by law or in response to a valid legal request, such as a subpoena or court order, or to protect the safety and rights of our users or the public.
Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction.

5. Data Security

We are deeply committed to the security of your data. Across all operational modes, we maintain baseline technical and organizational safeguards, including encryption of data in transit (TLS 1.3) and at rest (AES-256), role-based access controls, immutable audit logs, and the use of secure, compliant cloud infrastructure.

The following protections apply depending on the operational mode you use:

Private Mode (Sovereign Shield): Confidentiality is enforced by hardware rather than by policy. AI inference occurs inside Trusted Execution Environments (TEEs) under Zero Data Retention. Cryptographic attestation and Platform Configuration Register (PCR) hash verification provide mathematical proof that the code running inside the enclave is the code that was audited, that no data was retained, and that no unauthorized access occurred. Data processed in Private Mode is invisible to the cloud provider, invisible to Veracity-Engine, and invisible to third-party foundation-model providers. See our Security page for the full technical architecture.
Public Mode: Prompts and AI Output are transmitted to the leading foundation-model provider you have selected, under that provider's contractual data-handling terms. You control which provider is used. We do not use your confidential User Content to train our own or third-party AI models without your explicit consent.
BYOS (Bring Your Own Stack): Inference executes through the foundation-model provider and API credentials you supply. Veracity-Engine orchestrates your workflow but is excluded from the inference path; your existing agreement with that provider governs its security and data handling.

While we take the measures described above to protect your data, no security system is impenetrable.

6. Data Retention

We retain your Account Information for as long as your account is active. We retain your User Content for as long as you choose to store it on our platform. You may delete your projects or your entire account at any time. When you delete your account, we will take commercially reasonable steps to delete your personal information and User Content from our active systems in accordance with our data retention policies.

The table below sets forth our retention periods by data category, current as of April 20, 2026. Retention is measured from the trigger stated for each row. Legally required retention (including tax, regulatory, and litigation-hold obligations) supersedes the periods below, consistent with Section 10.2 of our Data Processing Addendum.

Data Category	Retention Period	Trigger
Account profile data (name, email, firm, authentication identifiers)	30 days after account closure	Account cancellation
Chat messages and uploaded documents	90 days after account closure, or immediately on user-initiated delete	Account cancellation or user-initiated delete
Matter Pulse topics and notebooks	90 days after account closure	Account cancellation
Billing records (invoices, payment records)	7 years	Fiscal year end (tax retention)
Error logs (Sentry)	90 days	Event capture
Authentication logs (Clerk)	Per Clerk retention policy	Event capture
Database backups	35 days rolling	Backup creation
Private Mode / Enclave inference data	Not retained on Veracity-Engine servers	Session end (zero-access posture)

In Private Mode (Sovereign Shield), inference data exists only in volatile memory inside the Trusted Execution Environment and is purged on delivery of the result. Data processed in Private Mode is invisible to Veracity-Engine; the architecture makes access by Veracity-Engine a physical impossibility. In BYOS, inference executes through the foundation-model provider and credentials you supply; Veracity-Engine does not receive, store, or otherwise have access to the content of your prompts or AI Output. User Content that you upload, save, or store within the Service (matters, documents, projects, notes, chat history) follows the account-level retention policy above, regardless of operational mode.

7. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information, including the right to:

Access the personal information we hold about you.
Request that we correct any inaccurate personal information.
Request that we delete your personal information.
Object to our processing of your personal information.
Request a copy of your personal information in a portable format.

To exercise these rights, please contact us at the email address provided below.

8. International Data Transfers

Veracity-Engine is based in the United States, and the service providers we engage to deliver the Service (including our infrastructure, authentication, payment, and foundation-model-inference providers) are primarily based in the United States. If you access the Service from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction whose data-protection laws restrict the transfer of personal information outside that jurisdiction, your personal information will be transferred to and processed in the United States.

Where required by applicable law, we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland in reliance on Standard Contractual Clauses adopted by the European Commission (including, as applicable, Module 2 governing controller-to-processor transfers), together with the UK International Data Transfer Addendum and the Swiss amendments, as incorporated into our Data Processing Agreement. Business customers may request a copy of the executed clauses as part of the DPA request process described in Section 13. In Private Mode (Sovereign Shield), inference data is processed within a Trusted Execution Environment under cryptographic controls that prevent foundation-model providers and Veracity-Engine personnel from accessing the content of prompts or AI Output in clear form, which operates in addition to the contractual transfer safeguards described above.

