Privacy Policy

Last updated: May 1, 2026 · Effective: May 1, 2026

Summary (not a substitute for the full text): We collect the minimum data needed to run the service. OTP codes are never persisted in Privacy Mode. We don't sell your data. EU users get GDPR rights. Contact privacy@verifiedcore.com for any requests.

1. Overview

VerifiedCore ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights in relation to it.

This Policy applies to all users of the VerifiedCore API, dashboard, website, and related services (collectively, the "Services"). By using the Services, you agree to the practices described here. If you are using the Services on behalf of a company, this Policy applies to that company too.

2. Data We Collect

We collect the minimum data necessary to provide the Services. This falls into three categories:

  • Account data: name, email address, company name, billing address, and payment method (tokenised — we never store raw card numbers).
  • Usage data: API request logs (endpoint, timestamp, response code, latency), session events, wallet transactions, and error traces.
  • OTP session metadata: session token, target phone number hash, service slug, country, Health Score™ at time of purchase, delivery timestamp, and SLA outcome. The OTP code itself is subject to Privacy Mode (see Section 5).
  • Technical data: IP address, user-agent, device type, browser locale, and referrer — collected automatically when you visit our website or make API calls.
  • Communications: emails you send to support@verifiedcore.com or legal@verifiedcore.com, and in-dashboard chat messages.

We do not collect sensitive personal data (health, biometric, racial/ethnic origin, or political opinions) and ask that you do not submit such data through the Services.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the Services: authenticating you, routing OTP sessions, calculating Health Scores™, processing wallet top-ups and refunds, and delivering real-time OTPs via WebSocket.
  • Billing and fraud prevention: verifying transactions, detecting account abuse, enforcing rate limits, and complying with anti-money-laundering obligations.
  • Service improvement: aggregated and anonymised usage analytics to improve delivery rates, latency, and Health Score™ accuracy.
  • Communications: transactional emails (receipts, SLA alerts, security notifications) and — with your consent — product updates and feature announcements.
  • Legal compliance: retaining records as required by applicable law, and disclosing data to law enforcement when legally required.

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

5. Privacy Mode and OTP Storage

VerifiedCore's Privacy Mode is a zero-storage guarantee for OTP codes. When Privacy Mode is active, the OTP code is delivered directly to the client WebSocket and is never written to any persistent storage — database, log file, or object store.

Privacy Mode is opt-in for all accounts and is automatically enabled for sessions originating from EU IP addresses. You can toggle it globally in Dashboard → Settings → Privacy, or per-request via the API flag privacyMode: true.

Even with Privacy Mode enabled, we retain the session metadata described in Section 2 (token, number hash, delivery timestamp, SLA outcome) for billing accuracy and fraud prevention. A scheduled purge job deletes all session metadata — including metadata for Privacy Mode sessions — after 90 days.

6. Data Retention

We retain data only as long as necessary for the purposes described in this Policy:

  • OTP session metadata: 90 days from session creation, then permanently deleted.
  • API request logs: 30 days in hot storage, 12 months in cold archive (compressed, access-controlled), then deleted.
  • Wallet transaction records: 7 years to satisfy financial record-keeping obligations under Nigerian law and applicable international standards.
  • Account data: retained for the life of the account plus 30 days after deletion (to support reinstatement requests), then permanently purged.
  • Support communications: 2 years from the date of last reply.

You may request early deletion of your account and associated data at any time (see Section 9 — Your Rights). Financial records subject to legal retention obligations cannot be deleted before their statutory period.

7. Third-Party Processors

We share data with the following sub-processors solely to deliver the Services. All sub-processors are bound by data processing agreements consistent with this Policy:

  • SMS/Voice delivery network — our authorized carrier partners: receive the target phone number and OTP code solely to deliver SMS/voice messages. Each partner is bound by a data processing addendum.
  • eSIM provisioning partner: receives eSIM purchase requests including ICCID and email address solely for eSIM package delivery.
  • Payment processors — regional and international partners: receive payment details for wallet top-up transactions. We pass tokenised references only; raw card data never touches our servers.
  • Cloud infrastructure — AWS (primary region: eu-west-1): hosts all backend services, databases, and object storage. Data in transit is encrypted with TLS 1.3; data at rest with AES-256.
  • Email delivery — Amazon SES: used for transactional and optional marketing emails.
  • Monitoring — Grafana Cloud / Prometheus: receives anonymised performance metrics and error traces. No PII is sent to monitoring systems.

We do not use third-party advertising networks, tracking pixels, or behavioural analytics platforms on the Services.

8. International Data Transfers

VerifiedCore is headquartered in Lagos, Nigeria. Your data may be processed in Nigeria and in the European Union (AWS eu-west-1, Ireland). Where we transfer data from the EEA to Nigeria or other third countries, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent transfer mechanisms.

If you have questions about the safeguards we use for international transfers, please contact privacy@verifiedcore.com.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request that we correct inaccurate or incomplete data.
  • Deletion (Right to Erasure): request deletion of your personal data, subject to our legal retention obligations.
  • Portability: receive your account and session data in a machine-readable format (JSON or CSV).
  • Restriction: request that we restrict processing of your data in certain circumstances.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: opt out of marketing emails at any time.

To exercise any of these rights, email privacy@verifiedcore.com with the subject line "Privacy Request" and your registered email address. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

EU/UK users may also lodge a complaint with their local data protection authority (e.g., the Irish DPC or the UK ICO).

10. Cookies and Tracking

We use a minimal set of cookies and local storage:

  • Session cookies: short-lived, used to maintain your authenticated dashboard session. Deleted when you close your browser.
  • Preference cookies (localStorage): store your selected theme (dark/light), dashboard layout preferences, and sandbox/live mode toggle. No expiry — persist until you clear browser storage.
  • No third-party analytics cookies: we do not use Google Analytics, Mixpanel, Hotjar, or similar third-party tracking tools on the dashboard or API documentation.

The marketing website (verifiedcore.com) may use a self-hosted analytics tool (Plausible) that does not use cookies or fingerprinting, does not track individuals across sites, and is fully GDPR-compliant without a consent banner.

11. Security

We implement technical and organisational measures appropriate to the risk level of the data we process. Key controls include: TLS 1.3 for all data in transit; AES-256 encryption at rest; PESSIMISTIC_WRITE database locks and SERIALIZABLE isolation for all financial operations; API key hashing (bcrypt, never stored in plaintext); role-based access control with MFA on all internal systems; regular third-party penetration tests; and automated anomaly detection for suspicious API usage patterns.

If we become aware of a security breach that is likely to result in a risk to your rights, we will notify affected users and relevant supervisory authorities within 72 hours as required by GDPR.

You are responsible for keeping your API keys secure (see Terms of Service Section 3). Please report suspected security incidents to security@verifiedcore.com immediately.

12. Children's Privacy

The Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@verifiedcore.com and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or a prominent notice in the dashboard at least 14 days before the effective date. The "last updated" date at the top of this page always reflects the most recent version.

Continued use of the Services after the effective date of a revised Policy constitutes your acceptance of the changes.

14. Contact and DPO

For privacy-related queries, data subject requests, or concerns about this Policy, contact our Privacy team at privacy@verifiedcore.com. We aim to respond to all requests within 5 business days.

For legal notices, write to: VerifiedCore Ltd., Lagos, Nigeria.
