Legal

Privacy Policy

How Vercrio handles personal data, biometric templates, and identity verification recordings — built around an on-device, privacy-first model.

Last updated: February 10, 2026

Our privacy promise

Biometric templates never leave the user's device. Vercrio receives only cryptographic proofs that a verification happened — not the underlying face, voice, or fingerprint data. PeerProofing videos are processed only as long as needed to confirm enrolment, and retention is configurable per workspace.

1

Introduction

Vercrio (“we”, “us”, or “our”) operates an identity verification and authentication platform. This Privacy Policy explains what data we process, why, how long we keep it, and the rights you have over it.

When your employer or another organisation deploys Vercrio, that organisation is the data controller and Vercrio acts as the data processor. Your employer's own privacy notice may also apply.

2

Information we process

A. Account data

When you sign up or are provisioned by an admin, we process:

  • Work email address and display name.
  • Connected identity provider username (SAML / OIDC subject identifier).
  • Billing information for paid workspaces, handled exclusively by our PCI-DSS-compliant payment processor — we never store full card numbers.

B. Authentication telemetry

To operate the Service we record:

  • Authentication events (success / failure, timestamp, requesting application).
  • Device fingerprints used to bind credentials (model class, OS, secure-enclave availability — no advertising identifiers).
  • Network metadata (IP, ASN, broad geolocation) used for adaptive risk scoring.

C. Biometric data

Biometric templates (face, voice, fingerprint) are generated and stored on the user's device, inside the platform secure enclave. Vercrio servers never receive raw biometric data — only short, signed attestations confirming a successful match.

Vercrio does not train models on biometric data and does not share biometric data with any third party for any purpose.

D. PeerProofing recordings

When your organisation uses PeerProofing™ to verify a user during onboarding or recovery, we record the live video session for audit integrity. Workspace administrators control:

  • Whether recordings are retained, and for how long (configurable from immediate purge up to seven years for regulated industries).
  • Who can access them — typically a small set of security and compliance roles.
  • Whether the recording is encrypted with a customer-managed key.

Users are notified before each recorded session and may decline; in that case, an alternative verification path is offered.

3

How we use this information

  • To operate the authentication and identity verification Service.
  • To generate audit logs and compliance reports for your organisation.
  • To send transactional, security, and operational notifications.
  • To detect, prevent, and mitigate abuse, fraud, and account takeover.
  • To improve Service reliability using aggregated, de-identified metrics only — never personal identifiers, never biometric data.

We do not use your data for advertising, do not sell it, and do not share it with brokers.

4

Data retention

  • Account data: retained for the duration of the workspace subscription.
  • Authentication telemetry: 13 months by default; configurable per workspace.
  • Biometric templates: not retained by Vercrio — they live on user devices only.
  • PeerProofing recordings: retained according to workspace policy; default is 90 days.
  • Backups: encrypted, rotated, and fully purged within 30 days of primary deletion.
5

Subprocessors

We share necessary data with a small set of vetted subprocessors. All are bound by data-processing agreements with confidentiality, security, and breach-notification obligations.

Cloud infrastructure

Compute, storage, encryption

Payment processing

Subscription billing

Email delivery

Transactional and security notifications

Observability

Service health and incident response

A full, versioned subprocessor list is available on request at privacy@vercrio.com.

6

Security

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Per-tenant key isolation; optional customer-managed keys on Enterprise plans.
  • Zero-trust internal access — every operator action is signed, logged, and reviewable.
  • Annual third-party penetration tests and continuous internal vulnerability management.
  • SOC 2 Type II and ISO 27001 audits maintained on an annual cadence.
7

Your rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA / CPRA, Illinois BIPA, and others), you may have the right to:

  • Access the personal data Vercrio holds about you.
  • Correct inaccurate data.
  • Request deletion (“right to be forgotten”).
  • Export your data in a portable format.
  • Object to or restrict certain processing activities.
  • Withdraw biometric consent at any time — your device-side templates can be revoked from your settings; we keep no copies.

Where Vercrio acts as a processor for your employer, please contact them first. We will route requests appropriately and assist with the fulfilment.

8

International transfers

Vercrio operates infrastructure in the European Union and the United States. When data crosses borders, we rely on Standard Contractual Clauses and equivalent safeguards. Enterprise customers may pin their workspace to a specific region.

9

Changes

We may update this Policy from time to time. Material changes will be communicated through the Service or by email at least thirty (30) days in advance.

Contact

Questions about your data, or want to file a request? Reach our privacy team at privacy@vercrio.com.