9. California Privacy Rights (CCPA/CPRA)

This section supplements the information in this Privacy Policy and applies solely to California residents covered by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”).

Categories of Personal Information Collected. In the preceding twelve (12) months, we have collected the following categories of personal information about California residents, as those categories are defined under the CCPA:

Identifiers (e.g., name, email address, account credentials, IP address, device identifiers).
Commercial information (e.g., subscription tier, billing records, transaction history).
Internet or other electronic network activity information (e.g., interaction logs with the Service, session metadata).
Professional or employment-related information that you voluntarily provide (e.g., firm, role, practice area).
Inferences drawn from the foregoing categories to support Service functionality.

We do not knowingly collect sensitive personal information as defined in Cal. Civ. Code § 1798.140(ae) for any purpose beyond those necessary to provide the Service and otherwise permitted by Cal. Civ. Code § 1798.121(a), and we do not use or disclose any such information for purposes that would trigger a consumer’s right to limit use.

Sources of Personal Information. We collect personal information directly from you when you create an account or use the Service; automatically through your interaction with the Service; and from our service providers (including authentication and payment processors) to the limited extent necessary to deliver and maintain the Service.

Business and Commercial Purposes. We collect and process personal information for the business and commercial purposes described in Section 3 of this Privacy Policy, including providing and securing the Service, processing transactions, improving functionality, and complying with legal obligations.

Categories of Third Parties. We disclose personal information to the categories of service providers described in Section 4 (infrastructure, authentication, payments, and foundation-model inference in Public Mode only), and to legal, regulatory, or law-enforcement authorities where required by law.

No Sale or Sharing of Personal Information. We do not sell or share your personal information as those terms are defined under the CCPA. We do not use or disclose sensitive personal information for any purpose other than those permitted by Cal. Civ. Code § 1798.121(a).

Your California Rights. Subject to verification and applicable exceptions, California residents have the right to:

Know what personal information we have collected about you, including the categories of information, the sources, the purposes of collection, and the categories of third parties to whom we disclose it.
Delete personal information we have collected from you, subject to certain exceptions.
Correct inaccurate personal information we maintain about you.
Portability: request a copy of personal information you have provided to us in a portable, readily usable format.
Opt Out of Sale or Sharing. As stated above, we do not sell or share personal information; no opt-out is required.
Limit Use of Sensitive Personal Information. As stated above, we do not use sensitive personal information beyond permitted purposes; no limitation request is required.
Non-Discrimination. We will not discriminate against you for exercising any of your rights under the CCPA.

How to Exercise Your Rights. To submit a verifiable consumer request, contact us at legal@veracity-engine.com with the subject line “CCPA Request.” We will respond within forty-five (45) days of receipt of a verifiable request, with one additional forty-five (45) day extension where reasonably necessary, as permitted by the CCPA. We may need to verify your identity before fulfilling your request, which may involve requesting information matching what we have on file. You may designate an authorized agent to submit a request on your behalf by providing written authorization signed by you; we may require the agent to submit proof of authorization and, separately, verification of your identity.

10. Children's Privacy

The Service is intended exclusively for use by legal professionals who are eighteen (18) years of age or older. We do not knowingly collect personal information from anyone under thirteen (13). If we learn that we have collected personal information from a child under thirteen (13), we will delete that information promptly. If you believe a child under thirteen (13) has provided personal information to us, please contact us at legal@veracity-engine.com.

11. Cookies and Other Tracking Technologies

We and our third-party service providers use cookies and other similar technologies (“Cookies“) in order for us to provide our Service and ensure that it performs properly, to analyze our performance and marketing activities, and to personalize your experience.

Please note that we do not change our practices in response to a “Do Not Track“ signal in the HTTP header from a browser or mobile application. However, most browsers allow you to control cookies, including whether or not to accept them and how to remove them. You may set most browsers to notify you if you receive a cookie, or you may choose to block cookies with your browser.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on our website and updating the "Last Updated" date.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us at: legal@veracity-engine.com

Data Processing Agreements. Business customers who require a Data Processing Agreement (DPA), for example to meet GDPR Article 28 obligations or customer-level compliance requirements, may request one by emailing legal@veracity-engine.com with the subject line “DPA Request” and identifying your organization. We will respond with our then-current DPA for counter-signature.