Privacy Policy
Last updated: June 2026
This Privacy Policy explains how ("we", "us") collects, uses, and protects personal data when you use our platform. We are committed to complying with UK GDPR and the Data Protection Act 2018.
1. Who We Are
is the data controller for personal data collected about business owners, staff, and visitors to our platform. For personal data that you (as a business owner) hold about your own clients via the platform, you are the data controller and we act as your data processor.
Contact us at: privacy@veroproject.co.uk
2. Data We Collect
2.1 Business account holders and staff
- Name, email address, phone number — provided at registration
- Business name, address, trading information — provided during onboarding
- Payment information — card details processed and held by Stripe; we store only a payment method token
- Usage data — pages visited, features used, timestamps (for security and product improvement)
- Communications — support emails and messages sent to us
2.2 End clients (customers of businesses using the platform)
If a business uses to manage their customer relationships, we process the following data as a data processor on that business's behalf:
- Name, email, phone number
- Booking history and appointment notes
- Health notes and allergy information (where provided by the client)
- Payment records
- Photos uploaded by the business or the client
2.3 Website visitors
- IP address and browser information (server logs, retained 30 days)
- No third-party analytics cookies are currently set
3. How We Use Your Data
| Purpose | Lawful basis |
|---|---|
| Provide and operate the Service | Contract performance |
| Process payments and manage billing | Contract performance |
| Send transactional emails (booking confirmations, reminders) | Contract performance / Legitimate interest |
| Provide customer support | Legitimate interest |
| Detect and prevent fraud and abuse | Legitimate interest |
| Comply with legal obligations (tax, GDPR requests) | Legal obligation |
| Improve and develop the Service | Legitimate interest |
| Send product update emails (opt-out available) | Legitimate interest |
4. Who We Share Data With
We do not sell personal data. We share data only with the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA (SCCs) |
| Resend | Transactional email delivery | USA (SCCs) |
| Railway | Backend hosting and database | EU (Germany) |
| Vercel | Frontend hosting | USA (SCCs) |
| Cloudflare R2 | File and media storage | EU (SCCs) |
| Anthropic | AI assistant (ARIA) processing | USA (SCCs) |
SCCs = Standard Contractual Clauses, providing an adequate transfer mechanism under UK GDPR.
5. How Long We Keep Your Data
- Active accounts: for as long as your account is active
- After account cancellation: dormant state for 12 months, then permanently deleted
- Payment records: 7 years (required by HMRC)
- Server logs: 30 days
- Support communications: 3 years
6. Your Rights
Under UK GDPR you have the right to:
- Access — request a copy of personal data we hold about you
- Correction — ask us to correct inaccurate data
- Erasure — ask us to delete your data (subject to legal retention obligations)
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Restriction — ask us to restrict processing in certain circumstances
- Withdraw consent — where processing is based on consent
To exercise any right, contact us at privacy@veroproject.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
7. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. We will notify you and the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in risk to your rights and freedoms.
8. Cookies
We use a strictly necessary httpOnly session cookie for authentication. No consent is required for this cookie. See our Cookie Policy for details.
9. Changes to This Policy
We may update this policy. We will notify you of material changes by email at least 14 days before they take effect.